December 23, 2011 at 3:18 pm
Again I apologize if this post needs to be in a different section.
We have an application that is linked to AD. When we login to the application, our domain name auto fills into the domain area and we key in our login and password, we're in. This application used to use strictly SQL authentication. When we were using SQL authentication, I had no problems with people running reports from this server. Since the application now uses AD, nobody can use it unless we change their password on the SQL server to something they would know and then they can run my reports. I don't want to have to do this.
On SSRS I've tried to have the users login using the domain in the login and their domain password ie...
[domain]\
[domain password]
In the setup of the report I've marked the choice for "Prompt for credentials" and I've also marked "Use Windows Authentication (Integrated Security)" and neither work.
I've seen a few articles that mention the "double hop" scenario but the instructions would involve me asking our Network admin to help me with this in regards to changing things at the domain level. I was wondering if anyone could give some input before I drag someone else into this problem?
TIA,
John
December 29, 2011 at 9:50 am
Hope if I understand you. If the same user that logs into the application needs to login to reportserver you need double hop authentication. So your admin needs to setup Kerberos for double hop authentication to work. Otherwise you end up with a Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON error.
You could try to run the reports under a different fixed AD user. I'm not sure if this is possible in your configuration.
I know we had the same kind of issue in our organization and the solution was to setup a SPN and use Kerberos authentication.
__________________
MS-SQL / SSIS / SSRS junkie
Visit my blog at dba60k.net
January 2, 2012 at 11:49 am
peterjonk (12/29/2011)
Hope if I understand you. If the same user that logs into the application needs to login to reportserver you need double hop authentication. So your admin needs to setup Kerberos for double hop authentication to work. Otherwise you end up with a Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON error.You could try to run the reports under a different fixed AD user. I'm not sure if this is possible in your configuration.
I know we had the same kind of issue in our organization and the solution was to setup a SPN and use Kerberos authentication.
The plan is to have users login to Citrix server A (using internet explorer) to connect to server B (running SSRS) which pulls information from server C which houses the SQL Server.
I keep reading about the double hop issue but I'm thinking it requires a reboot if we have to setup service principle names (SPN's). Rebooting domain controllers are a rare occasion for us which I think is required after putting SPN's in place. I've already tried giving delegation rights to users and the SSRS server at the domain level but to no avail.
All SQL services (including SSRS) are running under a domain admin equivalent and it's still not working so I'm leaning more towards the double hop issue....and having to put SPN's in place. Once I can get a domain admin equivalent account working, I'll lower the access level to that account that runs those services.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply