baeke.info :: SharePoint 2007: Reporting Services in Integrated Mode and Delegation

About

You arrived at the weblog of Geert Baeke. I am a technology consultant for a company called Xylos (Belgium). I mostly work with Microsoft technologies such as Windows, Active Directory, Exchange, Sharepoint, MSCS, and more. I am also actively busy with VMware's products, focussing on VMware ESX.

Sections

Tutorials

Twitter

follow GeertBaeke at http://twitter.com

XBOX 360

RSS Newsfeeds

Main Page RSS

Sharepoint RSS

Main Page » Technologies » Sharepoint

Previous:	Problem with SharePoint 2007 and Office Integration
Next:	New beta of Windows Live Writer with SharePoint support

SharePoint 2007: Reporting Services in Integrated Mode and Delegation

by rastix on Thu 10 May 2007 08:31 PM CEST | Permanent Link | Cosmos

Since SQL Server 2005 SP2, you can configure SQL Server Reporting Services in SharePoint Integrated mode. In this mode you can upload report files (rdl files) and shared data connection files to SharePoint document libraries and work with them from there.

To get to a report, a user just browses to a SharePoint site and selects a report from a document library.

Depending on your requirements, you can install Reporting Services on the same server as your SharePoint server or on a separate server. But if you install Reporting Services on a separate server, you will have to install SharePoint anyway because Reporting Services needs the SharePoint object model and needs to be part of the farm (see this document for more info). If you install Reporting Services on an existing SharePoint server you are deploying side-by-side and should check this document for more info.

To deploy Reporting Services on a SharePoint server side-by-side, just install Reporting Services and do not create a basic configuration. The basic configuration deploys Reporting Services in native mode. After installation, start the Reporting Services Configuration program to configure the server for integrated mode. You will also need the SQL Server Reporting Services Add-in for SharePoint Technologies. Installation is pretty straightforward and is fully explained in the documentation.

When you run a report, you frequently need to access data on a separate server. If you design a report with a datasource that queries a remote SQL Server, you will have to make sure that your credentials are passed to that server correctly. You basically have two options:

Connect to SharePoint using basic authentication - or -
Connect to SharePoint using Kerberos

You cannot authenticate with NTLM because that protocol does not support double hop.

Basic authentication is the simplest option. You can configure basic authentication with SharePoint Central Administration. When you do so, IIS will be configured appropriately. When a user connects to SharePoint using basic authentication, the password is actually sent to IIS. A connection can be made to a third server with the provided credentials using either NTLM or Kerberos.

The Kerberos option takes more work to implement because it requires service principal names in Active Directory. You configure Kerberos authentication from SharePoint Central Administration and that will also configure IIS for Kerberos. Basically, the NTAuthenticationProviders setting will be set to "Negotiate, NTLM". For more info, see this article.

What are the SPNs you need to set? Well, suppose you have the following scenario where UserX connects to SharePoint (with Reporting Services) and a report needs data from a separate SQL Server:

UserX ----------> SRVSP+RS --------> SRVSQL

UserX will type a name to connect to SharePoint, for example: http://sp.domain.com. For Kerberos authentication to succeed, a Kerberos ticket will need to be passed to IIS. Internet Explorer will request a Kerberos ticket for a service and that service is identified by a service principal name. If you would run a network trace, you would see that Internet Explorer request an SPN in the form of http/<servername typed by user>. So in this case: http/sp.domain.com.

Note: if the website is configured on a different port than 80, do not specify the port on the SPN like http/sp.domain.com:8080. Internet Explorer always uses the FQDN only no matter the port number.

Once the ticket has been acquired, it needs to be passed to the IIS process that hosts the SharePoint web application. In IIS speak, that process is an application pool. An application pool should be configured with a process identity and that should be a domain user account. The SPN of http/sp.domain.local needs to be added to that domain user account. Suppose the domain user account is domain\apppool you would need to use the following command to set the SPN:

setspn -a http/sp.domain.com domain\apppool

The setspn.exe tool is part of the Windows Support Tools on the Windows Server cd. To check that the SPN was set correctly, use the following command:

setspn -l domain\apppool.

Setting the SPN is not enough. For UserX's credentials to be passed from SRVSP+RS to SRVSQL, the domain\apppool account needs to be trusted for delegation. You do this with the Active Directory Users and Computers (ADUC) MMC snap-in. Where you find this option in the GUI depends on the Active Directory functional level. If it is Windows 2000, the option is in the Account tab. If it is WIndows 2003, the option is in a separate Delegation tab. That tab is only visible for accounts that have SPNs registered.

Once the account is trusted for delegation, you need to make sure that the account has enough user rights on the server (SRVSP+RS) to perform the actual delegation. The user right Impersonate a client after authentication is the minimum required. When the application pool account (domain\apppool) is part of IIS_WPG everything should be fine.

One last step is to make sure that the user account that runs SQL Server on SRVSQL also has an SPN. The SPN needs to be MSSQLSrv/fqdn:1433. In this example: MSSQLSvc/srvsql.domain.com:1433.

Besides the above requirements at the server and domain level, there are some requirements at the client level. The client needs to be able to talk to a domain controller on port 88/UDP (Kerberos) and the website must be in the Intranet or Trusted Sites zone.

Posted to:

Sharepoint

Comments

Post a comment

Re: SharePoint 2007: Reporting Services in Integrated Mode and Delegation

by Anonymous on Fri 08 Jun 2007 12:11 PM CEST | Permanent Link

Hi,
I've the same config (MOSS+RS on a server and SQL on another one) as you described and I set up Kerberos (SPN,...). I can see the reports when I'm logged in as a user of the "<site>Owners" group but when it fails when I'm logged in as a user of the "<site>Members or Visitors". The error message ios the following:
System.Web.Services.Protocols.SoapException: The permissions granted to user '<domain>\user1' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user '<domain>\user1' are insufficient for performing this operation.
--- End of inner exception stack trace ---
at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetPermissions(String Item, String[]& Permissions)
at Microsoft.ReportingServices.WebServer.ReportingService2006.GetPermissions(String Item, String[]& Permissions)

Do you have any idea what could be wrong? My MOSS site (port 80) is running under domain\app1 account (Kerberos/SPN enabled) and my ReportServer (port 8888) is running under domain\rsapp account (windows and web services, also Kerberos/SPN enabled).
Could you please tell me what is your exact configuration in terms of domain accounts used for IIS, MOSS Site appPool, RS services, RS appPool?

I also tried the "basic auth" setup (changing in MOSS using SCA) but then I got an "unexpected error" message when I try view a report (even as administrator)! When you setup "basic auth", do you also have to remove all the SPNs and delegation settings to make it work?

Thanks in advance for your help 'cause I'm pulling my hairs out for days now!

-Franck

Re: Re: SharePoint 2007: Reporting Services in Integrated Mode and Delegation

by rastix on Wed 13 Jun 2007 07:39 PM CEST | Profile | Permanent Link

Franck,

It seems to be quite complicated. First of all, the issue with basic authentication is explained in a more recent blog post: http://blog.baeke.info/blog/_archives/2007/6/13/3019312.html. It seems you have to configure the _vti_bin/ReportServer virtual directory of your MOSS site with Integrated Auth. and leave the rest at basic. No changes are needed to the SPNs and delegation settings. But I had some issues enabling SSL afterwards. Still looking to solve the SSL issue.

For your other issues, can those users with problems connect to http://url_of_your_reportserver:8888/reportserver and drill down into the MOSS sites to eventually reach the report? Note that to get the report correctly rendered in this way requires Kerberos setup for the domain\rsapp account as well (and delegation settings).

Hope this helps.

Re: SharePoint 2007: Reporting Services in Integrated Mode and Delegation

by Anonymous on Thu 16 Oct 2008 04:30 PM CEST | Permanent Link

Hi.
I’m having some issues with Kerberos running WSS and Reporting Services in “Sharepoint Integrated mode”.

I have the following boxes:
Computername: DC
Role: Domain Controller running the domain: test.local

Computername: SQL2005
Role: SQL 2005 Standard edition with SP2 and Reporting Services in “Sharepoint Integrated mode”
RS Site: http://sql2005/Reportingservices

Computername: WSS3
Role: WSS ver. 3
Sites:
Default website: http://wss3.test.local (same as hostname)
Company site: http://work.test.local (this is the actual site we will use)
Central Admin site: http://wss3.test.local:6049

My Problem is:
When I click “Set Server Defaults” in “application management” (Central Administrations) on http://wss3.test.local:6049 from my DC or SQL2005 server I get the following error:
An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode.

If I do the same from WSS3 – “Set Server Defaults” work fine!

Some more info about my configuration:
I’ve created the following SPNs:
setspn.exe -A http/wss3 test\spsrv
setspn.exe -A http/wss3.test.local test\spsrv
setspn.exe -A http/wss3:6049 test\spsrv
setspn.exe -A http/wss3.test.local:6049 test\spsrv
setspn.exe -A http/work test\spapwp
setspn.exe -A http/work.test.local test\spapwp
setspn.exe -A http/sql2005 test\rssvc
setspn.exe -A http/sql2005.test.local test\rssvc

I’ve set up delegation for the following Computers / Account:
SQL2005 (computer)
WSS3 (computer)
SPSRV (user)
SPAPWP (user)
RSSVC (user)

I’ve set up various permissions in Component Services:
Default Impersonation Level = Delegate (on WSS3)
IIS WAMREG Admin Service
 Security tab
Launch and Activate Permissions
 Grant SPSRV and SPAPWP, 'Local Activation' permissions (on WSS3)

Re: Re: SharePoint 2007: Reporting Services in Integrated Mode and Delegation

by Anonymous on Thu 16 Oct 2008 04:31 PM CEST | Permanent Link

Regards Christian

Post comment:

	Receive comment notifications for this article
Subject:
Comment:

Comment verification:

Please enter the text you see inside the graphic to post your comment:

You are not currently logged in. If you would like your user information to be displayed with your comment, please enter your login information below.