Reporting Services 2008 - Anonymous Access

Question

Hello,

 

In SSRS 2005 I was able to grant anonymous access to my reports by changing the authentication mode for the Reporting Services virtual directory in IIS to Anonymous and then adding the 'account used for anonymous access' to the permissions on the appropriate Reporting Services directories (in report manager).

 

Now with SSRS 2008 there are no virtual directories in IIS.

 

I tried to follow the instructions given:

 

http://technet.microsoft.com/en-us/library/cc281310.aspx (Authentication Types in Reporting Services)

 

Which instructed me to use the custom AuthenticationType, and following the instructions here:

 

http://technet.microsoft.com/en-us/library/cc281383.aspx (How to: Configure Custom or Forms Authentication in Reporting Services)

 

which just got me an error:

• The Authentication Extension threw an unexpected exception or returned a value that is not valid: . (rsAuthenticationExtensionError) Get Online Help
  • For more information about this error navigate to the report server on the local server machine, or enable remote errors

 

Any ideas on how to set up anonymous access to SSRS2008?

 

Thanks for any time and help!

 

-Tim

Answer 1

I have this issue also, so hopefully someone will post an answer soon.

 

-Scott

Answer 2

Refer to http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx

 

Answer 3

Thanks Neeraja for your response... I will attempt an implementation on a Virtual Machine.

 

Though, I do not feel comfortable circumventing security features that Microsoft implemented in their SSRS 2008 product ( based on the first few paragraphs of your blog: http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx )

 

Let me suggest a discussion point:

 

I am having trouble understanding why Microsoft would eliminate any way of providing reports (view only) to anonymous users. Lets say a web developer (not an application developer) at my company wants to add a link to a static public web page that generates a PDF of the current Schedule of Events Report based on information in a SQL database. We were previously able to do something like that using SSRS 2005.

 

What does Microsoft/others suggest as a solution in such a case?

 

 

 

Thank everyone for any and all help!

 

-Tim

Answer 4

Hi Tim,

 

I am interested in your SSRS 2005 solution. Using IIS anonymous authentication, were you able to enable administrative capabilities on certain accounts?

 

The custom authentication extension solution in SSRS2008 can provide view only experience if the auth extension is coded that way. However I am trying to think of how you can enable an admin account in SSRS2008 and SSRS2005.

 

Thanks! James, Oct. 13, 2008

Answer 5

James,

 

I am not quite sure this will answer your question but here is how I setup my anonymous SSRS 2005 solution:

 

1) Standard install of SSRS 2005 (Integrated authentication)

2) In IIS, duplicate the ReportingServices virtual directory and name it Public

3) Under Public properties set Directory Security - Authentication and Access Control - to Enable Anonymous access using the IUSR_<machine_name> account. Uncheck all other access types.

4) Using the report manager, set up a folder named Public, and added the IUSR_<machine_name> account to the Public directory role manager with a viewonly role. (Assuming you have already established a viewonly role as one with only the 'view reports' task enabled.)

5) Add any other types of administrative/developer accounts

 

NOTE: The public role only views reports directly from the public virtual directory via a URL. All developers and admins work with the public directory through the Report Manager or ReportingService directory (deploying reports etc.)

 

Hope this helps.

 

This is what I was hoping to be able to do in SSRS 2008...

 

-Tim

 

 

 

 

Answer 6

Hi James,

We are in a similar situation.  Our servers are hosted offsite by a internet hosting company.  We have two servers (Web and SQL servers).  Currently, we have have two virtual IIS sites to RS 2005 using two ports on the SQL server.  Port 83 is anonymous so that users can run the reports from our web application (ASP 1.1 on Web server) in the internet.  Port 85 is for administration (deployment of reports) and it is windows authenticated.  We want to do the same setup in RS 2008.  How can we do this with minimal change?

 

Thanks

Answer 7

It looks like what you have in common is a duplicate RM (report manager) virtual directory that have anonymous auth enabled. The problem is that in SSRS2008 you cannot duplicate virtual directories like you were able to on a general web server such as IIS.

 

Unfortunately there isn't an easy alternative in SSRS2008. If you can afford to install a second instance and configure a web farm, you can make the second instance anonymous. Another solution is to create a front end application using the viewer control, and enable anonymous authentication there.

 

I am not sure what we can do for SSRS2008. Please open an issue on http://connect.microsoft.com/. Let me know which route you decided to take.

Answer 8

James,

 

I have duplicated the ReportingServices virtual directory in SSRS 2005 as I do not care to have the public doing any browsing/managing of reports.

 

But, regardless, your second paragraph describes the the SSRS 2008 conclusion that I have been coming to.

 

I was in the processes of setting up a second instance of SSRS 2008 as discussed by Neeraja in his third post of this thread when I abandon it in favor of the idea of a public front end application using the Microsoft Report Viewer 2008 SP1 (09.00.30729.01). I assume this one is compatible with SSRS 2008.

 

The idea being to create a default .net application in a 'PublicReporting' virtual directory which will be a simple implementation of the Report Viewer with the ability to accept the name of the public report, report parameters, and possibly any rendering options as POST/GET variables of the referring URL.

 

In my case the report viewer default application will only display reports from a 'Public' folder on the Reporting Services Server, it will connect using the most restricted account available, and the account will only have access to that 'Public' folder.

 

Any links or samples of report viewer code would be greatly appreciated, especially any that deal with authentication to SSRS 2008.

 

If successful I will post my modest solution to the thread.

 

Thanks for all help!

 

-Tim

 

Answer 9

Tim

I tried your solution worked great for a day.
The next day I keep getting js error like
'RsClientController' is undefined
and
'ClientControllerReportViewerControl' is null or not an object

the reports are being published directly from visual studio. I don't edit the code.

Any idea about what is causing this error?

Thanks

Answer 10

I was able to mimic anonymous access via the application pool security credentials and report viewer inside my application. Here are the steps:

1. I create a new user in my Windows 2008 server. (i.e. ReportingServices)
2. Created a classic application pool, and assigned the identity execution to my new ReportingServices account in the server
3. Associated the ReportingServices credential to a browser role inside the report server (http://localhost/Reports) for the report being rendered inside my asp.net application using the report viewer. (Folders above reports are still locked, so no browsing allowed)
4. Disabled prompting for report parameters and desabled default values for paramters (can't render report from portal now)
5. Set default parameter values via the parameter array of my report viewer.
6. associated ASP.Net application to application pool being ran by my ReportingSevices credentials
7. Successfully impersonated user in reporting services hence implementing quasi anonymous access.

Hope this helps someone.

Answer 11

J C,

Thanks for the detailed instructions!
Worked fine for me.


MP

Answer 12

JC,

I try to apply the different step. I have a new user specific for the browse, i associed the ReportingServices credential to a browser role, but i don't not where we can set  the parameter array and where i can associated ASP.NET application to application pool. have i to go in IIS ??

Thank for your reply ?

Crafty

Answer 13

Yes, under IIS, there is an Application Pools section, expand that, find the application pool you assigned to your web application hosting your reports, and ensure that application pool's credetntials are the same you assigned to your browser role's account.
In my case, I have an application at http://JC-VS2008/enGaugedTraining That enGaugedTraining virtual directory in IIS is being ran using the enGaugedTrainigAppPool clasic application pool, that assigned pool is using my JC-VS2008\ReportingServices credentials, so when the web application runs using the report viewer control, it uses the web applciation's credentials (via the app pool) to run the report, and since that credential is part of the role "browse" VOILA! you get impersonated anonymous access. The parameter array is the list of parameters in the report which has been published, edit the report using the report server instance (in my case http://JC-VS2008/Reports and select parameters, choose hide, and also uncheck "default" values if any for each parameter. This locks the report and prevents anyone outside the web application from running the report.
J.C.

Answer 14

JC,

Thank you for your reply. It's help me to set correct paramters for the reports.
Finally i associated my associated ASP.NET to the application pool where i put the local user (right Browse in the report Manager).

Now when i browse the report i have to prompt credentials. When i use the local user, i get the report correctly. But i would like not to have to prompt credential when i click on the link from my web application. I made a response.Redirect on the website and i used a specific user (who has the right browse) as you mentionned.

Crafty.

Answer 15

Ensure that inside the same folder, you create a shared data source with the impersonated user having security for it. Associate the report's data source with that new data source (and not the embedded one). When integrating the report from the application, make sure you use report viewer, and pass the parameter array to it. also The report path in my case would be: http://JC-VS2008/Reports/Folder/ReportName?Parameters etc... the ReportViewer URL would be http://JC-VS2008/ReportServer/
Good luck

Answer 16

JC,

thanks for your instructions.

refer to your step 2, my problem is my intranet server and the sql server are separated. So is it means that i need to create a application pool on the intranet server? or sql server? 

yuen

Answer 17

The application pool has to be on the server where ther web application hosting the reports is located.

If you create a domain account, or an account that access to both servers, you should be able to give that account access to the sql server hosting the reportserver and reportservertempdb databases. In a escaled out scenario, you could intall reporting services portal on the web server, (DMZ) yet have the reporting services databases intalled in the sql server in the SQL server, configure the report server to run the dB of the sql server in the LAN. When configuring it, you should be able to set that accoutn with read access to the report server databases, and when the web application runnin under that app pool credentials loads the report, it will use the default credentials from the app pool

Answer 18

JC,

Thanks for your reply. But i still no idea which server i need to create the application pool.

for my case, my reportserver is in my sql server, i deployed all my reports to my sql server, and then i call the reports from the code which hosted at the web server. For reporting service 2005, i set the anonymouse access at the sql server -->IIS -->Reports.. and then it works.

At my web server, i have a application pool "DefaultAppPool" which my web application "HR" belong to. but the application "HR" just have the code to call the reports, not ".rdl" files in this folder, all reports was deployed to the sql server. so i think i should set the application pool identity at the sql server, but at the sql server, via the IIS, i can not find any applications, where i can find he web application and assigned it to use the application pool which i created?   

Answer 19

JC,

I check the solution on net and get following:

----
First create a class called ReportServerCredentials that implements the IReportServerCredentials interface.  You will need to import System.Net and Microsoft.Reporting.WebForms to this class.  Overload the New and GetFormsCredentials methods and the NetworkCredentials and ImpersonationUser properties.  Here's a class that I use:

Imports Microsoft.VisualBasic
Imports Microsoft.Reporting.WebForms
Imports System.Net

Public Class ReportServerCredentials
    Implements IReportServerCredentials

    Private _userName As String
    Private _password As String
    Private _domain As String

    Public Sub New(ByVal userName As String, ByVal password As String, ByVal domain As String)
        _userName = userName
        _password = password
        _domain = domain
    End Sub

    Public ReadOnly Property ImpersonationUser() As System.Security.Principal.WindowsIdentity Implements Microsoft.Reporting.WebForms.IReportServerCredentials.ImpersonationUser
        Get
            Return Nothing
        End Get
    End Property

    Public ReadOnly Property NetworkCredentials() As ICredentials Implements Microsoft.Reporting.WebForms.IReportServerCredentials.NetworkCredentials
        Get
            Return New NetworkCredential(_userName, _password, _domain)
        End Get
    End Property

    Public Function GetFormsCredentials(ByRef authCookie As System.Net.Cookie, ByRef userName As String, ByRef password As String, ByRef authority As String) As Boolean Implements Microsoft.Reporting.WebForms.IReportServerCredentials.GetFormsCredentials
        userName = _userName
        password = _password
        authority = _domain
        Return Nothing
    End Function
End Class

Next, in the OnLoad of your page with the ReportViewer control, create a new instance of your ReportServerCredentials (I use values stored in AppSettings).  Then assign your object to the ReportViewer control's ServerReport.ReportServerCredentials property. 

Dim cred As New ReportServerCredentials(ConfigurationManager.AppSettings("MyStoredUser"),_
    ConfigurationManager.AppSettings("MyStoredPassword"), _
    ConfigurationManager.AppSettings("MyStoredDomain"))
   
    MyReportViewerControl.ServerReport.ReportServerCredentials = cred

---


I try it but get following error

Compiler Error Message: BC30002: Type 'IReportServerCredentials' is not defined.

Do you think it is a possible way for Reporting Service 2008? if yes, what lead to the error? thanks in advance.

Answer 20

Can you please tell me step by step how you used to carry out the Anonymous access task in SQL 2005. I am absolutely clueless about it. Will be great if you could tell me step by step... This is really urgent.

Thanks.

Answer 21

Is not access to SQL 2005, but to Reporting Services wihtin SQL 2008/2005. The first post in this thread tells you the steps for anonymous access to Reporting Services in 2005. Enable anonymous access in the web application (IIS) rendering the reports, and give that account browser access to the report in Reporting Services via the portal (i.e. http://localhost/Reports )

Answer 22

Sitting with the same problem
Has Microsoft not yet learnt their lesson from VISTA
Give the people what they want
They can develop a service pack to enable  Anonymous Access, but they wont
They think they know what you need
This same problem has been asked to be rectified since 2005
My AA reports where running fine  with 2005
My initial test of 2008 is brilliant work guys
It`s a pity that disabling AA went and messed up the product
I work for a government department and we have six servers to upgrade
My report will state We will be sticking to 2005

Lets hope and pray the developers get a  patch out to correct this

Cheers

Answer 23

James not all guys are as learned

So a request to all Guys

Put down detailed instructions for the novice from A to Z

Or have a seperate web site detailing all your instructions

Answer 24

RubSay

It all lies in your Internet Information Server
The Web Sites ,Default Web Site , Report Server and Reports

You have to go to properties of each on
Choose directory security
And edit the anonymous access