none
Reporting Services 2008 - Anonymous Access

    Question

  • Hello,

     

    In SSRS 2005 I was able to grant anonymous access to my reports by changing the authentication mode for the Reporting Services virtual directory in IIS to Anonymous and then adding the 'account used for anonymous access' to the permissions on the appropriate Reporting Services directories (in report manager).

     

    Now with SSRS 2008 there are no virtual directories in IIS.

     

    I tried to follow the instructions given:

     

    http://technet.microsoft.com/en-us/library/cc281310.aspx (Authentication Types in Reporting Services)

     

    Which instructed me to use the custom AuthenticationType, and following the instructions here:

     

    http://technet.microsoft.com/en-us/library/cc281383.aspx (How to: Configure Custom or Forms Authentication in Reporting Services)

     

    which just got me an error:

    • The Authentication Extension threw an unexpected exception or returned a value that is not valid: . (rsAuthenticationExtensionError) Get Online Help
      • For more information about this error navigate to the report server on the local server machine, or enable remote errors

     

    Any ideas on how to set up anonymous access to SSRS2008?

     

    Thanks for any time and help!

     

    -Tim

    Monday, October 13, 2008 9:08 PM

Answers

  • It looks like what you have in common is a duplicate RM (report manager) virtual directory that have anonymous auth enabled. The problem is that in SSRS2008 you cannot duplicate virtual directories like you were able to on a general web server such as IIS.

     

    Unfortunately there isn't an easy alternative in SSRS2008. If you can afford to install a second instance and configure a web farm, you can make the second instance anonymous. Another solution is to create a front end application using the viewer control, and enable anonymous authentication there.

     

    I am not sure what we can do for SSRS2008. Please open an issue on http://connect.microsoft.com/. Let me know which route you decided to take.

    Tuesday, October 14, 2008 8:18 PM

All replies

  • I have this issue also, so hopefully someone will post an answer soon.

     

    -Scott
    Monday, October 13, 2008 9:54 PM
  • Thanks Neeraja for your response... I will attempt an implementation on a Virtual Machine.

     

    Though, I do not feel comfortable circumventing security features that Microsoft implemented in their SSRS 2008 product ( based on the first few paragraphs of your blog: http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx )

     

    Let me suggest a discussion point:

     

    I am having trouble understanding why Microsoft would eliminate any way of providing reports (view only) to anonymous users. Lets say a web developer (not an application developer) at my company wants to add a link to a static public web page that generates a PDF of the current Schedule of Events Report based on information in a SQL database. We were previously able to do something like that using SSRS 2005.

     

    What does Microsoft/others suggest as a solution in such a case?

     

     

     

    Thank everyone for any and all help!

     

    -Tim

    Monday, October 13, 2008 11:19 PM
  • Hi Tim,

     

    I am interested in your SSRS 2005 solution. Using IIS anonymous authentication, were you able to enable administrative capabilities on certain accounts?

     

    The custom authentication extension solution in SSRS2008 can provide view only experience if the auth extension is coded that way. However I am trying to think of how you can enable an admin account in SSRS2008 and SSRS2005.

     

    Thanks! James, Oct. 13, 2008

    Tuesday, October 14, 2008 12:36 AM
  • James,

     

    I am not quite sure this will answer your question but here is how I setup my anonymous SSRS 2005 solution:

     

    1) Standard install of SSRS 2005 (Integrated authentication)

    2) In IIS, duplicate the ReportingServices virtual directory and name it Public

    3) Under Public properties set Directory Security - Authentication and Access Control - to Enable Anonymous access using the IUSR_<machine_name> account. Uncheck all other access types.

    4) Using the report manager, set up a folder named Public, and added the IUSR_<machine_name> account to the Public directory role manager with a viewonly role. (Assuming you have already established a viewonly role as one with only the 'view reports' task enabled.)

    5) Add any other types of administrative/developer accounts

     

    NOTE: The public role only views reports directly from the public virtual directory via a URL. All developers and admins work with the public directory through the Report Manager or ReportingService directory (deploying reports etc.)

     

    Hope this helps.

     

    This is what I was hoping to be able to do in SSRS 2008...

     

    -Tim

     

     

     

     

    Tuesday, October 14, 2008 3:50 PM
  • Hi James,

    We are in a similar situation.  Our servers are hosted offsite by a internet hosting company.  We have two servers (Web and SQL servers).  Currently, we have have two virtual IIS sites to RS 2005 using two ports on the SQL server.  Port 83 is anonymous so that users can run the reports from our web application (ASP 1.1 on Web server) in the internet.  Port 85 is for administration (deployment of reports) and it is windows authenticated.  We want to do the same setup in RS 2008.  How can we do this with minimal change?

     

    Thanks

    Tuesday, October 14, 2008 4:06 PM
  • It looks like what you have in common is a duplicate RM (report manager) virtual directory that have anonymous auth enabled. The problem is that in SSRS2008 you cannot duplicate virtual directories like you were able to on a general web server such as IIS.

     

    Unfortunately there isn't an easy alternative in SSRS2008. If you can afford to install a second instance and configure a web farm, you can make the second instance anonymous. Another solution is to create a front end application using the viewer control, and enable anonymous authentication there.

     

    I am not sure what we can do for SSRS2008. Please open an issue on http://connect.microsoft.com/. Let me know which route you decided to take.

    Tuesday, October 14, 2008 8:18 PM
  • James,

     

    I have duplicated the ReportingServices virtual directory in SSRS 2005 as I do not care to have the public doing any browsing/managing of reports.

     

    But, regardless, your second paragraph describes the the SSRS 2008 conclusion that I have been coming to.

     

    I was in the processes of setting up a second instance of SSRS 2008 as discussed by Neeraja in his third post of this thread when I abandon it in favor of the idea of a public front end application using the Microsoft Report Viewer 2008 SP1 (09.00.30729.01). I assume this one is compatible with SSRS 2008.

     

    The idea being to create a default .net application in a 'PublicReporting' virtual directory which will be a simple implementation of the Report Viewer with the ability to accept the name of the public report, report parameters, and possibly any rendering options as POST/GET variables of the referring URL.

     

    In my case the report viewer default application will only display reports from a 'Public' folder on the Reporting Services Server, it will connect using the most restricted account available, and the account will only have access to that 'Public' folder.

     

    Any links or samples of report viewer code would be greatly appreciated, especially any that deal with authentication to SSRS 2008.

     

    If successful I will post my modest solution to the thread.

     

    Thanks for all help!

     

    -Tim


     

    Tuesday, October 14, 2008 11:53 PM
  • Tim

    I tried your solution worked great for a day.
    The next day I keep getting js error like
    'RsClientController' is undefined
    and
    'ClientControllerReportViewerControl' is null or not an object

    the reports are being published directly from visual studio. I don't edit the code.

    Any idea about what is causing this error?

    Thanks

    Thursday, December 11, 2008 2:54 PM
  • I was able to mimic anonymous access via the application pool security credentials and report viewer inside my application. Here are the steps:

    1. I create a new user in my Windows 2008 server. (i.e. ReportingServices)
    2. Created a classic application pool, and assigned the identity execution to my new ReportingServices account in the server
    3. Associated the ReportingServices credential to a browser role inside the report server (http://localhost/Reports) for the report being rendered inside my asp.net application using the report viewer. (Folders above reports are still locked, so no browsing allowed)
    4. Disabled prompting for report parameters and desabled default values for paramters (can't render report from portal now)
    5. Set default parameter values via the parameter array of my report viewer.
    6. associated ASP.Net application to application pool being ran by my ReportingSevices credentials
    7. Successfully impersonated user in reporting services hence implementing quasi anonymous access.

    Hope this helps someone.

    • Proposed as answer by J C Novoa Friday, January 02, 2009 5:15 PM
    Friday, January 02, 2009 4:31 PM
  • J C,

    Thanks for the detailed instructions!
    Worked fine for me.


    MP
    Friday, January 16, 2009 2:48 AM
  • JC,

    I try to apply the different step. I have a new user specific for the browse, i associed the ReportingServices credential to a browser role, but i don't not where we can set  the parameter array and where i can associated ASP.NET application to application pool. have i to go in IIS ??

    Thank for your reply ?

    Crafty
    Tuesday, February 03, 2009 4:51 PM
  • Yes, under IIS, there is an Application Pools section, expand that, find the application pool you assigned to your web application hosting your reports, and ensure that application pool's credetntials are the same you assigned to your browser role's account.
    In my case, I have an application at http://JC-VS2008/enGaugedTraining That enGaugedTraining virtual directory in IIS is being ran using the enGaugedTrainigAppPool clasic application pool, that assigned pool is using my JC-VS2008\ReportingServices credentials, so when the web application runs using the report viewer control, it uses the web applciation's credentials (via the app pool) to run the report, and since that credential is part of the role "browse" VOILA! you get impersonated anonymous access. The parameter array is the list of parameters in the report which has been published, edit the report using the report server instance (in my case http://JC-VS2008/Reports and select parameters, choose hide, and also uncheck "default" values if any for each parameter. This locks the report and prevents anyone outside the web application from running the report.
    J.C.
    Tuesday, February 03, 2009 5:17 PM
  • JC,

    Thank you for your reply. It's help me to set correct paramters for the reports.
    Finally i associated my associated ASP.NET to the application pool where i put the local user (right Browse in the report Manager).

    Now when i browse the report i have to prompt credentials. When i use the local user, i get the report correctly. But i would like not to have to prompt credential when i click on the link from my web application. I made a response.Redirect on the website and i used a specific user (who has the right browse) as you mentionned.

    Crafty.
    Wednesday, February 04, 2009 11:53 AM
  • Ensure that inside the same folder, you create a shared data source with the impersonated user having security for it. Associate the report's data source with that new data source (and not the embedded one). When integrating the report from the application, make sure you use report viewer, and pass the parameter array to it. also The report path in my case would be: http://JC-VS2008/Reports/Folder/ReportName?Parameters etc... the ReportViewer URL would be http://JC-VS2008/ReportServer/
    Good luck
    Wednesday, February 04, 2009 3:16 PM
  • JC,

    thanks for your instructions.

    refer to your step 2, my problem is my intranet server and the sql server are separated. So is it means that i need to create a application pool on the intranet server? or sql server? 

    yuen

    Friday, February 20, 2009 9:55 AM
  • The application pool has to be on the server where ther web application hosting the reports is located.

    If you create a domain account, or an account that access to both servers, you should be able to give that account access to the sql server hosting the reportserver and reportservertempdb databases. In a escaled out scenario, you could intall reporting services portal on the web server, (DMZ) yet have the reporting services databases intalled in the sql server in the SQL server, configure the report server to run the dB of the sql server in the LAN. When configuring it, you should be able to set that accoutn with read access to the report server databases, and when the web application runnin under that app pool credentials loads the report, it will use the default credentials from the app pool

    Friday, February 20, 2009 11:53 PM
  • JC,

    Thanks for your reply. But i still no idea which server i need to create the application pool.

    for my case, my reportserver is in my sql server, i deployed all my reports to my sql server, and then i call the reports from the code which hosted at the web server. For reporting service 2005, i set the anonymouse access at the sql server -->IIS -->Reports.. and then it works.

    At my web server, i have a application pool "DefaultAppPool" which my web application "HR" belong to. but the application "HR" just have the code to call the reports, not ".rdl" files in this folder, all reports was deployed to the sql server. so i think i should set the application pool identity at the sql server, but at the sql server, via the IIS, i can not find any applications, where i can find he web application and assigned it to use the application pool which i created?   

    Monday, March 02, 2009 8:55 AM
  • JC,

    I check the solution on net and get following:

    ----
    First create a class called ReportServerCredentials that implements the IReportServerCredentials interface.  You will need to import System.Net and Microsoft.Reporting.WebForms to this class.  Overload the New and GetFormsCredentials methods and the NetworkCredentials and ImpersonationUser properties.  Here's a class that I use:

    Imports Microsoft.VisualBasic
    Imports Microsoft.Reporting.WebForms
    Imports System.Net

    Public Class ReportServerCredentials
        Implements IReportServerCredentials

        Private _userName As String
        Private _password As String
        Private _domain As String

        Public Sub New(ByVal userName As String, ByVal password As String, ByVal domain As String)
            _userName = userName
            _password = password
            _domain = domain
        End Sub

        Public ReadOnly Property ImpersonationUser() As System.Security.Principal.WindowsIdentity Implements Microsoft.Reporting.WebForms.IReportServerCredentials.ImpersonationUser
            Get
                Return Nothing
            End Get
        End Property

        Public ReadOnly Property NetworkCredentials() As ICredentials Implements Microsoft.Reporting.WebForms.IReportServerCredentials.NetworkCredentials
            Get
                Return New NetworkCredential(_userName, _password, _domain)
            End Get
        End Property

        Public Function GetFormsCredentials(ByRef authCookie As System.Net.Cookie, ByRef userName As String, ByRef password As String, ByRef authority As String) As Boolean Implements Microsoft.Reporting.WebForms.IReportServerCredentials.GetFormsCredentials
            userName = _userName
            password = _password
            authority = _domain
            Return Nothing
        End Function
    End Class

    Next, in the OnLoad of your page with the ReportViewer control, create a new instance of your ReportServerCredentials (I use values stored in AppSettings).  Then assign your object to the ReportViewer control's ServerReport.ReportServerCredentials property. 

    Dim cred As New ReportServerCredentials(ConfigurationManager.AppSettings("MyStoredUser"),_
        ConfigurationManager.AppSettings("MyStoredPassword"), _
        ConfigurationManager.AppSettings("MyStoredDomain"))
       
        MyReportViewerControl.ServerReport.ReportServerCredentials = cred

    ---


    I try it but get following error

    Compiler Error Message: BC30002: Type 'IReportServerCredentials' is not defined.

    Do you think it is a possible way for Reporting Service 2008? if yes, what lead to the error? thanks in advance.


    Monday, March 02, 2009 9:04 AM
  • Can you please tell me step by step how you used to carry out the Anonymous access task in SQL 2005. I am absolutely clueless about it. Will be great if you could tell me step by step... This is really urgent.

    Thanks.
    Sunday, May 24, 2009 8:08 AM
  • Is not access to SQL 2005, but to Reporting Services wihtin SQL 2008/2005. The first post in this thread tells you the steps for anonymous access to Reporting Services in 2005. Enable anonymous access in the web application (IIS) rendering the reports, and give that account browser access to the report in Reporting Services via the portal (i.e. http://localhost/Reports )
    Monday, May 25, 2009 9:53 PM
  • Sitting with the same problem
    Has Microsoft not yet learnt their lesson from VISTA
    Give the people what they want
    They can develop a service pack to enable  Anonymous Access, but they wont
    They think they know what you need
    This same problem has been asked to be rectified since 2005
    My AA reports where running fine  with 2005
    My initial test of 2008 is brilliant work guys
    It`s a pity that disabling AA went and messed up the product
    I work for a government department and we have six servers to upgrade
    My report will state We will be sticking to 2005

    Lets hope and pray the developers get a  patch out to correct this

    Cheers
    Tuesday, July 07, 2009 8:05 AM
  • James not all guys are as learned

    So a request to all Guys

    Put down detailed instructions for the novice from A to Z

    Or have a seperate web site detailing all your instructions


    Tuesday, July 07, 2009 8:08 AM
  • RubSay

    It all lies in your Internet Information Server
    The Web Sites ,Default Web Site , Report Server and Reports

    You have to go to properties of each on
    Choose directory security
    And edit the anonymous access
    Wednesday, July 08, 2009 9:47 AM
  • J C,

    Thanks for the helpful info. I'm attempting to configure SSRS 2008 with anonymous access using the technique you described above. I'll admit I'm a bit of a novice but I thought I understood the concept of what you outlined. Apparently, I'm missing something, however, because I can't seem to get it to work.

    One possibility, however, is that our application is a php application, not a .net application. I'm wondering if that makes any difference. I've configured the php web app pool to impersonate the windows account that has access to the report server folders. In the php page, we have a query which selects a list of reports from the ReportServer.Catalog table using some filter criteria to narrow the list of available reports. Each report is presented as a link. By clicking the link and providing the proper credentials, the user will open the report viewer and run the report. We are trying to eliminate the credentials prompt and go straight to the report viewer but nothing seems to work. I'm not thrilled with enabling anonymous access completely but rather impersonate it using your described method.

    Any suggestions would be GREATLY appreciated!

    Doug

    Saturday, June 19, 2010 4:30 PM
  • Jakes,

    In ReportServer 2008, the Virtual Directories do not appear within IIS, otherwise Im sure we would've all figured it out by now :)

    eHusband

    Friday, August 13, 2010 12:16 AM
  • Hi Tim,

    I configured your anonymous SSRS 2005 solution and it is working, but I still have a little issue. Did you try to pass parameters via URL? I tried in the same way as you can do it in the report server. Example:

    http://servername/public/Pages/Report.aspx?ItemPath=/Public/ReportName&rs:Command=Render&rc:parameters=false&ParameterName=ParameterValue

    It opens the report but it does not recognize the parameters specified in the url and it does not hide the parameters section. So, I will appreciate if you or somebody else have found a solution for that.

    Thanks

    Friday, September 03, 2010 8:02 PM
  • Hi,

    I resolved my problem, I had the "Public" virtual directory mapping to the Report Manager with anonymous access such as Tim mentioned in his SSRS 2005 solution, but the Report Manager does not recognize the parameters sent by URL, then I mapped the "Public" virtual directory to the Report Server instead of Report Manager and it worked!!!. Now, I have my reports working with anonymous access and I can call them using URLs.

    Regards

    Tuesday, September 14, 2010 6:31 PM
  • J C, how would I modify your method to apply to the ReportServer only and leave Reports as is?
    Thursday, March 17, 2011 10:15 PM
  • hi james

    http://technet.microsoft.com/en-za/library/cc281383(en-us).aspx how to implement this article..

     

     

    i have doubt in 12 th point.

    please help me..

    1. Add the PassThroughCookies element structure to the configuration file. For more information, see Enabling Report Manager to Pass Custom Authentication Cookies.


    indu
    Tuesday, November 08, 2011 9:02 AM
  • hi james

     

    i implemented ur article.(http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx ))

    but u said that

    DO NOT USE ANONYMOUS AUTH!

    NEVER USE IT IN PRODUCTION ENVIRONMENT!

     

    but production server waht can i use please suggest me.


    indu
    Monday, November 14, 2011 9:23 AM
  • Hi all,

    i found a very simple Solution:

    1. in the rsreportserver.config add in the <AuthenticationTypes> the Windows Basic Authentication:<RSWindowsBasic/>

    2. Install apache >= 2.2 in the same machine (use other port than 80) or on a other machine

    3. activate mod_prox_http
    4. Create a Browser User fpr Reporting service (for example "reportusr" with password "this@yourMachinepassw0rd")

    5. define <Location> in http.conf

    <Location /ReportServer>
      ProxyPass http://<your_report_server>/ReportServer
      ProxyPassReverse http://<your_report_server>/ReportServer
      AuthBasicFake reportusr this@yourMachinepassw0rd
      Order deny allow
      Allow from all
    </Location>

    Now you can access the reportserver and all Reports over the apache Webserver with no authentication, becaus always the AuthBasicFake user connects to the reportServer with BasicAuthentication




    • Edited by klaus szilvas Saturday, July 20, 2013 11:26 AM orthographie
    Saturday, July 20, 2013 11:23 AM
  • Oh,  that's great.

    But  Apache "AuthBasicFake" option  can be used in Apache 2.4.x

    Apache for win32  bin is 2.2 ver in time(18-Dec-2013 )

    How can I use "AuthBasicFake"option?


    • Edited by 2 Pro Wednesday, December 18, 2013 8:27 AM
    Wednesday, December 18, 2013 6:07 AM