Setting permissions for accessing reports through ASP.NET web application on IIS

    Question

  • Hello,

    We are running SQL Server 2008 R2 in Integrated Security mode and our reports were built with Report Builder 3.0.

    Our users access the reports through an ASP.NET IIS web application. The web application recovers the user's login "AD\UserName" that we use to determine which reports he or she can see.  The reports are displayed on the web page using

    <img src="http://Server/ReportServer/Pages/ReportViewer.aspx?/TestReport&rs:Format=IMAGE&rc:OutputFormat=png">

    Apparently this access method sends the user's credentials "AD\UserName" to Report Server for determining access permissions, instead of using a generic IIS Admin Service logon. 

    Currently in Report Manager we've added permissions to everyone to see all reports "AD\Domain Users", plus "BUILTIN\Administrators".  This is not ideal.  We want to find a solution without "AD\Domain Users", just using the IIS Admin Service account.

    We want to prevent our users from accessing the reports directly through Report Manager, for example by finding the URL on the web page and navigating to it. We want to manage access to the reports strictly through the web application.

    Is there a way to force access through the web application only, using the IIS Admin Service's login instead of the user's credentials?  We would like to remove "AD\Domain Users" from Report Manager and force all access through the web application's IIS login.

    Can you help us set up the permissions correctly between the web application and Report Server?

    Thanks for your help!


    Best regards, Christopher Sorensen

    Wednesday, August 18, 2010 3:48 PM

Answers

  • Hi Christopher,

    Based on your description, you want to prevent the end-users from accessing the reports directly through the Report Manager. You just want to enable the account the web application is running under to access the reports in the Report Server. If I have misunderstood, please don't hesitate to let me know.

    Before giving you the solution, I would like to inform you how the ASP.NET application accesses a Reporting Service.
    By default, every call to Reporting Services must be an authenticated call. This means every call to the Reporting Services must have a valid credential. This requires us to determine what DefaultCredentials represents in an ASP.NET environment. In a default installation, with no impersonation in place, DefaultCredentials will be the credentials for the ASP.NET process. The ASP.NET process runs as the ASPNET account (in IIS 5.0), or the NETWORK SERVICE account (in IIS 6.0). At this point we need to break down the scenario into local reporting server versus remote reporting server environments.

    • Local Server (Web application is on the same server as the Report Server)
      In this scenario, we can use the ASPNET or the NETWORK SERVICE account to access the Report Server if we have assigned permissions to these accounts through the Report Manager.
    • Remote Server (Web application is on a different server from the Report Server)
      In this scenario, since the ASPNET or the NETWORK SERVICE account is a local account, the ASP.NET application will use the Anonymous Account or the Computer Account to access the Report Server.

    So, we will have the following solutions to achieve the target you mentioned:

    • Disable ASP.NET impersonation for the application through IIS Manager, configure the application to run under a domain account, and grant the domain account permissions to access the Report Server
    • Enable ASP.NET impersonation for the application through IIS Manager, configure an impersonated account in the configuration file, then grant this account permissions to access the Report Server

    Please note, these solutions will run the ASP.NET under the context of the account we configured. This means the application will use this account to access all resources the application accesses.
    In order to avoid this restriction, we can create another new page in another application to host the exported report image, and run this application in another application pool.

    For more information, please see:
    ASP.NET Impersonation: http://msdn.microsoft.com/en-us/library/xh507fc5.aspx
    Authentication, Role-based Security, and SQL Reporting Services Web Services: http://odetocode.com/articles/216.aspx

    If you have any more questions, please feel free to ask.

    Thanks,
    Jin Chen

     


    Jin Chen - MSFT
    Friday, August 20, 2010 8:00 AM
    Moderator
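
The separate page that hosts the exported report image, as suggested in the answer above, could be written as the following ASP.NET handler. It is an added example, not code from this thread: the handler name `ReportImage`, the `report` query parameter and the in-memory ACL table are assumptions, and the Report Server URL is the one quoted in the question.

```csharp
// ReportImage.ashx.cs (added example; handler name, ACL table and parameter are hypothetical)
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Web;

public class ReportImage : IHttpHandler
{
    // URL form taken from the question; the report path is appended after '?'.
    private const string ViewerUrl = "http://Server/ReportServer/Pages/ReportViewer.aspx";

    // Constructed sample ACL (AD login -> report paths); a real application
    // would read this from its own permission store.
    private static readonly Dictionary<string, HashSet<string>> Acl =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { @"AD\UserName", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "/TestReport" } }
        };

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        string user = context.User.Identity.Name;   // e.g. AD\UserName with Windows authentication
        string report = context.Request.QueryString["report"];

        // Only exact paths listed for this user are accepted, so the handler cannot
        // be pointed at other Report Server items or have URL parameters injected.
        HashSet<string> allowed;
        if (string.IsNullOrEmpty(report) || !Acl.TryGetValue(user, out allowed) || !allowed.Contains(report))
        {
            context.Response.StatusCode = 403;
            return;
        }

        var request = (HttpWebRequest)WebRequest.Create(
            ViewerUrl + "?" + Uri.EscapeUriString(report) + "&rs:Format=IMAGE&rc:OutputFormat=png");
        // With impersonation disabled this is the application pool identity, i.e. the
        // single domain account that has been granted rights on the Report Server.
        request.Credentials = CredentialCache.DefaultCredentials;

        using (var response = (HttpWebResponse)request.GetResponse())
        using (Stream body = response.GetResponseStream())
        {
            context.Response.ContentType = "image/png";
            body.CopyTo(context.Response.OutputStream);
        }
    }
}
```

The page would then reference `ReportImage.ashx?report=/TestReport` in its `<img>` tag, so the browser never contacts the Report Server itself and "AD\Domain Users" no longer needs a role assignment there.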

All replies

  • Hi Jin Chen,

    Thank you for this detailed answer! At our site, we are using the Remote Server scenario where the Web application is on a different server than the Report Server.

    I plan to read the articles you mentioned and talk this over with our development team.

    Thanks again for your quick reply.

    Christopher


    Best regards, Christopher Sorensen
    Friday, August 20, 2010 1:58 PM
  • Hi, do you want something like this?
    Alexei Cioina
    Friday, August 20, 2010 2:33 PM