none
Access denied to ReportServer and Reports, works locally but fails remotely

    Question

  •  

    I am getting the error:

     

    HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials.
    Internet Information Services (IIS)

     

    when I attempt to connect to Reports or ReportServer from my desktop, but it works normally when I login with the same userid and run it directly on the server, using IE.  It is prompting me for a login 2 or 3 times before failing.

     

    My configuration is:

     

    Report Server system: 

    Windows Server 2003 R2 SP2 - 32bit

    SQL Server 2005 Reporting Services Enterprise Edition

    Windows & Web Service run as a domain account

    Database connection is using domain account - not in db_owner, but in RSExec roles

    Database is on another server, and is Native, not SharePoint integrated

    Reports & ReportServer are in a separate application pool

    Reporting Services had SP2 installed before it was configured

    The Rport Server is a VM

     

    Database server

    Windows Server 2003 R2 SP2 - x64        

    SQL Server 2005 Enterprise Edition 64bit

    Version 9.00.3200.00

     

    The Report Manager was not working at all, and I discovered that there was no entry in the .Net Framework version on the APS.Net tab in properties for the Reports virtual directory.    I am not seeing any errors or anything unusual in the Event log or in the ReportServer log files.

     

    FrontPage 2002 extensions were installed, and then removed.  I noticed that this installed a SharePoint virtual directory, and that disappeared when I removed FrontPage extensions.

     

    The domain group my userid is in is in the local Administrators group on the ReportServer system, and I have added this group as a System Administrator and Content Manager through the report Manager.

     

    I would greatly appreciate any suggestions.

     

    Thanks,

    Bill

    Thursday, May 15, 2008 10:27 PM

All replies

  • Do you use Kerberos or NTLM Authentication? One thing that might be happening is that you can authenticate from one machine to another, but you can't make the double-hop needed to go from your client machine the the report server to the database server.

     

    Just a guess,

    Thursday, May 15, 2008 11:33 PM
  • It is using NTLM for the connection to the database, because the SPN is not set up on the SQL Server service. 

     

    It seems odd that enabling Kerberos would make a difference, because I typically only grant access to the ReportServer and ReportServerTempDB databases to the login that the ReportServer connects as.  In other installations, I can add Domain Users to the Browser role and not grant any access to the ReportServer database, and users don't have any problems.

     

    I was planning to setup the SPN anyway, so I will see if that makes a difference.

    Friday, May 16, 2008 2:51 AM
  • I have exactly the same problem in a slightly different setup.

     

    What do you mean by saying "I can add Domain Users to the Browser role and not grant any access to the ReportServer database"? What is this "Browser role". And where can I add users (preferable groups) to this role? Would this fix the problem in the end?

     

    We're running SSRS in SharePoint integrated mode on a MOSS 2007.

     

    Kind Regards

     

    Thomas

    Friday, May 16, 2008 9:30 AM
  •  

    I don't think the normal Report Manager works when you are in SharePoint integrated mode, so how you manage permissions will probably be a little different.

     

    In the normal Report Manager I didsplay the properties of the 'Home' folder, click the 'New Role Assignment' button in the menu bar, and add the domain group or user.  Your userid may need to be added to the 'System Administrators' role under 'Site Settings' -> 'Configure site-wide security' -> 'New Role Assignment' before you can manage user access.  Typically, BUILTIN\Administrators is already setup as a System Administrator and Content Manager.  If your userid is in the local Administrators group, you should already have ability to manage these things. 

     

    I am not sure how this looks with SharePoint, though.

    Friday, May 16, 2008 2:16 PM