ReportViewer 2010 in Remote Mode, Windows Authentication not working

Question

Hi,

I'm having a problem accessing SSRS reports in Remote Mode. Will appreciate if someone can give a clue / guide as to what is actually going on in here.

Following is my environment: 

1. I have a web application (.NEt 2.0) that needs to connect to the ReportServer 2005 and render the report using the ReportViewer control for ASP.NET 2.0.

2. I successfully deployed my web application and regular pages are being rendered fine on IIS 5.1 (hosted on Win XP)

3. The report was also deployed on the Report Server 2005 and is accessible using the SSRS 2005 interface.

4. I have setup the following in my web.config file: 

<authentication mode="Windows"/>

<identity impersonate="true" />

 

Now the issue:

If I run this in my local environment the ReportViewer control renders the report fine, but if I deploy my app on IIS 5.1 (point 2 above) It gives me the error:

"The request failed with HTTP status 401: Unauthorized."

 

The interesting thing is that, if I modify the web.config with the following, the application is rendered fine on both the environments. 

 

<authentication mode="Windows"/>

<identity impersonate="true" userName="MyWindowsUserId" password="MyPassword" />

I have stumbled upon a blog that states that is related to a double hop issue. Is this the case? Also IIS 5.1 does not have app pool, but I can have my application work on windows authentication when I explicitly supply it the User Id and Password.

Thanks in advance!

Answer 1

Hello Mustafa. It does sound like you are experiencing the double hop issue. Your access of the IIS server is the first hop in NTLM, then the IIS server to the report server is the second hop, and in NTLM, your Windows credentials can't be delegated to the second hop. This is the behavior of Windows integrated authentication using NTLM.

When you're running your project on your development machine, you're accessing your own machine (the development server), so there's no hop, and the access to the report server is the first hop.

To get around this, by default ReportViewer in remote mode uses the user context of the ASP.NET worker process that is running your page when accessing the report server (not impersonating your user context). When you explicitly supply the impersonation identity, the report server access is considered as a first hop again, which is why it succeeds.

It's possible to avoid the double hop issue altogether in Windows authentication by using Kerberos, but this would be very heavy-handed and it might not be the option you'd want to consider (e.g. domain admininstration privileges, SPNs, identity delegation, etc).

---

Cephas Lin This posting is provided "AS IS" with no warranties.