locked
401:Unauthorized RRS feed

  • Question

  • I have a problem when want to preview reporting service report from reportviewer with 401:Unauthorized message.

    Environment:-
    - Application  (ASP.net) run from Web Server A
    - Reporting Service run from Web Server B
    - Both server configured with windows authentication
    - application added with  <identity impersonate="true"/> in the web.config
    - We want to use windows authentication.

    Senario:-
    - A) When running the application from Sever A, No Problem.
    - B)When running the appliocation from Client pc, 401:Unauthorized.

    Checking:
    - For senario A, we check Server A and B IIS log, user credential passed to both server.
    - For senario B, creatdential only apprear at Server A, not server B ( that's y Unauthorized).

    Try Out:
    - A) We have tried some code where adding username and password to the <identity impersonate setting. Doing so, it is working fine.
    - B) create CustomReportCredential class and passwing the UserName and Password. It is working.

    As you notice try out A and B also using hardcoded Username and Password. But what we want is the Credential should based on the User that using the application that's why we want to use Windows Authentication. If hardcode Username and Password it will defeat the purpose.

    Is the the problem in Report Service or IIS?

    Can someone give us some light ?
    Monday, April 6, 2009 12:29 AM

Answers

  • Hi maven_cko,

     

    In this case, we need to determine what DefaultCredentials represents in an ASP.NET environment firstly.

     

    For scenario B, the web application makes web service calls to a remote report server. There are additional complications. If you are using impersonation, there is a one-hop limit with NTLM authentication. The client’s credentials make one hop from the client machine to the web server, and ASP.NET can use these credentials to impersonate the client on the same machine only. For ASP.NET to use the credentials on another remote machine would require the credentials to make a second hop, which does not happen - the call will go to the remote machine with the credentials of the ASP.NET process instead. Since the ASP.NET process runs under a local machine account by default, the remote server will not authenticate the credentials and the call will fail with an access denied message.

     

    If you want the Credential based on the user that using the application, make the web services calls in remote mode, and do not want to use hardcode username and password, you can use the Kerberos to authentication.

     

    To use Kerberos, please see ‘configure an ASP.NET application for a delegation scenario’ and ‘Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

     

    For more information about Authentication, Role-based Security about SQL Reporting Services Web Services, please see ‘Authentication, Role-based Security, and SQL Reporting Services Web Services

     

    If there is anything unclear, please feel free to let me know.

     

    Thanks,

    Jin


    Jin Chen - MSFT
    Thursday, April 9, 2009 1:08 AM