locked
Windows & Forms Based Authentication RRS feed

  • Question

  • Is it possible to configure a single Report Server instance to use both Windows and Forms Based Authentication?  I am unable to find useful and straight forward on this topic.
    Monday, June 11, 2012 7:12 PM

Answers

  • After contacting Microsoft I was able to get this working. 

    Our environment:

    SharePoint 2007 Enterprise
    SSRS 2008 R2 running in SharePoint integration mode

    We have a windows authenticated website (http://ntwebsite) which is used internally.  We also have a forms based authentication website (http://fbawebsite) which is just an extension of the first website.  They both have the same content, the login is different.  The ntwebsite is the parent site, while the fbawebsite is considered the child site.

    The problem was that I gave the fba user rights to the document library the reports were stored in, which gave them access to the .rdl file, but I did not make the user a visitor of the ntwebsite, which is where the user gets rights to the Report Server.  So the user was able to click on the report and receive the following error:

    Exception Type: System.Web.Services.Protocols.SoapException
    Exception Message: System.Web.Services.Protocols.SoapException: The permissions granted to user 'membershipprovider:xyz' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'membershipprovider:xyz' are insufficient for performing this operation. at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetPermissions(String Item, String[]& Permissions) at Microsoft.ReportingServices.WebServer.ReportingService2006.GetPermissions(String Item, String[]& Permissions)
    Exception Source: System.Web.Services
    Exception Target Site: ReadResponse

    ---- Stack Trace ----
    System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(message As SoapClientMessage, response As WebResponse, responseStream As Stream, asyncCall As Boolean)
    (unknown file): N 431766
    System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(methodName As String, parameters As Object[])
    (unknown file): N 00204
    Microsoft.SqlServer.ReportingServices2006.ReportingService2006.GetPermissions(Item As String)
    (unknown file): N 00050
    Microsoft.SqlServer.ReportingServices2006.RSConnection2006.GetPermissions(Item As String)
    (unknown file): N 00096
    Microsoft.ReportingServices.SharePoint.UI.ItemPermissions.GetPermissionFromServer()
    (unknown file): N 00077
    Microsoft.ReportingServices.SharePoint.UI.ItemPermissions.GetPermissions(itemPath As String)
    (unknown file): N 00100
    Microsoft.ReportingServices.SharePoint.UI.RSViewerPage.OnInit(e As EventArgs)
    (unknown file): N 00559
    System.Web.UI.Control.InitRecursive(namingContainer As Control)
    (unknown file): N 00333
    System.Web.UI.Page.ProcessRequestMain(includeStagesBeforeAsyncPoint As Boolean, includeStagesAfterAsyncPoint As Boolean)
    (unknown file): N 00378

    I was able to get this working by adding the fba user membershipprovider:xyz to the visitor group on the ntwebsite.

    This was a little confusing to myself and I hope I got the terminology correct.  Hope this helps somebody down the road.

     

    • Marked as answer by Edward Zhu Wednesday, June 13, 2012 1:37 AM
    Tuesday, June 12, 2012 5:32 PM

All replies

  • Hello ssb82,

    Based on our experience, we cannot configure Windows and Forms Based Authentication at the same time in rsreportserver.config file. If you read the MSDN article, you will find the following words.

    At least one authentication type must be specified. Multiple authentication types can be specified for RSWindows. RSWindows authentication types (that is, RSWindowsBasic,RSWindowsNTLM, RSWindowsKerberos, and RSWindowsNegotiate) are mutually exclusive with Custom.

    However, it is possible that we can design the custom module to handle the two authentication in custom code. We do not have the sample code, but the following articles on Internet are useful.

    http://www.codeproject.com/Articles/42428/ASP-NET-3-5-Custom-Windows-Authentication-using-VB
    http://msdn.microsoft.com/en-us/library/467h1csc.aspx

    I hope my suggestion is helpful to you.

    Regards,

    Edward


    Edward Zhu

    TechNet Community Support

    Tuesday, June 12, 2012 8:29 AM
  • After contacting Microsoft I was able to get this working. 

    Our environment:

    SharePoint 2007 Enterprise
    SSRS 2008 R2 running in SharePoint integration mode

    We have a windows authenticated website (http://ntwebsite) which is used internally.  We also have a forms based authentication website (http://fbawebsite) which is just an extension of the first website.  They both have the same content, the login is different.  The ntwebsite is the parent site, while the fbawebsite is considered the child site.

    The problem was that I gave the fba user rights to the document library the reports were stored in, which gave them access to the .rdl file, but I did not make the user a visitor of the ntwebsite, which is where the user gets rights to the Report Server.  So the user was able to click on the report and receive the following error:

    Exception Type: System.Web.Services.Protocols.SoapException
    Exception Message: System.Web.Services.Protocols.SoapException: The permissions granted to user 'membershipprovider:xyz' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'membershipprovider:xyz' are insufficient for performing this operation. at Microsoft.ReportingServices.WebServer.ReportingService2005Impl.GetPermissions(String Item, String[]& Permissions) at Microsoft.ReportingServices.WebServer.ReportingService2006.GetPermissions(String Item, String[]& Permissions)
    Exception Source: System.Web.Services
    Exception Target Site: ReadResponse

    ---- Stack Trace ----
    System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(message As SoapClientMessage, response As WebResponse, responseStream As Stream, asyncCall As Boolean)
    (unknown file): N 431766
    System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(methodName As String, parameters As Object[])
    (unknown file): N 00204
    Microsoft.SqlServer.ReportingServices2006.ReportingService2006.GetPermissions(Item As String)
    (unknown file): N 00050
    Microsoft.SqlServer.ReportingServices2006.RSConnection2006.GetPermissions(Item As String)
    (unknown file): N 00096
    Microsoft.ReportingServices.SharePoint.UI.ItemPermissions.GetPermissionFromServer()
    (unknown file): N 00077
    Microsoft.ReportingServices.SharePoint.UI.ItemPermissions.GetPermissions(itemPath As String)
    (unknown file): N 00100
    Microsoft.ReportingServices.SharePoint.UI.RSViewerPage.OnInit(e As EventArgs)
    (unknown file): N 00559
    System.Web.UI.Control.InitRecursive(namingContainer As Control)
    (unknown file): N 00333
    System.Web.UI.Page.ProcessRequestMain(includeStagesBeforeAsyncPoint As Boolean, includeStagesAfterAsyncPoint As Boolean)
    (unknown file): N 00378

    I was able to get this working by adding the fba user membershipprovider:xyz to the visitor group on the ntwebsite.

    This was a little confusing to myself and I hope I got the terminology correct.  Hope this helps somebody down the road.

     

    • Marked as answer by Edward Zhu Wednesday, June 13, 2012 1:37 AM
    Tuesday, June 12, 2012 5:32 PM