locked
RSPreviewPolicy.config settings not working for SSRS report custom assembly. RRS feed

  • Question

  • I am attempting to add a custom assembly (.NET 4.5.1) that requires fulltrust permissions.  I have attempted changing RSPreviewPolicy.config in C:\Program Files (x86)\Microsoft Visual Studio 14.0\common7\idE\privateAssemblies for VS2015 and C:\Program Files (x86)\Microsoft Visual Studio\2017\Professional\Common7\IDE\CommonExtensions\Microsoft\SSRS for VS2017.  Changing RSPreviewPolicy.config seems to have no effect as I continue to get security errors.  If anyone can offer any guidance or suggests, it would be appreciated.

    This is what the entry looks like:

    <CodeGroup 
       class="UnionCodeGroup"
       version="1"
       PermissionSetName="FullTrust"
       Name="KADECodeGroup"
       Description="Kadence Extensions">
      <IMembershipCondition
    class="StrongNameMembershipCondition"
    version="1"
    PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100f9b68bec6b7aaededf30a33f1a79301430772c3f168d126ce68f6fddc37a451cec9587e18a164f250138c4fd89aad666232ef1433a916de1a7440dbd92c7be185958cf2ce91b3e92c92efd60ab1ec179397d4c2d463ce87883d550125c0ded618ef073e7014e3f0d8e65ca87fb421ae87e6de8459edbaecdf815506f701a4795"
       />
    </CodeGroup>


    </CodeGroup>

    Thursday, February 1, 2018 8:35 PM

All replies

  • Hi,

    You also need to modify the report server Web.config file and the report server ReportService.exe.config file. The entry might look like the following:

    <configuration>  
       <runtime>  
          <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">  
             <dependentAssembly>  
                <assemblyIdentity name="myAssembly"  
                                  publicKeyToken="32ab4ba45e0a69a1"  
                                  culture="neutral" />  
                <bindingRedirect oldVersion="1.0.0.0"  
                                 newVersion="2.0.0.0"/>  
             </dependentAssembly>  
          </assemblyBinding>  
       </runtime>  
    </configuration>  

    Reference: Deploying a Custom Assembly

    How to grant permissions to a custom assembly that is referenced in a report in Reporting Services

    Friday, February 2, 2018 9:27 AM
  • Thanks, that info is useful for deployment, and it doesn't work either, but I'm specifically trying to get preview working first.  I believe I've followed all the current documentation but the report server essentially behaves as though I haven't made any changes to it's config files.
    Friday, February 2, 2018 4:17 PM
  • Hi,

    Thank you for your reply. Custom assemblies in SSRS allow for report developers to program code using a DotNet language within a separate object from the SSRS report itself. The coding can be completed in Visual Basic or C and allows for consistent code reuse and simplified maintenance of standard code across multiple reports and projects.

    You could follow this tutorial to do the custom assembly: https://www.mssqltips.com/sqlservertip/3224/sql-server-reporting-services-custom-code-assemblies/

    BR,

    Henry 

    Tuesday, February 6, 2018 8:55 AM
  • Henry,

    thanks for the tutorial link.  The issue is not that I need to know how to add assemblies to an SSRS report but rather that I'm unsuccessful  giving the assembly the proper permission.  I believe I've followed all the MSDN instructions on this with regards to the RSPreviewpolicy.config (for VS) and rssrvpolicy.config (for SSRS) and  but I still get security errors.

    i.e., 

    Assembly 'expression_host_5ec62b19f83f432d8f56f7312cbba842, Version=12.3.1016.33, Culture=neutral, PublicKeyToken=null' is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself.  In order to access security critical code, this assembly must be fully trusted.

    thanks for any additional help/advice you can offer.

    Tuesday, February 6, 2018 5:42 PM
  • Hi,

    Thank you for your reply. 

    In SQL Server, CLR code running inside of SQL Server (i.e. "SQLCLR") is highly restricted so as to not degrade security or stability of SQL Server. In your scenario, if you want to use a external custom library, you need to set the assembly to unsafe.

    For your requirement, please refer to the following steps:

    Set the database containing the Assembly to TRUSTWORTHY = ON. This assumes that the owner of the database has the UNSAFE ASSEMBLY server-level permission (which is typically the case). While this option is quicker / easier, it is not preferred due to TRUSTWORTHY = ON being a fairly wide-open security hole.

    Sign the Assembly with a password, create an Asymmetric Key from the Assembly, create a Login from the Asymmetric Key, grant the Login the UNSAFE ASSEMBLY permission. This is the preferred method.

    Reference:

    https://stackoverflow.com/questions/24153370/sql-clr-trigger-how-to-make-an-assembly-trusted-due-to-transparent-code-call-cr

    BR,

    Henry 

    Wednesday, February 7, 2018 2:25 AM
  • Henry,

    again, thanks for the info.  Unfortunately, I'm not creating an SQLCLR assembly.  I'm creating an SSRS assembly, which is a completely different thing and, in the case of SQL2017/SSRS2017, different products.

    I have signed my assembly, placed it in the GAC, etc.  I will try marking the assembly as unsafe and see if that helps.

    thanks,

    Thursday, February 8, 2018 4:58 PM