SOAP Exception - permissions

  • Question

  • User1510859543 posted

    We have an asp.net application that produces PDF output from SSRS (SQL 2016) using Reporting Services. It works great but when we try to use the same process in another web app on the same server we are getting the following exception error.  The web app that is working is an intranet windows auth app and the one that is not working is a more public app. The rest of the public app works fine but when I try to save a PDF report I get the exception below in event log.

    Process information: 
        Process ID: 8532 
        Process name: w3wp.exe 
        Account name: IIS APPPOOL\.NET v4.5 
     
    Exception information: 
        Exception type: SoapException 
        Exception message: System.Web.Services.Protocols.SoapException: The permissions granted to user 'NT AUTHORITY\IUSR' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'NT AUTHORITY\IUSR' are insufficient for performing this operation.
       at Microsoft.ReportingServices.Library.ReportExecution2005Impl.LoadReport(String Report, String HistoryID, ExecutionInfo3& executionInfo)
       at Microsoft.ReportingServices.WebServer.ReportExecutionService.LoadReport(String Report, String HistoryID, ExecutionInfo& executionInfo)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.ReportExecutionService.LoadReport(String Report, String HistoryID)
       at FilesClass.CreatePDFReport(String strReportName, Int32 intRecordID, Int16 intType) in C:\inetpub\wwwroot\RepairTrak\App_Code\FilesClass.vb:line 342
       at orders_FinalBillReports.Page_Load(Object sender, EventArgs e) in C:\inetpub\wwwroot\RepairTrak\Repairs\FinalBillReports.aspx.vb:line 71
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
    

    Wednesday, July 8, 2020 10:17 PM

Answers

  • User1535942433 posted

    Hi dlchase.

    As far as I think, you could do this:

    1. Open IIS Manager, select the web site that has been made Anonymous, and select 'Edit Permissions' in the top right corner.

    2.Click on the 'Security' tab --> 'Edit' (under groups and users) --> 'Add' (under groups and users). This brings you to the 'Select Users, Computers, Service Accounts, or Groups' window.

    3. Click on the 'Object Types...' button and just select everything and hit 'OK'.

    4. Next, click on 'Locations ...' and select the parent-most option (this will most likely be the server itself) and hit 'OK'

    5. Next, click on the 'Advanced' button and select the 'Find Now' button.

    6. You will see several search results. Within this list, you will find the IUSR username. Select it, and hit 'OK' and grant it FULL permissions.

    7. Go to IIS and select your site-->Authentication and then select "Anonymous Authentication".

    8. Click "Edit" at top right hand side, from the popup menu select "Application Pool Identity" radio button and Click OK.

    Best regards,

    Yijing Sun

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, July 9, 2020 2:46 AM

All replies

  • User1510859543 posted

    Did all of your steps and now the exception is showing for IIS APPPOOL (see below).  Could not find a user with that name to repeat steps you gave me.

    An unhandled exception occurred:
    Message: System.Web.Services.Protocols.SoapException: The permissions granted to user 'IIS APPPOOL\.NET v4.5' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'IIS APPPOOL\.NET v4.5' are insufficient for performing this operation.
       at Microsoft.ReportingServices.Library.ReportExecution2005Impl.LoadReport(String Report, String HistoryID, ExecutionInfo3& executionInfo)
       at Microsoft.ReportingServices.WebServer.ReportExecutionService.LoadReport(String Report, String HistoryID, ExecutionInfo& executionInfo)
    
     Stack Trace:
       at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
       at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
       at Microsoft.Reporting.WebForms.Internal.Soap.ReportingServices2005.Execution.ReportExecutionService.LoadReport(String Report, String HistoryID)
       at FilesClass.CreatePDFReport(String strReportName, Int32 intRecordID, Int16 intType) in C:\inetpub\wwwroot\RepairTrak\App_Code\FilesClass.vb:line 342
       at orders_FinalBillReports.Page_Load(Object sender, EventArgs e) in C:\inetpub\wwwroot\RepairTrak\Repairs\FinalBillReports.aspx.vb:line 71
       at System.Web.UI.Control.OnLoad(EventArgs e)
       at System.Web.UI.Control.LoadRecursive()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) Host = smtp.office365.com
    

    Then, I tried bypassing your step 8 and set to "Specific user" and selected a good network user account and all worked great with no error!

    Thursday, July 9, 2020 2:08 PM
  • User475983607 posted

    The ".NET v4.5" identity does not have sufficient rights to access the remote service.  Contact the service owners for assistance on what domain account to use and general information on how the SOAP security is designed to work. 

    Perhaps change the Identity to the Network Service account.  The community has no way to answer this question accurately. 

    Thursday, July 9, 2020 2:35 PM
  • User1510859543 posted

    See my comment about step 8 that resolved the issue. Thanks.

    Thursday, July 9, 2020 2:37 PM
  • User475983607 posted

    See my comment about step 8 that resolved the issue. Thanks.

    You should still contact the service owners.  Selecting an arbitrary domain account is not a good approach.

    Thursday, July 9, 2020 2:39 PM
  • User1510859543 posted

    Since I am the service provider what are my options?  If I use "Application Pool Identity" it throws the error. If I use a user account it works.

    Would creating a separate app pool be better?

    Thursday, July 9, 2020 3:36 PM
  • User475983607 posted

    Since I am the service provider what are my options?  If I use "Application Pool Identity" it throws the error. If I use a user account it works.

    Would creating a separate app pool be better?

    The "Application Pool Identity" most likely does not work because the SOAP service is remote to the web app.   Unfortunately,  the security solution depends on your SOAP security requirements which seem undefined or arbitrary.   

    The Network Service account authenticates the machine to authenticate.  Another option is creating a service account with the proper rights to make a remote call.  Use the service account as the Identity.  

    Thursday, July 9, 2020 3:52 PM
  • User1510859543 posted

    Does it matter in your solution that SQL Server, Web apps and Reporting Service all run on the same server?

    Thursday, July 9, 2020 5:51 PM
  • User475983607 posted

    Does it matter in your solution that SQL Server, Web apps and Reporting Service all run on the same server?

    It matters because you do not need an account with network access.  Frankly, this is not a question for an ASP.NET forum.  You really need to get with your system admin to discuss how you want your security to work.  If you are the system admin then I'm not sure what to tell ya.  Perhaps just use the account that you know works and move on.

    Thursday, July 9, 2020 6:03 PM
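
An added example (not from any poster in the thread): a read-only Windows PowerShell 5.1 check that resolves which identity the site's anonymous requests run as, lists what the IIS accounts hold on the site folder, and then lists the role assignments Reporting Services has for the report, so the account named in the `AccessDeniedException` can be compared with what SSRS actually grants. The site name, report path and ReportService2010 URL are placeholder assumptions, and it assumes the app calls the report server as the request's Windows identity, as the two error messages in the thread indicate.

```powershell
# Added example. Run elevated in Windows PowerShell 5.1 on the IIS/SSRS host.
# $SiteName, $ReportPath and $RsUrl are placeholders (assumptions), not values from the thread.
param(
    [string]$SiteName   = 'Default Web Site',
    [string]$ReportPath = '/Reports/FinalBill',
    [string]$RsUrl      = 'http://localhost/ReportServer/ReportService2010.asmx?wsdl'
)
Import-Module WebAdministration

# 1. Anonymous authentication: userName 'IUSR' is the default; an empty
#    userName means "Application Pool Identity" (step 8 in the answer).
$anon = Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
$site     = Get-Item "IIS:\Sites\$SiteName"
$poolName = $site.applicationPool
$pm       = (Get-Item "IIS:\AppPools\$poolName").processModel

$effective =
    if (-not $anon.enabled)                                 { '(authenticated caller)' }
    elseif ($anon.userName -eq 'IUSR')                      { 'NT AUTHORITY\IUSR' }
    elseif ($anon.userName)                                 { $anon.userName }
    elseif ($pm.identityType -eq 'SpecificUser')            { $pm.userName }
    elseif ($pm.identityType -eq 'ApplicationPoolIdentity') { "IIS APPPOOL\$poolName" }
    else                                                    { "built-in: $($pm.identityType)" }
"Anonymous requests to '$SiteName' run as: $effective"

# 2. NTFS rights the IIS accounts hold on the site root (steps 1-6 changed these).
$root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
(Get-Acl $root).Access |
    Where-Object { $_.IdentityReference -match 'IUSR|IIS APPPOOL' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# 3. Role assignments SSRS holds for the report (ReportService2010 GetPolicies).
$rs        = New-WebServiceProxy -Uri $RsUrl -UseDefaultCredential
$inherited = $true
$policies  = $rs.GetPolicies($ReportPath, [ref]$inherited)
$policies | ForEach-Object {
    [pscustomobject]@{
        Principal = $_.GroupUserName
        Roles     = ($_.Roles.Name -join ', ')
        Inherited = $inherited
    }
}

# Direct matches only: access granted through a Windows group is not resolved here.
if ($policies.GroupUserName -contains $effective) {
    "$effective has a role assignment on $ReportPath"
} else {
    "$effective has no direct role assignment on $ReportPath"
}
```

If the identity has no assignment, a dedicated service account given only the Browser role on the report folder is the narrowest grant that lets `LoadReport` succeed.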