Server Report with Data Source Extension that calls into WCF WSHttpBinding is failing. A 'Code' field with the same WCF call works fine though RRS feed

  • Question

  • Hi

    Here is the environment I am having this issue in

    - ASP.NET 3.x
    - Server Report
    - FullTrust configured
    - ASP.NET web.config configured with 

        <authentication mode="Windows"/>
        <identity impersonate="true"/>

    - From within Visual Studio 2008 IDE Debug Environment
    - IE7
    - Server Report contains a dataset configured with a Data Source Extension writting in a DLL (DLL configured with 'FullTrust' in the policy config file)
    - The datasource code in DLL connects to a WCF service to return back a 'DataTable'
    - Server Report contains the following field that is 'bound' to that returned 'DataTable'

          =First(Fields!ResultOfCall.Value, "DataSet1");

    - The report also has another 'Code' field with a call into the same WCF service as follows:


    - The WCF endpoint with WSHttpBinding; WCF Operation being called is configured with a

          'Impersonation = ImpersonationOption.Required'

    The DLL is calling the WCF operation with

    webService.ClientCredentials.Windows.AllowedImpersonationLevel =  

    From the SQL Server Business Intelligence Dev Studio,  Preview tab everything works fine.  The Data Source Extension returns back the Data Table fine and the field is populated with the correct data from the WCF call. 

    But the same report from my web application or the SRSS Report Manager is failing with the following message for the '=First(Fields!ResultOfCall.Value, "DataSet1");' field.  Where as, the WCF call from the 'Code' field works fine.

            The caller was not authenticated by the service.The request for security token could not be 
    satisfied because authentication failed.

    My question is:

    Is there any configuration that I am missing?  I had a similar problem with a 'LocalReport' that I fixed using the LocalReport.AddTrustedCodeModuleInCurrentAppDomain method.  Is there anything equivalent for the ServerReport.

    I really appreciate any help or pointers regarding this issue.

    - Athadu

    Friday, October 23, 2009 4:11 PM

All replies

  • Here are my findings related to this issue - If someone could validate/confirm this - that would be great!

    I have the Remote Server Report being generated in the following scenario - with Windows Authentication and Impersonation turned on in Report Server as well as my WCF Web Service

           Client Application (Report Manager web App) on Desktop A - impersonating and connecting to Report Server on Server A - impersonating and connecting to WCF Web Service Server on Server B 

    Because of the many (two) ‘hops’, the second Impersonation is not working – due to the following explanation  from the msdn link


    The network environment determines the kinds of connections you can support. For example, 
    if the Kerberos version 5 protocol is enabled, you might be able to use the delegation and
    impersonation features available in Windows Authentication to support connections across multiple
    servers. If your network does not support these security features, you will need to work around
    connection constraints. If delegation and impersonation are not enabled, Windows credentials can
    be passed across one computer connection before they expire. A user connection to a report server
    counts as the first connection. If the user opens a report that retrieves data from a remote server,
    that login counts as a second connection and will fail if you specified the connection to use
    integrated security when delegation is not enabled.

    As  a workaround, I have to either use a specific account at the first or the second hop; or host both the Report Server as well as the WCF Web Service on the same physical server.

    Tuesday, October 27, 2009 8:32 PM