none
ReportViewer, Forms Authentication and Impersonating Authenticated User RRS feed

  • Question

  • I am using Forms Authentication against AD and everything is working perfectly.  I have a reportviewer control that I would like to impersonate the authenticated user when making the report request.  Seems easy enough, and there are all sorts of combinations available, but I am at a loss to *easily* accomplish this.  When using just the normal Impersonate="true" in web.config, it impersonates the service account asp runs as.  In order to impersonate with reportviewer the only way I see to get the credentials in there is to know the username / password / domain.   I found a solution that accomplishes this (by encrypting all three and putting them in a cookie, then decrypting them on the return call to put in the ServerCredentials).

    Note - RS is running out of the box, in native (non sharepoint) mode, using Windows Authentication.  I need to keep it this way as users will still be hitting the native Portal and I do not want to penalize them to enter their credentials each time they visit.

    I imagine this scenario is covered in the design of RS, but I just haven't figured out how to do it.  If anyone can offer suggestions I am all ears.  :)

    Thanks in advance,
    John
    Monday, October 25, 2010 5:45 PM

Answers

  • Hi John,

    Based on your description, I understand that you have a web application, which is configured to use Forms Authentication. In the web application, you want to use reportviewer control to render a report server report, and the report server is configured to user Windows Authentication. Now, you want to know how to impersonate the client's credential to the report server. If I have misunderstood, please don't hesitate to let me know.

    By default, a web application is running under the application pool identity. If the 'Impersonate' is enabled, it will try to impersonate the client's credential to access remote resource. However, in this case, since the web application is configured to use Forms Authentication, there is no valid Windows credential to be impersonated.
    So, we need to pass a Windows credential(NewworkCredential with username/password/domain) to the report server explicitly. This solution is actually the one you mentioned.

    Another possible workaround is that:

    1. Create a new web application, which is using Windows Authentication.
    2. In this new web application, use the reportviewer control to render the report.
    3. In the original web application, use IFrame to show the new web application to show the report.

    This workaround allows the user to access the report without implementing any code. However, there is a limitation, if the end-user know the address of the new web application, they can access it directlly without logging in the original web application.
    Of course, there are some network solutions that can restrict the end-user to access the new application directly.

    For your reference, there is an article describes how to impersonate a user explictly:
    http://support.microsoft.com/kb/306158

    If you have any more questions, please feel free to ask.

    Thanks,
    Jin Chen


    Jin Chen - MSFT
    • Marked as answer by John Hennesey Wednesday, October 27, 2010 1:07 PM
    Wednesday, October 27, 2010 8:45 AM
    Moderator
  • Jin- Thank you for your response.  I was (incorrectly) thinking that with Forms Authentication it was possible to pass the token/credentials to the ReportViewer control, which would take care of the plumbing for me.  I understand now why it won't...  Thank you for the workaround suggestion, after reading your post I decided to use the solution posted here: http://adventuresinsoftware.com/blog/?p=539

    Thanks again,
    John

    • Marked as answer by John Hennesey Wednesday, October 27, 2010 1:07 PM
    Wednesday, October 27, 2010 1:07 PM

All replies

  • Hi John,

    Based on your description, I understand that you have a web application, which is configured to use Forms Authentication. In the web application, you want to use reportviewer control to render a report server report, and the report server is configured to user Windows Authentication. Now, you want to know how to impersonate the client's credential to the report server. If I have misunderstood, please don't hesitate to let me know.

    By default, a web application is running under the application pool identity. If the 'Impersonate' is enabled, it will try to impersonate the client's credential to access remote resource. However, in this case, since the web application is configured to use Forms Authentication, there is no valid Windows credential to be impersonated.
    So, we need to pass a Windows credential(NewworkCredential with username/password/domain) to the report server explicitly. This solution is actually the one you mentioned.

    Another possible workaround is that:

    1. Create a new web application, which is using Windows Authentication.
    2. In this new web application, use the reportviewer control to render the report.
    3. In the original web application, use IFrame to show the new web application to show the report.

    This workaround allows the user to access the report without implementing any code. However, there is a limitation, if the end-user know the address of the new web application, they can access it directlly without logging in the original web application.
    Of course, there are some network solutions that can restrict the end-user to access the new application directly.

    For your reference, there is an article describes how to impersonate a user explictly:
    http://support.microsoft.com/kb/306158

    If you have any more questions, please feel free to ask.

    Thanks,
    Jin Chen


    Jin Chen - MSFT
    • Marked as answer by John Hennesey Wednesday, October 27, 2010 1:07 PM
    Wednesday, October 27, 2010 8:45 AM
    Moderator
  • Jin- Thank you for your response.  I was (incorrectly) thinking that with Forms Authentication it was possible to pass the token/credentials to the ReportViewer control, which would take care of the plumbing for me.  I understand now why it won't...  Thank you for the workaround suggestion, after reading your post I decided to use the solution posted here: http://adventuresinsoftware.com/blog/?p=539

    Thanks again,
    John

    • Marked as answer by John Hennesey Wednesday, October 27, 2010 1:07 PM
    Wednesday, October 27, 2010 1:07 PM