none
Web service request failed with HTTP status 401: Unauthorized in ssrs 2008 r2 RRS feed

  • Question

  • We have an issue in our production environment where accessing the web service end point - /ReportServer/ReportExecution2005.asmx fails with an 401 unauthorized error.

    If I access the http://<machine-name>/reportserver or http://<machine-name>/reports from a browser which is started under the same account as the one used to make the above explained web service request, I am able to view the reportserver/reports pages.

    To further troubleshoot this issue I enabled report server http logs and tried analyzing them. Here are some distinct differents

    HTTP Logs when accessing the http://<machine-name>/reports from a browser

    __________________________________________________________________________ 

    08/12/2011 13:01:15 - 151.149.240.105 20480 hofdvxncapsql1.kih.kmart.com GET /Reports/Pages/Report.aspx ?ItemPath=%2fTest 401 642 0 1.1 hydrogen.win.fms.net - - http://hydrogen.win.fms.net/Reports/Pages/Folder.aspx 

    08/12/2011 13:01:15 - 151.149.240.105 20480 hydrogen.win.fms.net GET /Reports/Pages/Report.aspx ?ItemPath=%2fTest 401 720 0 1.1 hydrogen.win.fms.net - - http://hydrogen.win.fms.net/Reports/Pages/Folder.aspx 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 381 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 15 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 16 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 358 15 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 436 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 862 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 363 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 441 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 930 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 15 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 1360 47 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 16 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 364 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 442 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 833 15 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 357 0 1.1 localhost - - - 

    08/12/2011 13:01:15 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 435 0 1.1 localhost - - - 

    08/12/2011 13:01:15 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 819 15 1.1 localhost - - - 

    08/12/2011 13:01:16 - 127.0.0.1 20480 localhost GET /ReportServer  401 47 0 1.1 localhost - - - 

    08/12/2011 13:01:16 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 516 0 1.1 localhost - - - 

    08/12/2011 13:01:16 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 594 0 1.1 localhost - - - 

    08/12/2011 13:01:16 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  200 987 640 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 363 0 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  401 441 0 1.1 localhost - - - 

    08/12/2011 13:01:17 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportService2010.asmx  200 918 16 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 510 0 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 588 0 1.1 localhost - - - 

    08/12/2011 13:01:17 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  200 1009 62 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 522 0 1.1 localhost - - - 

    08/12/2011 13:01:17 - 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  401 600 0 1.1 localhost - - - 

    08/12/2011 13:01:17 FMS\appuser 127.0.0.1 20480 localhost POST /ReportServer/ReportExecution2005.asmx  200 999 15 1.1 localhost - - - 

    08/12/2011 13:01:17 FMS\appuser 151.149.240.105 20480 hydrogen.win.fms.net GET /Reports/Pages/Report.aspx ?ItemPath=%2fTest 200 892 2671 1.1 hydrogen.win.fms.net - - http://hydrogen.win.fms.net/Reports/Pages/Folder.aspx 
    ____________________________________________________________________________

    HTTP logs when making the web service request from java

    ____________________________________________________________________________

    08/12/2011 11:42:07 - 151.149.240.105 20480 hydrogen.win.fms.net POST /ReportServer/ReportExecution2005.asmx  401 282 0 1.1 hydrogen.win.fms.net - - - 

    08/12/2011 11:42:07 - 151.149.240.105 20480 hydrogen.win.fms.net POST /ReportServer/ReportExecution2005.asmx  401 404 0 1.1 hydrogen.win.fms.net - - - 

    08/12/2011 11:42:07 - 151.149.240.105 20480 hydrogen.win.fms.net POST /ReportServer/ReportExecution2005.asmx  401 488 219 1.1 hydrogen.win.fms.net - - - 
    ____________________________________________________________________________

    As you can see, while making the web service request the username doesn't get evaluated.  Another strange fact is that, when making the request to the reports page from the browser, the request gets redirected to the loopback address and then again gets translated to the correct IP address.

    Any suggestions on how to move ahead for resolving this issue would be appreciated. Thank you. 

    Saturday, August 13, 2011 11:46 AM

Answers

  • I found the root cause of the issue. The root cause was that the server and domain had NoLMHashPolicy configured. This meant that windows would not store the LM hash value of the password. Since the NTLM protocol implementation we computed only the LM hash value and the NT Hash, the authentication failed. 

    The fix involves modifying the protocol implementation to compute the NT Response Hash before sending the Type3 message to the server.

    Thanks for the help.


    Technet Forum Issue
    • Marked as answer by Eileen Zhao Wednesday, September 7, 2011 3:01 AM
    Wednesday, August 31, 2011 2:02 PM

All replies

  • Hi Hi_i_am_Amit,

    Based on the error message that you have provided, please refer to the following links:

    Reporting Services 2008: "HTTP status 401: Unauthorized: http://forums.asp.net/t/1606942.aspx/1
    SQL Server Reporting Service (SSRS) - HTTP Status 401 Unauthorized Error: http://patelnirav.blogspot.com/2008/05/sql-server-reporting-service-ssrs-http.html

    Hope that helps you.

    Thanks,
    Eileen
    Monday, August 15, 2011 8:17 AM
  • Thanks Eileen for the reply. The first link sounds relevant to the error but the solution proposed in that link (I solved this by simply using the name of the server instead of the domain name) didn't solve my problem. i.e. Instead of passing the host name as hydrogen.win.fms.net I just passed hydrogen as the parameter value for host name and when specifying in the report server url. 
    Two other points which supports to this failure are that 
    1. when I navigate to http://hydrogen.win.fms.net/Reports/ page, the reports page gets displayed.  
    2. Accessing the report server through web service and through the browser are NOT done from the machine where the report server is installed. This was one point about loopback check that the article point out.
    So I think that the root cause of this issue might be different from the one specified on http://forums.asp.net/t/1606942.aspx/1.
    Please let me know if you have any more suggestions.

    Technet Forum Issue
    Monday, August 15, 2011 9:10 AM
  • On investigating the report server http logs further, I realized that the web service requests are http POST requests while the url request from the browser is a http GET request. 

    Is there any configuration property in the report server configuration files which could block http POST web service requests?


    Technet Forum Issue
    Tuesday, August 16, 2011 12:42 PM
  • I also enabled verbose logging for the report server and found the below statement in the ReportingServerService_<timestamp>.log file 

    http!rshost !d6c!<date-time>:: v VERBOSE: Authentication failed with error state: 14

    I tried researching more on error state 14 but wasn't able to find any information. Can someone throw some insight on this?


    Technet Forum Issue
    • Marked as answer by Hi_i_am_Amit Thursday, August 18, 2011 5:29 PM
    • Unmarked as answer by Hi_i_am_Amit Thursday, August 18, 2011 5:37 PM
    Tuesday, August 16, 2011 6:37 PM
  • While troubleshooting more on this issue, I realized that since SSRS 2008 uses the operating system component - HTTPSYS for authentication, I enabled its error logging with the hope to get a more detailed view of whats happening behind the scenes.

    But there were no error logs when the web service call was made. Does this mean that something else failed before http sys was called? Any detailed information on report server configuration would be helpful.


    Technet Forum Issue
    Thursday, August 18, 2011 5:36 PM
  • Another important update-

    On looking at the windows security event viewer logs, I realized that the value for the "User" property of event id - 529 is NTAuthority\System when a web service request is made, while it is FMS\appuser when the browser request is made. Looks like something critical. 

    Does anyone have any idea on what controls the value of the "User" property when log-on events are logged under windows security?


    Technet Forum Issue
    Saturday, August 20, 2011 6:22 PM
  • Hi Hi_iam_Amit,

    Please refer to links as below, and then check if it works for you.

    How to: Configure Windows Authentication in Reporting Services: http://msdn.microsoft.com/en-us/library/cc281253.aspx
    Security Event 529 is logged for local user accounts: http://support.microsoft.com/kb/811082

    Hope these information could help you.

    Thanks,
    Eileen

    Monday, August 22, 2011 7:14 AM
  • Thanks for the response. Basically the event id 529 was logged under NTAuthority\System user because of the username or the password are incorrect (as the error message indicates).

    On further troubleshooting, I realized that the NTLM protocol implementation used for authentication did not add the NTLM Response (or NTLM Hash) in the Type 3 message. I confirmed that the browser (IE) request adds this NTLM Hash. This NTLM implementation works elsewhere but fails only on one particular windows machine. 

    Could this be the root cause of the issue? (Not adding the NTLM Challenge Response in the Type 3 message). If so, what setting leads to an authentication failure if the NTLM Hash is not computed by the client?

    Thank you.


    Technet Forum Issue
    Tuesday, August 23, 2011 4:36 PM
  • I found the root cause of the issue. The root cause was that the server and domain had NoLMHashPolicy configured. This meant that windows would not store the LM hash value of the password. Since the NTLM protocol implementation we computed only the LM hash value and the NT Hash, the authentication failed. 

    The fix involves modifying the protocol implementation to compute the NT Response Hash before sending the Type3 message to the server.

    Thanks for the help.


    Technet Forum Issue
    • Marked as answer by Eileen Zhao Wednesday, September 7, 2011 3:01 AM
    Wednesday, August 31, 2011 2:02 PM
  • Hi Hi_i_am_Amit,

    I am glad that you have solved the issue by yourself and thank you for sharing your solutions and experience here. It will be very beneficial for other community members who have similar questions.

    Thanks,
    Eileen
    Wednesday, September 7, 2011 3:01 AM
  • Where did you make this fix?
    Sonya
    Tuesday, September 13, 2011 9:31 PM
  • The fix is to be made in the protocol implementation. I use the commons httpclient java library to make the web service authentication. So the fix is to be made by providing a new implementation of the NTLM protocol.
    Technet Forum Issue
    Thursday, September 15, 2011 4:25 PM