Monday, December 19, 2011

Setting up Anonymous Access for Reporting Services in SQL Server 2008 R2.

DISCLAIMER: ANONYMOUS ACCESS IS NOT RECOMMENDED as it may give direct access to your report server or report objects to any one who knows the URL of your reporting services. Additional security measurements are required while handling with anonymous access.
Microsoft has made some fundamental modifications with SQL Server 2008 Reporting Services security architecture. Reporting Services and Web Component now do not need IIS or Web Server as Reporting Services now run on it's own http.sys and serves the reports request from within http.sys.
The biggest challenge I faced while configuring Reporting Services was Anonymous Access as Anonymous Access is no more an option available to be configured easily. To enable Anonymous Access you need to configure config files and also compile dll to provide extension to Reporting Services to allow Anonymous access.
Here are the steps which can be performed to enable Anonymous Access in Reporting Services.

  • Change the authentication mode in rsreportserver.config to Custom
<Authentication>
<AuthenticationTypes>
<Custom/>
</AuthenticationTypes>
<EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
  • Change the Authentication mode in web.config file in ReportServer to None. Also change the Impersonation to false.
<authentication mode="None" />
<identity impersonate="false"/>
  • Compile the code from this location to bin folder as Microsoft.Samples.ReportingServices.AnonymousSecurity.dll Or copy it from this location and paste it to bin folder in ReportServer.
  • Add Extensions in rsreportserver.config
    • Add the additional extension in Security Tag
<Security>
<Extension Name="None" Type="Microsoft.Samples.ReportingServices.AnonymousSecurity.Authorization, Microsoft.Samples.ReportingServices.AnonymousSecurity" />
</Security>
    • Add the additional extension in Authentication Tag
<Authentication>
<Extension Name="None" Type="Microsoft.Samples.ReportingServices.AnonymousSecurity.AuthenticationExtension, Microsoft.Samples.ReportingServices.AnonymousSecurity" />
</Authentication>
  • Add the following codegroup to configure the code access security in rssrvpolicy.config
<CodeGroup
class="UnionCodeGroup"
version="1"
PermissionSetName="FullTrust"
Name="Private_assembly"
Description="This code group grants custom code full trust. ">
<IMembershipCondition
class="UrlMembershipCondition"
version="1"
Url="C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\Microsoft.Samples.ReportingServices.AnonymousSecurity.dll"
/>
</CodeGroup>
Restart the reporting services, Anonymous Access should work.

76 comments:

  1. The jist of it is, I followed your instructions (and double checked my changes) and now I just get "Internet Explorer cannot display web page" when trying to run a report through our application or just browsing to http://localhost/reports. The only thing I wasn't really clear on is where specifically to put the section you have listed and also whether to delete any existing items from the config files, I assumed I did not need to remove anything as your instructions just said to add.

    Any thoughts?

    Thanks.

    ReplyDelete
  2. Disregard previous post. It was a dumb mistake on my part and now everything seems to be working great. Thanks for this blog, helped me out alot!!

    ReplyDelete
    Replies
    1. What was the mistake you made? I made the same changes and I'm getting the same 503 error message.

      Delete
    2. I am also getting the same 503 error. I started over and made sure everything was good and the right case. How was resolved.

      Delete
    3. Hi,
      I followed the same procedure, double checked all my changes. When i hit http://localhost/reports,
      I am getting "Page can't be displayed" error. Can anyone explain in detail how we can set it up correctly.Please reply ASAP.

      Delete
    4. Vishy, the most common issues can be: Case Sensitiveness, and dll location. Make sure that you refer to the dll location from your system after it downloading it.

      Delete
    5. Vishy, you may also refer to Report Server Logs to find the root cause.

      Delete
  3. I was quite busy and could not respond on time, but it is glad to read that the issue has been fixed.
    Thanks - Swarndeep

    ReplyDelete
  4. I cannot find the web.config file on the server nor the directory C:\inetpub\wwwroot. We have Reporting Services 2008 R2.

    Does it mean, IIS need to be installed on the same server as Reporting Service 2008 R2 for the bove to work?

    ReplyDelete
    Replies
    1. You don't need IIS for reporting services on 2008 R2, Reporting Services has it's own http.sys.

      With default installation, you can see the web.config in the following locations:

      X:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer
      X:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportManager

      X: is your installation drive.

      Hope this will help.

      Regards
      Swarndeep

      Delete
    2. Yes. This had worked.

      Thank you very much for sharing your knowledge.

      Delete
  5. I have been trying for SSRS 2008R2 reports access from my one of the server which are delpoyed on it (O.S windows 2008 R2 server) to my web
    application which is hosted on another server ..
    I tried by using reportviewer and by passing the server credentails.
    I am getting an error :
    Unable to connect to the remote server
    A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond IPAddess:80

    plzz help me..

    ReplyDelete
  6. It looks like you have setup your report server, but unable to open the reports from remote machine.

    There are few things to check:

    1. Try that you can run report locally on the report server.

    2. If not, then make sure that your have setup your report server and report manager from report configuration manager correctly. And these are available on port 80 (regular) or port 443 (SSL). Also check other configurations like database connectivity etc.

    3. Make sure that the remote machine is able to reach the report server. You may try ping or try telnet to the IP:Port to make sure the port is openened or not blocked by firewall.

    ReplyDelete
    Replies
    1. yes I can run and view my reports locally but I am unable to access report server from my client machine even though it is allowing for remote access using mstsc(I opened the ports 80 and 1433).

      Delete
  7. Since you are able to access reports locally, I assume that something is blocking the reports being accessed over the network. Did you disable all firewalls and internet protection tools ?

    ReplyDelete
  8. Great post, thanks for the help.

    Do you know if MS has made it easier is SSRS 2010?

    ReplyDelete
  9. Hi Swarndeep

    The problem I have with this configuration is, that everyone can edit and delete reports via the web interface.

    I just need all users to be able to see the finished reports and PDFs, do you have any idea to accomplish this?

    Hope you see and understand my post ;-)

    ReplyDelete
    Replies
    1. Hi,

      In my knowledge, there are two options you can accomplish this, 1. Disable the anonymous access for Report Manager or 2. Change the IP address of report manager URL to listen to 127.0.0.1.

      I am explaining the option 2:

      Open Reporting Services Configuration Manager, Connect to server, Go to "Report Manager URL" option and then change the IP to local host only (127.0.0.1) and delete all other IPs from list. This way users who login to report server machine can only modify or add reports, external users cannot even connect to report manager. This won't impact the report service URL.

      If you have scale out deployment or multiple servers part of same report server deployment then you have to follow this process to all report servers, so that access is denied from all servers.

      Hope this helps!

      Delete
    2. Hi Swarndeep

      Thanks for yout reply!

      Sadly option 2 is no option for me because i need certain users to be able to modify and create new reports.

      P.S. Can you explain the difference between the ReportServer and the Reports URL?

      Like I said I only need users to be able to view reports as PDFs.

      Delete
    3. The best solution for me would be:

      - Everybody can view the reports as PDF.
      - Users have to login if the need to modify or create new reports.

      Best Regards

      Delete
  10. Hi,
    I have tried your steps that you were posted, then now my http://localhost/reports shown error "the attemt to connect to the report server failed. Check your connection information and that the report server is a compatible"

    Please help...thank

    ReplyDelete
  11. Hi Swarndeep,

    Can you tell me what modifications I need to make to get this to work with SQL Server Express 2008 R2. Following the steps above and changing the path to the dll in the rssrvpolicy.config gave me a 503 service unavailable error.

    ReplyDelete
  12. Hi Arun,

    I was busy and could not reply. If you have followed the steps carefully, it should work. The parameter values ex: authentication mode etc., needs to be case sensitive. I have faced this problems many times and face similar issues.

    Hope this helps!
    -Swarndeep

    ReplyDelete
    Replies
    1. Hi

      I also have a 503 service error, I have double checked everything and it seems as I have followed your instructions.

      Is it possible to see a copy of a working reportserver, policy and webconfig file?

      THanks.
      BR Rasmus

      Delete
    2. Hi

      As far as you have followed the steps carefully, there should not be any problem. The keywords used in configuration files are case sensitive, just double check it.

      I would say restore original files and then start again.

      Unfortunately, I cannot post the files on public site due to IP Addresses, Domain namesm, etc used in those files.


      Hopefully will be able to fix the issue.

      Thanks

      Delete
    3. Thanks for your answer.
      I think I am almost through now - I can open Report Manager and see all reports after the amendments and restart of SSRS. But I get an internal error message when I try to open the reports - do you have any ideas?

      BR Rasmus

      Delete
    4. I could take a look if you post the error details here!

      -Swarndeep

      Delete
  13. Hi Swarndeep,
    I have tried the steps you mentioned and its working.
    Is there any other way by which we can give permission to particular domain user apart from anonymous access, by that the particular domain user can only access the SSRS Report Server ("MAINLY SYSTEM SHOULD NOT PROMPT FOR LOG IN AUTHENTICATION").

    ReplyDelete
    Replies
    1. You may setup the report level security in that case. Or the other option is to use the custom authentication method.

      Delete
    2. Hi thanks for the reply, my exact requirement is to launch the report builder from my website, when I am trying to launch SSRS 2008 report builder system prompts for authentication and this get fixed by setting anonymous access to the report server as per your example.
      But as security concern is by any another way can we launch the SSRS 2008 Report Builder without anonymous access and not prompting authentication pls.

      Delete
  14. Hi Swarndeep, I was looking at implementing this but I am nervous about the security issue. I am showing my reports in a pop up control so my ssrs server should be hidden. Beyond me applying an SSL to the server what other steps could/should I do to protect me server?

    ReplyDelete
  15. Security is definitely an issue with Anonymous. Consider Anonymous like a website that you can open without web site asking your it's domain credentials.

    However, you can implement Custom Authentication method. I have not yet written any code for custom authentication method.

    What I personally prefer do at my end that when user logs on to application, it creates a GUID and keeps it in a table. When same user goes into the report server, on of the parameters in report is the GUID, passed by application. This way it will be secured, on the user who has a valid GUID can see the report result.

    Disclaimer: My comments should only be considered with "NO GUARANTEE" and not affiliated anyways with Microsoft or any other company/organization.

    ReplyDelete
  16. Hi Swarndeep, I followed your steps and updated all the config files but unable to restart SSRS. In the event log its logged as "Service cannot be started. Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error. ---> System.Exception: The configuration file contains an element that is not valid. The Extension element is not a configuration file element". What could be the reason? I have tried with compiling the code and well as using the dll provided your link.

    ReplyDelete
    Replies
    1. This comment has been removed by the author.

      Delete
    2. I have seen these issues mostly because of XML elements written in different case. The parameters and Elements in configuration files (from example) are case sensitive and if these elements do not match the case it errors out.

      I would suggest that you double check all of the elements and then restart the SSRS service.

      Hopefully this helps!

      Delete
    3. Thanks for the quick reply. I again followed your instructions, but instead of adding the extensions replaced the existing with what you have provided and could successfully restart SSRS.

      Delete
  17. tried it on 2012 . it work . thanks.

    ReplyDelete
  18. Great Thanks for posting your comment, it will help Other SQL Users too.

    ReplyDelete
  19. I am receiving this message when trying to access SSRS:

    The report server is not responding. Verify that the report server is running and can be accessed from this computer.


    and this one in event viewer:

    Message: Could not load file or assembly 'App_global.asax.crh-_xz8, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant permission to execute. (Exception from HRESULT: 0x80131418)

    Do you know what could be wrong? (of course the service is running!)

    ReplyDelete
  20. @magalhaesv:

    I had this error message too.

    In my case, I had downloaded the dll from a different site.
    Only after downloading it from the link above I was able to access the Reporting Services.

    Now it is working for me

    ReplyDelete
  21. Thanks you are fantastic.
    On the report manager it says:
    An internal error occurred on the report server. See the error log for more details. (rsInternalError)
    For more information about this error navigate to the report server on the local server machine, or enable remote errors

    ReplyDelete
  22. and when I open the LogFile the last paragraph says:

    --- End of inner exception stack trace ---;
    library!ReportServer_0-2!1c68!11/30/2012-21:47:16:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: Internal error, Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details. ---> System.IO.FileLoadException: Could not load file or assembly 'Microsoft.ReportingServices.ProcessingObjectModel, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91' or one of its dependencies. Access is denied.
    File name: 'Microsoft.ReportingServices.ProcessingObjectModel, Version=11.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91'
    at Microsoft.ReportingServices.OnDemandProcessing.OnDemandProcessingContext..ctor(ProcessingContext originalProcessingContext, Report report, ErrorContext errorContext, DateTime executionTime, Boolean snapshotProcessing, IConfiguration configuration)
    at Microsoft.ReportingServices.ReportProcessing.ReportProcessing.ProcessReportParameters(DateTime executionTimeStamp, ProcessingContext pc, Boolean isSnapshot, Boolean& needsUpgrade)
    at Microsoft.ReportingServices.Library.RSService.ProcessReportParameters(ReportProcessing repProc, CatalogItemContext reportContext, IChunkFactory getChunkFactory, CreateDataExtensionInstance howToCreateDataExtensionInstance, RuntimeDataSourceInfoCollection allDataSources, RuntimeDataSetInfoCollection allDataSets, ParameterInfoCollection newParameters, DateTime executionTime, Boolean isSnapshot)
    at Microsoft.ReportingServices.Library.RSService.InternalGetReportParametersForRendering(CatalogItemContext reportContext, Guid reportID, Guid linkID, DateTime snapshotExecutionDate, IStoredParameterSource storedParamSource, NameValueCollection values, RuntimeDataSourceInfoCollection allDataSources, RuntimeDataSetInfoCollection allDataSets)
    at Microsoft.ReportingServices.Library.ProcessReportParametersCancelableStep.Execute()
    at Microsoft.ReportingServices.Diagnostics.CancelablePhaseBase.ExecuteWrapper()

    ReplyDelete
    Replies
    1. I would suggest two things,
      1. Try giving full rights on .Net Framework binaries (typically in C:\Windows\Microsoft.Net\Framework).

      2. Make sure that the bin folder of report server has full rights, specially where dll files are located.

      Delete
  23. Thank you for a great effort but I give up - after trying what you suggested I had to change the execution user from reportserver@dwh to Network Service in order to grant permissions on framework and hereafter I get this error:

    The report server cannot decrypt the symmetric key that is used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. (rsReportServerDisabled)

    ReplyDelete
    Replies
    1. Rasmus,

      Sorry to hear that. Mostly this is very straight forward process, but sometimes, it need few tweaks and tunes.

      You see the decryption error possibly due to the use of different service account which was used earlier. Rather than changing the service account, you may change the permission of folders/files, if you want to give it one more try.

      Best of Luck.

      - Swarndeep

      Delete
  24. Thanks - yes I chaged the service account as I couldn't find the default in SSRS when I wanted to give it full access on the folders. Is there another way of changing the security on the folder than giving full access to user x?

    ReplyDelete
  25. Great article, really helpful and good information.

    ReplyDelete
  26. i have followed all the steps that are defined here, once the restarted i am not getting un available page, can't access the reportserver URL. do this require the reportservice should under network/domain service accoutnt.basically i have created the local account on the server to run the service. is there any way or any trace log file to check the exact error message..

    ReplyDelete
  27. i managed to setup anonymous access. However everything on the report server is available to public. I want only reports be available to public (not datasources )

    ReplyDelete
  28. Works in SQL SERVER 2008 r2 express

    thank you
    Works with sql server express, not only must insert (not change the file) "Add The Following codegroup to configure the code access security in rssrvpolicy.config"
    I also do not enter ""
    And in the first part I inserted the following:



    Off
    Proxy
    True


    thank you

    ReplyDelete
    Replies
    1. Works in SQL SERVER 2008 r2 express

      Works with sql server express, not only must insert (not change the file) "Add The Following codegroup to configure the code access security in rssrvpolicy.config"
      I also do not enter "identity impersonate =" false "
      Note that the first part ("Change the authentication mode in rsreportserver.config to Custom") must enter the custom tag and replace only the false for true
      thank you

      Delete
  29. hi,

    i got this message

    "The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.


    can you send me your mail id - i will send you my config files

    ReplyDelete
  30. please send me config file on this id- manishcal16@yahoo.com
    Regards,
    Manish

    ReplyDelete
  31. Regarding the error: "The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version."

    I solved this by making sure that the addtional CodeGroup section was not the first (i.e. I added it after the rest of the other CodeGroup elements).

    Also in SQL Server 2008 R2 don't remove the following lines under Authentication:

    Off
    Proxy

    ReplyDelete
    Replies
    1. Oops some of the text was cut off. The lines under Authentication (I referred to) were the RSWindowsExtendedProtectionLevel and RSWindowsExtendedProtectionScenario elements.

      Delete
    2. I could kiss u right now have spend 3 days working at this problem finally worked
      JL

      Delete
  32. Hi I believe I've followed the above steps but I get this error message,

    extensionfactory!ReportServer_0-1!330!02/08/2013-15:43:43:: e ERROR: Exception caught instantiating None report server extension: System.IO.FileLoadException: Could not load file or assembly 'Microsoft.Samples.ReportingServices.AnonymousSecurity, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The parameter is incorrect. (Exception from HRESULT: 0x80070057 (E_INVALIDARG))
    File name: 'Microsoft.Samples.ReportingServices.AnonymousSecurity, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ---> System.ArgumentException: Invalid directory on URL.
    at System.Security.Policy.PolicyLevel.GenericResolve(Evidence evidence, Boolean& allConst

    Its having trouble accessing the .dll but has the correct location for the dll "rssrvpolicy.config"

    Any other ideas?

    ReplyDelete
    Replies
    1. There may be many reasons for this.

      * Make sure that you have correct path.
      * The configuration is case sensitive, make sure that that you copy the path to file in the orifinal case sensitiveness.
      * Any wrong keyword
      * If the problem persists, The best way is to startover and probably the error disapears when you startover, as you may have missed some of the configurations.

      Hope this helps!
      - Swarndeep

      Delete
  33. Hey Swarndeep,

    Thank you for these instructions. I think I'm 80% towards geting this working, but I keep getting errors when browsing directly to the //locahost/reportserver page and I think my problem is in the rssrvpolicy part. Depending what I edit in this file, I either get an HTTP 500 error, or I get the following from the reportserver page:

    An internal error occurred on the report server. See the error log for more details. (rsInternalError) Get Online Help
    Unable to cast object of type 'Microsoft.Samples.ReportingServices.AnonymousSecurity.Authorization' to type 'Microsoft.ReportingServices.Interfaces.IAuthenticationExtension'.


    Can you pleae clarify, do I add the code group at the end of the other code group listings? Or do I edit the exisiting class=UrlMembershipcondition listing?

    Here's my oroginal rssrvpolicy code group listing, if you could point in the right direction that would be most apprecaited!


























    Stuart

    ReplyDelete
  34. Swarndeep, I am new to an environment that was set up this way. The issue I am having is with applying Security.

    Prior to setup I see users listed under Site Settings -> Security and can add new role assignments.

    After making the changes you list I see no users under the Site Settings -> Security tab and get the following error when adding a new role assignment:

    An error occurred within the report server database. This may be due to a connection failure, timeout or low disk condition within the database. (rsReportServerDatabaseError) Get Online Help Procedure or function 'SetSystemPolicy' expects parameter '@PrimarySecDesc', which was not supplied.

    Do you have any ideas?

    ReplyDelete
  35. If something is missing in configuration, then reports do crash. I would suggest restoring the original copy for all configuration files and start again. It is otherwise difficult to find out what was missed out.

    Also, Important to know that the configuration settings are "Case Sensitive".

    ReplyDelete
  36. Thank you so much... you saved my day!

    ReplyDelete
  37. For all the people that encountered the 503 error when restarting the SSRS server, you need to replace whole the authentication section in rsreportserver.config to the following:


    Authentication>
    AuthenticationTypes>
    Custom />
    /AuthenticationTypes>
    RSWindowsExtendedProtectionLevel>Off/RSWindowsExtendedProtectionLevel>
    RSWindowsExtendedProtectionScenario>Proxy/RSWindowsExtendedProtectionScenario>
    EnableAuthPersistence>true/EnableAuthPersistence>
    /Authentication>

    besides that point the article is very helpful - Thanks.
    Edge Team

    ReplyDelete
    Replies
    1. You are gr8! Thanks!

      Delete
    2. Thanks Anonymous. It works on 2012! The two lines of codes below is missing in Swarndeep blog. I guess the codes he provided is expected to be embedded in the Authentication elements instead of totally removing the existing Authentication element and replace it with the codes he provided. Off.
      Proxy. For those who are experiencing http 503 error - just copy the codes provided by Anonymous above. If your server is not starting after implementing all instructions provided by Swarndeep, you need to review the exact locations where you did put the codes - like the or the exact path of the .dll file. In SQL 2012 the path is MSRS11.MSSQLSERVER instead of MSRS10.MSSQLSERVER for SQL 2008. Take note of the difference MSRS11 (2012) and MSRS10 (2008). Thank you so much everyone and most especially to Swarndeep.

      Delete
  38. Hello Swarndeep,

    Requirment: when user logging in to my website(developed in asp.net), it should redirect to "http://domain/Reportserver/report/Folder.aspx" which is report server manager's URL. And user should not in the domain. but he should see respective folders

    How it is possible? What i need to do? please do me favour for this to fix this problem.

    Thanks in Advance

    --
    Regards
    Ashwin

    ReplyDelete
  39. Hi Swarnadeep,I have done Every thing in SQL SERVER 2008 R2,but got error like below
    "The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version in SSRS".
    please help me its urgent
    Regards,
    Samba

    ReplyDelete
  40. Hi Swarndeep,
    Great post, Followed everything that you have written but getting following error,

    An error has occurred during report processing. (rsProcessingAborted)
    Cannot impersonate user for data source 'Test2Source'. (rsErrorImpersonatingUser)
    This data source is configured to use Windows integrated security. Windows integrated security is either disabled for this report server or your report server is using Trusted Account mode. (rsWindowsIntegratedSecurityDisabled)

    Can you please look into this and assist me to get it working.

    ReplyDelete
    Replies
    1. Any update on this please...Anybody...I am trying to get this resolved at earliest.

      Delete
  41. Hi,
    Getting Error Like below."The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version in SSRS " worked as 2008 R2.
    Tell me why its coming?

    ReplyDelete
  42. Hi, Instead of saying "dummy user" can i have a different name?

    ReplyDelete
  43. I get this error after making the modifications:

    The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.


    I am on SQL 2012

    ReplyDelete
  44. Hi Swarndeep,

    Thanks a lot. It worked. I spent many hours earlier to make it work. Microsoft lacks proper documentation in this area.

    Regards,
    Mohammed

    ReplyDelete
  45. Hi Swarndeep

    Does this works for SSRS 2016 as well ???

    Regards
    Kailash

    ReplyDelete

Using Azure Storage for SQL Backups

you may have taken backups on local storage, file servers, NAS, etc. Now a days it is becoming crucial you have backup copies available in...

Contact Me

Name

Email *

Message *