ReportViewer Connection to Remote Server
in [Reports]
|
Prev: NULL Parameter in Data Driven Subscription
Next: "Action Canceled" Message when running the Report
From: JPS on 17 Jul 2006 01:41 Hello, I have a ReportViewer placed in a webform in remote mode and am having a difficult time getting it to connect to a remote 2005 Report Server. I can connect to the report manager remotely; however, all my attempts at connnecting a reportviewer to that same Report Server has failed. I believe it has something to do with impersonation but everything I see is in c# and I use vb.net. A step by step tutorial using VB.NET would be great but I have been unable to locate any. Any suggestions? Thanks, John
From: Steven Cheng[MSFT] on 17 Jul 2006 05:28 Hello John, Thank you for posting in the MSDN newsgroup. From your description, I understand you're developing an ASP.NET application which use the webform reportViewer control to access and display some server-reports from the SSRS 2005 reportserver. However, you found that the reportviewer always failed to connect to the reportserver(server report), correct? If there is anything I missed, please feel free to let me know. As for this problem, based on my experience, it is likely cause by security permission setting issue. What's the error messge you got in the reportviewer control at runtime, is it a message indicate that the current security context doesn't have sufficient permission? First, I'd like to confrim some environment info about the problem server machine and the reportserver with you: 1. Is the SSRS reportserver installed with default setting?(using integrated windows security in IIS) Also, have you ever customized the role based security setting of the certain report you want to access in reportviewer? 2. What's OS and IIS version of your ASP.NET web application's host machine? Is it IIS 5 or IIS6. If you haven't manually configured to use impersonate for your ASP.NET application, the reportViewer page will run under your ASP.NET application's process identity and use this identity to access the remote reportserver. For IIS6, ASP.NET process identity is configured in the application pool identity and the default value is "NT AUTHORITY\NETWORK SERVICE". As for IIS5, is still use the machine.config's <processModel> section for setting ASP.NET process identity and the default value is machine\ASPNET. The following msdn article also described on configuring ASP.NET process identity: #Configuring ASP.NET Process Identity http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx And in your page you can use the following code snippet to printout the current security identity: ============= protected void Page_Load(object sender, EventArgs e) { Response.Write("<br/>Identity: " + System.Security.Principal.WindowsIdentity.GetCurrent().Name); } ============= 3. After you've detect and ensure the running security identity of your ASP.NET application(the one reportviewer will use to access the remote report server). You can consider the role based permission setting on the remote reportServer. First, you should check whether the security identity can be identified and recognized on the remote reportserver machine. for example, the "NT AUTHORITY\NETWORK SERVICE" account is recognized as the machine's account on remote machine in windows domain. After you've verified that the identity can be recognized as a valid account on the remote reportserver, you should grant that account the sufficient permission to access that report. Generally, since we only view the report, so the "browser" role is sufficient. You can grant certain user/group one or more roles through the ReportManager or SQL Server management studio. Here are some resources on SSRS 2005 role based security managment: #Using Role-Based Security http://msdn2.microsoft.com/en-us/library/ms156014.aspx #Role Assignments http://msdn2.microsoft.com/en-us/library/ms156406.aspx #Creating, Modifying, and Deleting Role Definitions http://msdn2.microsoft.com/en-us/library/ms156264.aspx And I've also attached a screenshot of the role management interface in the ReportManager web application(grant a certain user with certain role). If you have anything unclear on the above things or if there is any further questions, please feel free to let me know. Sincerely, Steven Cheng Microsoft MSDN Online Support Lead ================================================== Get notification to my posts through email? Please refer to http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif ications. Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/subscriptions/support/default.aspx. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
From: JPS on 17 Jul 2006 12:00 Hello Steven, >What's the error messge you got in the > reportviewer control at runtime, is it a message indicate that the current > security context doesn't have sufficient permission? The request failed with HTTP status 401: Unauthorized. > 1. Is the SSRS reportserver installed with default setting?(using > integrated windows security in IIS) Also, have you ever customized the > role based security setting of the certain report you want to access in > reportviewer? The SSRS is using integrated windows security in IIS and I have not customized any role-based security in the report. > 2. What's OS and IIS version of your ASP.NET web application's host > machine? Is it IIS 5 or IIS6. If you haven't manually configured to use > impersonate for your ASP.NET application, the reportViewer page will run > under your ASP.NET application's process identity and use this identity to > access the remote reportserver. For IIS6, ASP.NET process identity is > configured in the application pool identity and the default value is "NT > AUTHORITY\NETWORK SERVICE". As for IIS5, is still use the machine.config's > <processModel> section for setting ASP.NET process identity and the default > value is machine\ASPNET. The following msdn article also described on > configuring ASP.NET process identity: > > #Configuring ASP.NET Process Identity > http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx > > And in your page you can use the following code snippet to printout the > current security identity: > > ============= > protected void Page_Load(object sender, EventArgs e) > { > Response.Write("<br/>Identity: " + > System.Security.Principal.WindowsIdentity.GetCurrent().Name); > } > ============= I am currently developing on a WinXP Pro OS and trying to connect to the SSRS 2005 on a Windows 2003 Standard OS. I will eventually need to move my application to a production web server that is running Windows 2003 Web Edition and connecting to a SSRS 2005 installation on a remote Windows Standard 2003 server. I tried changing the identity in the machine.config; however, no matter what I change it to I get a response.write computername\mywindowsloginname when I run in the integrated file based development environment. If I launch it from IIS5 I get computername\ASPNET. I can not go any further in your steps until I get this resolved. Thanks, John "Steven Cheng[MSFT]" wrote: > Hello John, > > Thank you for posting in the MSDN newsgroup. > > From your description, I understand you're developing an ASP.NET > application which use the webform reportViewer control to access and > display some server-reports from the SSRS 2005 reportserver. However, you > found that the reportviewer always failed to connect to the > reportserver(server report), correct? If there is anything I missed, please > feel free to let me know. > > As for this problem, based on my experience, it is likely cause by security > permission setting issue. What's the error messge you got in the > reportviewer control at runtime, is it a message indicate that the current > security context doesn't have sufficient permission? First, I'd like to > confrim some environment info about the problem server machine and the > reportserver with you: > > 1. Is the SSRS reportserver installed with default setting?(using > integrated windows security in IIS) Also, have you ever customized the > role based security setting of the certain report you want to access in > reportviewer? > > 2. What's OS and IIS version of your ASP.NET web application's host > machine? Is it IIS 5 or IIS6. If you haven't manually configured to use > impersonate for your ASP.NET application, the reportViewer page will run > under your ASP.NET application's process identity and use this identity to > access the remote reportserver. For IIS6, ASP.NET process identity is > configured in the application pool identity and the default value is "NT > AUTHORITY\NETWORK SERVICE". As for IIS5, is still use the machine.config's > <processModel> section for setting ASP.NET process identity and the default > value is machine\ASPNET. The following msdn article also described on > configuring ASP.NET process identity: > > #Configuring ASP.NET Process Identity > http://msdn2.microsoft.com/en-us/library/dwc1xthy.aspx > > And in your page you can use the following code snippet to printout the > current security identity: > > ============= > protected void Page_Load(object sender, EventArgs e) > { > Response.Write("<br/>Identity: " + > System.Security.Principal.WindowsIdentity.GetCurrent().Name); > } > ============= > > > 3. After you've detect and ensure the running security identity of your > ASP.NET application(the one reportviewer will use to access the remote > report server). You can consider the role based permission setting on the > remote reportServer. First, you should check whether the security identity > can be identified and recognized on the remote reportserver machine. for > example, the "NT AUTHORITY\NETWORK SERVICE" account is recognized as the > machine's account on remote machine in windows domain. After you've > verified that the identity can be recognized as a valid account on the > remote reportserver, you should grant that account the sufficient > permission to access that report. Generally, since we only view the report, > so the "browser" role is sufficient. You can grant certain user/group one > or more roles through the ReportManager or SQL Server management studio. > Here are some resources on SSRS 2005 role based security managment: > > #Using Role-Based Security > http://msdn2.microsoft.com/en-us/library/ms156014.aspx > > #Role Assignments > http://msdn2.microsoft.com/en-us/library/ms156406.aspx > > #Creating, Modifying, and Deleting Role Definitions > http://msdn2.microsoft.com/en-us/library/ms156264.aspx > > And I've also attached a screenshot of the role management interface in the > ReportManager web application(grant a certain user with certain role). > > If you have anything unclear on the above things or if there is any further > questions, please feel free to let me know. > > Sincerely, > > Steven Cheng > > Microsoft MSDN Online Support Lead > > > > =========================
From: Steven Cheng[MSFT] on 17 Jul 2006 22:35 Hello John, Thanks for your response. From your further description, I've got that your current development machine is a winxp box and the error you got is a "401 unauthorized" error. I think this is due to the security identity passed from your XP dev box is not recognizable in the reportserver machine(2003 test server). Here is my understanding and analysis on the following symptom you described: =============== I tried changing the identity in the machine.config; however, no matter what I change it to I get a response.write computername\mywindowsloginname when I run in the integrated file based development environment. If I launch it from IIS5 I get computername\ASPNET. =============== At first, when you change different identities in the machine.config, since you're developing through the VS 2005 built-in tes webserver/File system based project), the ASP.NET application is always running in the test server and will run under your current logon user accountand.(That's why you always see the "computername\mylogonuser") Thus, the reportViewer will use this identity to access remote server report, surely this local account is not valid on the remote reportserver machine(different machine) and the IIS windows authentication will fail with 401. Again, when you host the ASP.NET application in IIS, it will use the ASP.NET worker process identity which is configured in the <processModel> element in machine.config, and by default it is "machine\ASPNET". And this account is also a machine specfic local account, therefore it is also invalid when the reportviewer use the it to access the remote reportserver. To resolve this, you can consider the following possible means: 1. When deveoping use Test web server, logon with a domain account (have sufficient permission on the devbox) which is also recognizable on the remote reportserver machine. This require that both machines are in the same local domain. 2. Still developing use the test webserver, and still logon with a local account. However, you need to create a duplicated local account on the remote reportserver machine(with the same username and password). This can make your local account on XP dev machine also recognizable(be authenticated) on the remote reportserver machine. This is a workable solution for all windows system use NTLM authentication. 3. If you will use IIS host ASP.NET application, then just change the account in the <processModel> element in machine.config. And which account to use also reference to the #1 and #2 BTW, when you finally move the ASP.NET application to a windows 2003 server, since IIS6 use application pool to configure worker process identity and it use "NetworkService" account by default(this account is recognized as the server's machine account on other remote machines in the same domain), it'll be eaiser for you to configure the security setting if your machines are in a domain environment. Please feel free to let me know if there is anything unclear or if you still have any other concerns on this. Regards, Steven Cheng Microsoft MSDN Online Support Lead ================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. ================================================== This posting is provided "AS IS" with no warranties, and confers no rights.
From: JPS on 18 Jul 2006 13:25 Hello Steven, I added a user account to the remote server with my local machine's username and password. I gave that user Administrative priveledges. Also, my local and my remote computers are on two seperate domains. I am no longer getting the error: The request failed with HTTP status 401: Unauthorized. I am now getting the following error: The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version. The request failed with HTTP status 404: Not Found. If I change the password on the remote server to be different than my local password, I once again get the 401 unauthorized error. It therefore seems to me that I am little farther. What would you suggest? Thanks, John "Steven Cheng[MSFT]" wrote: > Hello John, > > Thanks for your response. > > From your further description, I've got that your current development > machine is a winxp box and the error you got is a "401 unauthorized" error. > I think this is due to the security identity passed from your XP dev box is > not recognizable in the reportserver machine(2003 test server). Here is my > understanding and analysis on the following symptom you described: > > =============== > I tried changing the identity in the machine.config; however, no matter > what > I change it to I get a response.write computername\mywindowsloginname when > I > run in the integrated file based development environment. If I launch it > from > IIS5 I get computername\ASPNET. > =============== > > At first, when you change different identities in the machine.config, since > you're developing through the VS 2005 built-in tes webserver/File system > based project), the ASP.NET application is always running in the test > server and will run under your current logon user accountand.(That's why > you always see the "computername\mylogonuser") Thus, the reportViewer will > use this identity to access remote server report, surely this local account > is not valid on the remote reportserver machine(different machine) and the > IIS windows authentication will fail with 401. > > Again, when you host the ASP.NET application in IIS, it will use the > ASP.NET worker process identity which is configured in the <processModel> > element in machine.config, and by default it is "machine\ASPNET". And this > account is also a machine specfic local account, therefore it is also > invalid when the reportviewer use the it to access the remote reportserver. > > > > To resolve this, you can consider the following possible means: > > 1. When deveoping use Test web server, logon with a domain account (have > sufficient permission on the devbox) which is also recognizable on the > remote reportserver machine. This require that both machines are in the > same local domain. > > 2. Still developing use the test webserver, and still logon with a local > account. However, you need to create a duplicated local account on the > remote reportserver machine(with the same username and password). This can > make your local account on XP dev machine also recognizable(be > authenticated) on the remote reportserver machine. This is a workable > solution for all windows system use NTLM authentication. > > 3. If you will use IIS host ASP.NET application, then just change the > account in the <processModel> element in machine.config. And which account > to use also reference to the #1 and #2 > > BTW, when you finally move the ASP.NET application to a windows 2003 > server, since IIS6 use application pool to configure worker process > identity and it use "NetworkService" account by default(this account is > recognized as the server's machine account on other remote machines in the > same domain), it'll be eaiser for you to configure the security setting if > your machines are in a domain environment. > > Please feel free to let me know if there is anything unclear or if you > still have any other concerns on this. > > Regards, > > Steven Cheng > Microsoft MSDN Online Support Lead > > > ================================================== > > When responding to posts, please "Reply to Group" via your newsreader so > that others may > > learn and benefit from your issue. > > ================================================== > > > This posting is provided "AS IS" with no warranties, and confers no rights. > > > > > > > > >
|
Next
|
Last
Pages: 1 2 3 4 Prev: NULL Parameter in Data Driven Subscription Next: "Action Canceled" Message when running the Report |