Reporting Services accepts requests or NTLM authentication. the deployment includes client applications and browsers. that use security providers, default values without extra configuration. The use of different security provider for Windows integrated security. the default values restore original settings use authentication settings on the report server.
Windows integrated security user requires access to a report server. It must have valid Windows local or domain user account or be a member of a Windows local or domain group account. the accounts from other domains as long as those domains trusted. The accounts access to the report server computer.
Windows Authentication Report Server
The following more requirements
-
The ReportServer.config files RSWindowsNegotiate, RSWindowsKerberos, or RSWindowsNTLM. By default, the RSReportServer.config file includes the RSWindowsNegotiate Setting Report Server service. The account is either NetworkService or LocalSystem. otherwise, the RSWindowsNTLM setting used. The add RSWindowsKerberos applications use Kerberos authentication.
-
ASP.NET configured for Windows Authentication. the Web.config files Report Server Web service setting. The change fail.
-
The Web.config files Report Server Web service have.
-
The client application or browser must support Windows integrated security.
-
The web portal does not need extra configuration.
the report server edits the XML elements and ReportServer.config file. The copy and paste the examples in this topic to put in place specific combinations.
Extended Protection for Authentication
SQL Server support Protection for Authentication. It supports binding and protection of authentication. The features operating system supports Extended Protection. Reporting Services configuration for protection determined by settings in the RSReportServer.config file.
To configure a report server to use Windows integrated security
-
Open RSReportServer.config in a text editor.
-
Find <Authentication>.
-
Copy XML structures that best fit needs.
-
Paste the existing entries for <Authentication>. that cannot use Custom with the RS Windows types.
-
Change the settings for extended protection. Extended protection disabled by default. If these entries are not present. the current computer runs Reporting Services extended protection.
-
Save the file.
-
configured report servers in the deployment.
-
Restart the report server to clear sessions are currently open.
-
The Report Server service runs as a Windows domain user account. the did not register a Service Principal Name for the account.
-
The report server configured with the RSWindowsNegotiate setting.
-
The browser chooses Kerberos over NTLM in the authentication header request. it sends to the report server. The detect error enabled Kerberos logging. the error prompted for the empty time browser window.
-
Register an SPN for the Report Server service under the domain user account.
-
Change the service account to run under a built-in account such as Network Service. Built-in accounts map HTTP SPN to the Host SPN defined join a computer to the network.
-
Use NTLM generally work in cases Kerberos authentication fails.
Logging information
The several sources of logging information resolve Kerberos related issues.
User-Account-Control Attribute
The Reporting Services service account has the enough attribute set in Active Directory. Review the reporting services service trace log file to UserAccountControl attribute. The value logged is in decimal form. the convert the decimal value to hexadecimal form. the find MSDN topic describing User Account Control Attribute.
-
converting the value Decimal value to hexadecimal form Microsoft Windows Calculator. It supports several modes show the 'Dec' option and 'Hex' options. Select the 'Dec' option paste or type in the decimal value found in the log file and then select the 'Hex' option.
-
the User Account Control Attribute to the service account.
SPNs Configured in Active Directory for the Reporting Services service account.
the SPNs in the Reporting Services service trace log file. The can enable the Reporting Services Extended Protection feature.
The Browser Chooses Negotiated Kerberos or Negotiated NTLM
The Internet Explorer connect to the report server, it specifies either Negotiated Kerberos. NTLM on the authentication header. NTLM used instead of Kerberos when:
-
The request sent to a local report server.
-
The request sent to an IP address of the report server computer rather than a host header or server name.
-
Firewall block ports use Kerberos authentication.
-
The operating system particular server does not Kerberos enabled.
-
The domain older versions client and server operating systems. that do not support the Kerberos authentication versions of the operating system.
Report Server URL
If the URL includes the qualified domain name, Internet Explorer selects NTLM. If the URL specifies localhost, Internet Explorer selects NTLM.
LAN and Proxy Settings on the Client
LAN and proxy settings in Internet Explorer determine whether NTLM chose over Kerberos.