Kerberos SPN Generation Setup Tool – SSRS 2005


 

The last post, “Kerberos SPN Generation Setup Tool – Common Tab”, reviewed the first input tab, which collects the required domain information.  This post continues the “Kerberos SPN Generation Setup Tool” series, which describes how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Microsoft BI tools.  It covers how to enter information for SQL Server Reporting Services 2005 (SSRS 2005) on the “SSRS2005 tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data from the browser?  The best security overview that I could find is: Planning for Services, Accounts, and Connections.  While this overview is for SSRS 2008, it is similar to SSRS 2005.  In SSRS 2005, IIS plays a role as well.

SSRS2005Example

SPN Generation Tool – Required and Optional Information

If you want to set up an SSRS 2005 instance with Kerberos, then use this tab.  For all input sections, required fields are denoted by the darker colored input field shading.  Remember that the Common tab input information is also required.

ssrs2005entry

Application Server – Where the SSRS Instance is Installed.

Enter the information for the machine where SSRS 2005 is installed.  It is assumed that the database and the SSRS 2005 instance are installed on different machines; otherwise, you wouldn’t need to do this delegation.

Some installations may have more than one SSRS instance installed.  Make sure to determine whether it is the default instance (MSSQLSERVER) or a named instance.  You only need to specify the port number when the port is not the default port and you chose not to use a host header.  In other words, you would specify a port if the URL you enter into a browser to reach the instance contains both the machine name and the port number.

SQL_SSRS

DNS Information – Host (A) Name Record / IIS – Host Header

In this example, we will use a host header A-Record.  For our example, “ReportMachine” will be the machine name where we have SSRS 2005 instances running.  For the instance that we are interested in, we will create an A-Record called reporting2005.  The A-Record will correspond to the RS2005 SSRS Instance.

A host header is used to essentially specify the port number for the reporting services instance on the machine.  IIS redirects traffic with the Host (A) record name in the calling url to the appropriate port in the reporting services machine (and basically the appropriate reporting services instance).  Make sure to set up IIS to use Host Headers.  You do not need to specify the port number in the tool when you use a host header.

SSRS2005DNS

Reporting Server Information – Service Accounts

You can find the service account information by running the SSRS 2005 Reporting Services Configuration Manager.

Web Service Identity

SSRS2005WebSI

Windows Service Identity

SSRS2005WSI

Database Instance

Fill in the machine information where the relational data resides for the SSRS reporting services instance.  In our example, this will be the “sqldb” machine.  This machine will have multiple SQL Database instances running on it.  In fact, it could be a SQL Cluster.  Just use the Cluster Resource Group Name and the appropriate port number.  In our case port 20000 will correspond to the Named Database Instance “Instance2”.

The database service account can be found in the SQL Server Configuration Manager on the database machine.  Since we are accessing SQL Server relational data, we want to select the service account that corresponds to this.

SQLDB

Named Database Instance Note:

While the tool supports named instances, I have observed issues with named instances and the cluster manager.  Also, named instances are still relatively new as far as Kerberos is concerned.  You may observe issues with older applications and ODBC or OLE connection strings / drivers.  Active Directory 2003 may need a hotfix to enable named instances as well.

SSRS2005 Tab Completed

The screen shot below shows the SSRS2005 tab filled out for this example.

SSRS2005

Note: While there are multiple service types, the default values (shown in column C) are typically used.  If the report went after cube data (SSAS), then the service type would be different.  See the Service Type drop down for details.

Messages

Upon completing the steps above, you should have a “Green” traffic light and the error message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  For now, the Delegation tab will show the default delegation that is suggested.
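The SPNs conventionally registered for the example topology above, as an added PowerShell example (not output from the tool and not the author's code). The domain example.local and both account names are constructed placeholders, and setspn -Q requires the setspn version that ships with Windows Server 2008 or later.

```powershell
# Added example: host names and port mirror the post's example; the domain and
# the account names are constructed placeholders, not values from the post.
$Domain      = 'example.local'          # placeholder for the Common tab domain
$WebIdentity = 'EXAMPLE\svc-ssrs-web'   # placeholder: SSRS Web Service Identity
$DbIdentity  = 'EXAMPLE\svc-sqldb'      # placeholder: SQL Server service account

$HostHeader  = 'reporting2005'          # A-record / IIS host header from the post
$DbHost      = 'sqldb'                  # database machine or cluster resource group name
$DbPort      = 20000                    # port of the named instance "Instance2"

function New-SpnPair {
    param([string]$ServiceClass, [string]$HostName, [string]$Domain, [int]$Port = 0)
    # Emit both the short and the fully qualified form, because clients may
    # request a ticket using either name.
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    "${ServiceClass}/${HostName}${suffix}"
    "${ServiceClass}/${HostName}.${Domain}${suffix}"
}

$plan = @()
foreach ($spn in New-SpnPair -ServiceClass 'HTTP' -HostName $HostHeader -Domain $Domain) {
    $plan += [pscustomobject]@{ Spn = $spn; Account = $WebIdentity }
}
foreach ($spn in New-SpnPair -ServiceClass 'MSSQLSvc' -HostName $DbHost -Domain $Domain -Port $DbPort) {
    $plan += [pscustomobject]@{ Spn = $spn; Account = $DbIdentity }
}

foreach ($item in $plan) {
    # setspn -Q searches the directory for an existing registration of this SPN.
    # A duplicate SPN on a second account makes Kerberos authentication fail.
    $result = & setspn.exe -Q $item.Spn 2>&1 | Out-String
    if ($result -match 'No such SPN found') {
        # Printed, not executed: review, then run with rights to write SPNs.
        "setspn -A $($item.Spn) $($item.Account)"
    } else {
        Write-Warning "Check $($item.Spn) before adding it:`n$result"
    }
}
```

After registering, setspn -L followed by the account name lists what each account actually holds.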

Other SSRS 2005 Tips and Tricks

While it is assumed that you have some background in setting up Kerberos, I have listed a few tips to check out for SSRS 2005 with IIS 7 in Windows Server 2008.

IIS

http://support.microsoft.com/kb/953130 – (Do this for each SSRS 2005 instance – each “Reports” and “ReportServer” site)

Additionally, if you run Internet Information Services 7.0 set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. This file is located in the following folder:  C:\Windows\System32\Inetsrv\Config

After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:

<snip>

<system.webServer>
<security>
     <authentication>
             <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
     </authentication>
</security>
</system.webServer>

</snip>
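One way to check this setting for each “Reports” and “ReportServer” location, as an added PowerShell example that is not part of the original post. The $sample fragment and its location paths are constructed; on a real server, load ApplicationHost.config from the folder named above instead.

```powershell
# Added example. $sample is a constructed fragment used so the check runs offline.
$sample = @'
<configuration>
  <location path="Default Web Site/ReportServer">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Reports">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

function Test-AppPoolCredentials {
    param([xml]$Config)
    foreach ($node in $Config.SelectNodes('//windowsAuthentication')) {
        # Find the enclosing <location> to learn which site or application this covers.
        $loc     = $node.SelectSingleNode('ancestor::location')
        $path    = if ($loc) { $loc.GetAttribute('path') } else { '(server default)' }
        $enabled = $node.GetAttribute('enabled')
        $kernel  = $node.GetAttribute('useKernelMode')          # empty string when absent
        $appPool = $node.GetAttribute('useAppPoolCredentials')  # empty string when absent
        [pscustomobject]@{
            Location              = $path
            Enabled               = $enabled
            UseKernelMode         = $kernel
            UseAppPoolCredentials = $appPool
            # With kernel-mode authentication on (the IIS 7.0 default) and this
            # attribute absent or false, tickets are decrypted with the machine
            # account, so an HTTP SPN held by the service account will not match.
            NeedsFix = ($enabled -eq 'true') -and ($kernel -ne 'false') -and ($appPool -ne 'true')
        }
    }
}

Test-AppPoolCredentials -Config ([xml]$sample) | Format-Table -AutoSize
```

In the constructed sample, only the Reports location is flagged, because it omits useAppPoolCredentials.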

Config Files

If you used a host header (“reporting2005” in our example), update the configuration items below.

RSReportServer.config

C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportServer\rsreportserver.config

<!-- Replace this line with the line below
<UrlRoot>http://ReportMachine/reportserver</UrlRoot> -->

<UrlRoot>http://reporting2005/reportserver</UrlRoot>

If you get the error message “The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.”, make the following change in RSWebApplication.config.

RSWebApplication.config – (http://social.msdn.microsoft.com/Forums/en-US/sqlreportingservices/thread/530ed56d-7c84-4d13-8998-80a8bf142197)

C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportManager\RSWebApplication.config (default location)

<!-- Replaced these two lines with the following 2 lines
<ReportServerUrl></ReportServerUrl>
<ReportServerVirtualDirectory>ReportServer</ReportServerVirtualDirectory> -->

<ReportServerUrl>http://reporting2005/ReportServer</ReportServerUrl>

<ReportServerVirtualDirectory></ReportServerVirtualDirectory>

Windows 2008

How to install and how to configure SQL Server 2005 Reporting Services on a computer that is running Windows Server 2008.

After All that, I Still have a 401.1 Error

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version.

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.


5 Responses to Kerberos SPN Generation Setup Tool – SSRS 2005

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool – SSRS 2008 | FUTURESULTS, LLC Blog

  3. Martin G says:

    I wonder if the tool will work on servers / services that exist in my domain (SSRS, SSAS), but the SSAS “service account” is in another, but trusted, domain. I get the following error during GENERATE… “warning: no accounts found with samAccountName”. Ideas?

    • FUTURESULTS says:

      My understanding is that Kerberos does not work in cross domain setups. So if you have DOMAIN1 and DOMAIN2 (even trusted), this will not work.

    • FUTURESULTS says:

      The reason that you get the warning “no accounts found with samAccountName” is that the tool is looking for the account in the domain specified in the “Common Tab”. My guess is that your service account is in your other domain.
