The last post “Kerberos SPN Generation Setup Tool – Common Tab” reviewed the first input section tab for required domain information. This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Microsoft BI tools. This post covers how to enter information for SQL Server Reporting Services 2005 (SSRS 2005) on the “SSRS2005 tab”. You can download the Kerberos SPN Generation Setup Tool Beta at FUTURESULTS, LLC.
Draw a Picture
The first step is to always have a picture of the data flow. How does the user get to the data from the browser? The best security overview that I could find is: Planning for Services, Accounts, and Connections. While this overview is for SSRS 2008, it is similar to SSRS 2005. In SSRS 2005, IIS plays a role as well.
SPN Generation Tool – Required and Optional Information
If you want to set up an SSRS 2005 instance with Kerberos, then use this tab. For all input sections, required fields are denoted by the darker colored input field shading. Remember that the Common tab input information is also required.
Application Server – Where the SSRS Instance is Installed.
Enter the information for the machine where SSRS 2005 is installed. It is assumed that the database and the SSRS 2005 instance are installed on different machines; otherwise you wouldn’t need to do this delegation.
Some installations may have more than one SSRS instance installed. Make sure to determine whether it is the default instance (MSSQLSERVER) or a named instance. You only need to specify the port number when the port is not the default port and you chose not to use a host header. In other words, you would specify a port if the URL you enter into a browser to reach the instance contains both the machine name and the port number.
DNS Information – Host (A) Name Record / IIS – Host Header
In this example, we will use a host header A-Record. For our example, “ReportMachine” will be the machine name where we have SSRS 2005 instances running. For the instance that we are interested in, we will create an A-Record called reporting2005. The A-Record will correspond to the RS2005 SSRS Instance.
A host header essentially takes the place of the port number for the Reporting Services instance on the machine. IIS directs traffic that has the Host (A) record name in the calling URL to the appropriate port on the Reporting Services machine (and so to the appropriate Reporting Services instance). Make sure to set up IIS to use host headers. You do not need to specify the port number in the tool when you use a host header.
Reporting Server Information – Service Accounts
You can find the service account information by running the SSRS 2005 Reporting Services Configuration Manager.
Web Service Identity
Windows Service Identity
Fill in the machine information where the relational data resides for the SSRS reporting services instance. In our example, this will be the “sqldb” machine. This machine will have multiple SQL Database instances running on it. In fact, it could be a SQL Cluster. Just use the Cluster Resource Group Name and the appropriate port number. In our case port 20000 will correspond to the Named Database Instance “Instance2”.
The database service account can be found in the SQL Server Configuration Manager on the database machine. Since we are accessing SQL Server relational data, we want to select the service account that corresponds to this.
Named Database Instance Note:
While the tool supports named instances, I have observed issues with named instances and the cluster manager. Also, named instances are still relatively new as far as Kerberos is concerned. You may observe issues with older applications and ODBC or OLE connection strings / drivers. Active Directory 2003 may need a hotfix to enable named instances as well.
SSRS2005 Tab Completed
The screen shot below shows the SSRS2005 tab filled out for this example.
Note: While there are multiple service types, the default values (shown in column C) are typically used. If the report went after cube data (SSAS), then the service type would be different. See the Service Type drop-down for details.
Upon completing the steps above, you should have a “Green” traffic light and the error message shown above. If the light is yellow, you haven’t completed all of the required information. If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab. Delegation will be covered in a future post. For now, the Delegation tab will show the default delegation that is suggested.
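The inputs in this example imply HTTP SPNs for the host header on the Web Service Identity account and MSSQLSvc SPNs for the database machine and port on the database service account. The script below is an added example, not part of the original post or the tool's own output; it checks Active Directory for those SPNs and flags missing, duplicate or misassigned ones. The domain, NetBIOS name and account names are hypothetical placeholders.

```powershell
# Added example. Host names and the port come from the post; the domain and
# account names are hypothetical placeholders.
$Domain     = 'example.local'   # hypothetical AD DNS domain
$NetBios    = 'EXAMPLE'         # hypothetical NetBIOS domain name
$WebAccount = 'svc-ssrsweb'     # hypothetical Web Service Identity account
$SqlAccount = 'svc-sqldb'       # hypothetical SQL Server service account
$HostHeader = 'reporting2005'   # Host (A) record / IIS host header
$DbHost     = 'sqldb'           # database machine or cluster resource group name
$DbPort     = 20000             # port of the named instance "Instance2"

# Expected SPN -> owning account. Listing both the short and the fully
# qualified host name is a choice of this example.
$expected = @(
    @{ Spn = "HTTP/$HostHeader";                   Account = $WebAccount }
    @{ Spn = "HTTP/$HostHeader.$Domain";           Account = $WebAccount }
    @{ Spn = "MSSQLSvc/${DbHost}:$DbPort";         Account = $SqlAccount }
    @{ Spn = "MSSQLSvc/$DbHost.${Domain}:$DbPort"; Account = $SqlAccount }
)

foreach ($e in $expected) {
    # Find every object in the current domain that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$($e.Spn))"
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if ($owners.Count -eq 0)           { $status = 'MISSING' }
    elseif ($owners.Count -gt 1)       { $status = 'DUPLICATE' }   # an SPN must be unique
    elseif ($owners[0] -ne $e.Account) { $status = 'WRONG ACCOUNT' }
    else                               { $status = 'OK' }

    [pscustomobject]@{
        Spn      = $e.Spn
        Expected = $e.Account
        Found    = $owners -join ', '
        Status   = $status
        # setspn -S refuses to add an SPN that is already registered elsewhere.
        Register = "setspn -S $($e.Spn) $NetBios\$($e.Account)"
    }
}
```

Run it from a domain-joined machine and pipe the result to Format-List. It only reads from Active Directory and prints the setspn command for each SPN rather than running it.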
Other SSRS 2005 Tips and Tricks
While it is assumed that you have some background in setting up Kerberos, I have listed a few tips to check out for SSRS 2005 with IIS 7 in Windows Server 2008.
http://support.microsoft.com/kb/953130 – (Do this for each SSRS 2005 instance – each “Reports” and “ReportServer” site)
Additionally, if you run Internet Information Services 7.0, set the useAppPoolCredentials attribute value to true in the ApplicationHost.config file. This file is located in the following folder: C:\Windows\System32\Inetsrv\Config
After you make the change in the ApplicationHost.config file, the useAppPoolCredentials attribute value should resemble the following:
<windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
If you used a host header (in our example it is “reporting2005” for the configuration items below)
C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportServer\rsreportserver.config
<!-- <Replace this line with the line below
If you get the error message: The attempt to connect to the report server failed. Check your connection information and that the report server is a compatible version.
RSWebApplication.config – (http://social.msdn.microsoft.com/Forums/en-US/sqlreportingservices/thread/530ed56d-7c84-4d13-8998-80a8bf142197)
C:\Program Files\Microsoft SQL Server\MSSQL.1\Reporting Services\ReportManager\RSWebApplication.config (default location)
<!-- Replaced these two lines with the following 2 lines
After All that, I Still have a 401.1 Error
What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.