Kerberos SPN Generation Setup Tool – SSRS 2008

The last post “Kerberos SPN Generation Setup Tool – SSRS 2005” reviewed how to enter information for a SQL Server Reporting Services 2005 instance.  This is a continuation of the series of blog posts “Kerberos SPN Generation Setup Tool” that describe how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Microsoft BI tools.  This post covers how to enter information into the tool for SQL Server Reporting Services 2008 (SSRS 2008) – the “SSRS2008 tab”.  You can download the Kerberos SPN Generation Setup Tool Beta at .

Draw a Picture

The first step is to always have a picture of the data flow.  How does the user get to the data from the browser?  A great security overview for this topic is: Planning for Services, Accounts, and Connections.


Application Server – Where the SSRS Instance is Installed.

Enter the information for the machine where SSRS 2008 is installed.  It is assumed that the database and SSRS 2008 instance are installed on different machines otherwise you wouldn’t need to do this delegation.

Some installations may have more than one SSRS instance installed.  Make sure to determine if the instance is the default instance (MSSQLSERVER) or a named instance.  You only need to specify the port number in cases where the port number is not the default port and you chose not to use a host header.  In other words, you would specify a port if you enter a url into a browser to get to an instance and the url would contain both the machine name and port number.


DNS Information – Host (A) Name Record / IIS – Host Header

In this example, we will use a host header A-Record.  For our example, “ReportMachine” will be the machine name where we have SSRS 2008 instances running.  For the instance that we are interested in, we will create an A-Record called “reporting”.  The A-Record will correspond to the Default SSRS Instance (MSSQLSERVER).

A host header is used to essentially specify the port number for the reporting services instance on the machine.  DNS / IIS redirects traffic with the Host (A) record name in the calling url to the appropriate port in the reporting services machine (and basically the appropriate reporting services instance).  Make sure to set up IIS to use Host Headers.  You do not need to specify the port number in the tool when you use a host header.  Also, for this example we are using the default port (another reason not to specify the port number).  Notice that now instead of using IIS (like in the SSRS 2005 setup), the host header can be set up directly in the Reporting Services Configuration Manager.


Reporting Server Information – Service Account

You can find the service account information by running the SSRS 2008 Reporting Services Configuration Manager.  Notice that there is now only one Service Account (instead of 2 like in SSRS 2005).

Service Account


Database Instance

Fill in the machine information where the relational data resides for the SSRS reporting services instance.  In our example, this will be the “sqldb” machine.  This machine will have multiple SQL Database instances running on it.  In fact, it could be a SQL Cluster.  Just use the Cluster Resource Group Name and the appropriate port number.  In our case port 20000 will correspond to the Named Database Instance “Instance2”.

The database service account can be found in the SQL Server Configuration Manager on the database machine.  Since we are accessing SQL Server relational data, we want to select the service account that corresponds to this.


Named Database Instance Note:

While the tool supports named instances, I have observed issues with named instances and the cluster manager.  Also, named instances are still relatively new as far as Kerberos is concerned.  You may observe issues with older applications and ODBC or OLE connection strings / drivers.  Active Directory 2003 may need a hotfix to enable named instances as well.

SSRS2008 Tab Completed

The screen shot below shows the SSRS2008 tab filled out for this example.


Note: While there are multiple service types, the default values (shown in column C) are typically used.  If the report went after cube data (SSAS), then the service type for the Database machine would be different.  See the Service Type drop down for details.


Upon completing the steps above, you should have a “Green” traffic light and the message shown above.  If the light is yellow, you haven’t completed all of the required information.  If you have the green light, you should be able to enter more information on other tabs (if needed) or generate SPNs back on the Main tab.  Delegation will be covered in a future post.  For now, the Delegation tab will show the default delegation that is suggested.

Other SSRS 2008 Tips and Tricks

In general, I see no reason to install a new instance of SSRS 2005 any longer.  SSRS 2008 is much easier to install and has better functionality.  When used with Windows Server 2008, it is also much faster.  While it is assumed that you have some background in setting up Kerberos, I have listed a few tips to check out for SSRS 2008 in Windows Server 2008.


This is now part of the Operating System and you do not need to address it separately.  The host header can be set up in the Reporting Services Wizard.

401.1 Error

You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version.

For more information about the tool, read the tool overview “Kerberos SPN Generation Setup Tool”.  It is the online index of additional information about the Kerberos SPN Generation Setup Tool.

What additional features would you like to see in a Kerberos SPN setup tool?  Leave your suggestions below.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Website are both created by Robert Lambrecht.

This entry was posted in Kerberos, Microsoft BI - Security - Kerberos, Security and tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to Kerberos SPN Generation Setup Tool – SSRS 2008

  1. Pingback: Kerberos SPN Generation Setup Tool | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos SPN Generation Setup Tool – SSAS 2008 | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s