ReportingService2005 via WCF - works with impersonation, but not with username / password

Question

ReportingService2005 via WCF - works with impersonation, but not with username / password

I am connecting to the SSRS 2008 ReportingService2005 reporting service through WCF.

I have a work with impersonation like this:

ReportingService2005SoapClient rService = new ReportingService2005SoapClient("endpoint config name", "the url"); rService.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation; rService.ChannelFactory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

But when I try to give it a specific username / password, like this:

 rService.ChannelFactory.Credentials.Windows.ClientCredential = new NetworkCredential(username, password, domain);

I get this error on the first method call:

An HTTP request is not authorized using the 'Ntlm client authentication scheme. The authentication header received from the server was "NTLM".

Here is the relevant part of my wcf binding configuration:

 <basicHttpBinding> <binding name="ReportingService2005Soap" ... blah blah blah ... messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true"> <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" /> <security mode="TransportCredentialOnly"> <transport clientCredentialType="Ntlm" proxyCredentialType="Ntlm" realm=""/> <message clientCredentialType="UserName" algorithmSuite="Default" /> </security> </binding> </basicHttpBinding>

I am confused by the error message that mentions Ntlm in two different cases.

So the question is which of the two squillion different WCF settings do I need to bother to get this to work? :)

edit: here is the authentication bit from RSReportServer.config from the SSRS server:

 <Authentication> <AuthenticationTypes> <RSWindowsNegotiate/> <RSWindowsNTLM/> </AuthenticationTypes> <EnableAuthPersistence>true</EnableAuthPersistence> </Authentication>

and from SSRS web.config:

 <authentication mode="Windows" />

edit: For now, I will show the best answer, but it is still open, because I have not yet found a solution that allows me to set arbitrary credentials in the code.

+4

c # sql-server credentials wcf reporting-services

codeulike 12 sept '11 at 15:29

source share

3 answers

Change the attribute values of the transport element to:

 <transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />

Hope this helps ...

+1

kroonwijk 15 sept. '11 at 21:37

source share

Build around it by specifying:

 client.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Impersonation;

+1

karamazov1 Dec 6 '11 at 17:01

source share

Shiraz bhaiji · Accepted Answer · 2011-09-15T22:58:00+0000

OK new attempt.

WCF runs on IIS, SSRS uses Windows authentication.

When you have Windows authentication, it works because it uses the Windows security context.

When using the username and password, the IIS user is used. Which does not have access to SSRS.

So, to make it work:

Set imersonate = false in the WCF services security section of web.config.
This will force him to use the identity of the application pool.
Then change the identity of the application pool to a user who has access to SSRS

ReportingService2005 via WCF - works with impersonation, but not with username / password

More articles: