Geek Answers Handbook

SSRS Report Viewer + Credentials ASP.NET 401 Exception

I have a report saved on SQL2005 report server and I want to return the PDF rendering of this report. I understood this when working with the local * .rdlc file ( and I wrote about it ), but not when *. rdl is on the report server. I get error 401 Not Authorized in line ...

reportViewer.ServerReport.SetParameters(reportDefinition.ReportParameters);

The report rendering method is used here.

 public byte[] Render(IReportDefinition reportDefinition) { var reportViewer = new ReportViewer(); byte[] renderedReport; try { var credentials = new WindowsImpersonationCredentials(); reportViewer.ServerReport.ReportServerUrl = new Uri("http://myssrsbox", UrlKind.Absolute); reportViewer.ServerReport.ReportServerCredentials = credentials; reportViewer.ServerReport.ReportPath = reportDefinition.Path; // Exception is thrown on the following line... reportViewer.ServerReport.SetParameters(reportDefinition.ReportParameters); string mimeType; string encoding; string filenameExtension; string[] streams; Warning[] warnings; renderedReport = reportViewer.ServerReport.Render(reportDefinition.OutputType, reportDefinition.DeviceInfo, out mimeType, out encoding, out filenameExtension, out streams, out warnings); } catch (Exception ex) { // log the error... throw; } finally { reportViewer.Dispose(); } return renderedReport; }

Another thing you are missing is the WindowsImpersonationCredentials class.

 public class WindowsImpersonationCredentials : IReportServerCredentials { public bool GetFormsCredentials(out Cookie authCookie, out string userName, out string password, out string authority) { authCookie = null; userName = password = authority = null; return false; } public WindowsIdentity ImpersonationUser { get { return WindowsIdentity.GetCurrent(); } } public ICredentials NetworkCredentials { get { return null; } } public override string ToString() { return String.Format("WindowsIdentity: {0} ({1})", this.ImpersonationUser.Name, this.ImpersonationUser.User.Value); } }

Other things you might need ...

  • This works on the intranet and impersonation is enabled.
  • Logging indicates that the impersonation user is configured correctly.
  • This one works when working in Visual Studio ( http://localhost:devport ), and it works when working in my development area ( http://localhost/myApplication ). It does not work when working on our test or production servers.
  • I tried solutions both with system.net.defaultProxy settings and without them in web.config. None worked.

What am I doing wrong? Is this a server setup? Is this a code? Is this web.config?

+7
reporting-services
source share
2 answers

We finally figured out the problem. Our network administrators disabled the double jump, so while the impersonation was correctly connected as domain\jmeyer , the application was still trying to connect to the SRS box using domain\web01$ . Why is he so tuned? Because a double jump is a massive security hole. (Or so they told me. Does it sound like something you would read on The Daily WTF ?)

Our solution was to create a common user domain\ssrs_report_services and connect to this user with the following network credentials

 public class CustomCredentials : IReportServerCredentials { public bool GetFormsCredentials(out Cookie authCookie, out string userName, out string password, out string authority) { authCookie = null; userName = password = authority = null; return false; } public WindowsIdentity ImpersonationUser { get { return null; } } public ICredentials NetworkCredentials { get { return new NetworkCredential("ssrs_report_services", "password", "domain") ; } } }

The above is a classic sample solution that you can find on all the internet.

+5
source share

A double jump is allowed - swith on Kerberos authentication ... (as long as it works correctly!)

+2
source share

More articles:


All Articles