401 error, double hop issue
the pita...
we got 2 servers, both are win 2008; iis 7 win app (asp.net), ssrs+db on another (10.50.1600.1)
we got a web app that will invoke the ssrs web service.
using ntlm
it worked fine if i test it on the web/app server
if i test from another pc/client, it failed with 401
I have been digging through the net, gone through the help, all of it telling me it's the double hop issue with ntlm
I followed all the guides, ensured asp.net impersonate is on, auth is windows/ntlm
chk the config of the ssrs, using RSNego + RSNTLM
the ssrs is running with LocalSys
even tested and trialed a bunch of stuff, nothing worked, the diff is I may get err 500 with a specific config test, but the rest just come back 401
the only things i didn't try:
- using the admin script to set NTLM for all the web sites on ssrs
i don't want it to affect any other sites, doesn't look like the correct way to do it
- the setspn
afaik, this is only applicable if i'm using a specific nt domain acct, but the ssrs is running with localSys, I tried with NetworkSvc but got an issue with providing pwd, so i skipped this NetworkSvc trial
I'm not the network admin, I presume the Kerberos is at work. is there a way i can test whether the K is working?
May 22nd, 2011 10:42pm
You should be able to find out in the event viewer of the IIS server whether authentication is through Kerberos, but I doubt that's the case. Assuming NTLM, yes, you have a double hop issue. NTLM simply won't allow the user credentials to be passed beyond the first hop. If you want to use Kerberos, you'll also need to set up delegation of identities to make sure identities can be delegated from IIS to SSRS. This would be a hard route because it requires domain admin privileges.
You can also just hard code one single user's credentials for access to the SSRS web service from IIS. This doesn't let you fine-tune your access permissions with the different users, but it does make your second hop another first hop, which eliminates your problem. If you absolutely need to impersonate, then I'm afraid Kerberos is the only route.
Cephas Lin
This posting is provided "AS IS" with no warranties.
May 23rd, 2011 1:58pm
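Added example (not part of the thread and not written by either poster): besides the event viewer, the mechanism actually negotiated on the client-to-IIS hop can be read from the `Authorization` header in an HTTP trace. The sketch below assumes you have copied that header value from a trace tool; the function name, the heuristic byte matching and the sample headers are constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"  # signature that opens every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2, Kerberos V5
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2, legacy MS Kerberos
)
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}


def classify_authorization(header_value):
    """Return (mechanism, detail); heuristic matching, not a full ASN.1 parse."""
    scheme, _, blob = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme not in ("ntlm", "negotiate"):
        return ("other", scheme or "empty")
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid", "token is not valid base64")
    pos = token.find(NTLMSSP_SIG)
    if pos != -1:
        # NTLM, raw or wrapped in SPNEGO; the message type follows the signature
        if len(token) < pos + 12:
            return ("ntlm", "TRUNCATED")
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        return ("ntlm", NTLM_TYPES.get(msg_type, "UNKNOWN"))
    if token[:1] == b"\x60" and any(oid in token for oid in KRB5_OIDS):
        return ("kerberos", "GSS-API token with a Kerberos mechanism OID")
    return ("unknown", "no NTLMSSP signature or Kerberos OID found")


def _hdr(scheme, raw):
    return scheme + " " + base64.b64encode(raw).decode()


# Constructed sample headers (stubs, not real tickets or captured traffic)
SAMPLES = {
    "ntlm_type1": _hdr("NTLM", NTLMSSP_SIG + struct.pack("<II", 1, 0)),
    "negotiate_ntlm_type3": _hdr("Negotiate", NTLMSSP_SIG + struct.pack("<I", 3) + b"\x00" * 52),
    "negotiate_kerberos": _hdr("Negotiate", b"\x60\x82\x05\x00" + SPNEGO_OID + KRB5_OIDS[0] + b"\x00" * 32),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, classify_authorization(value))
```

A result of `ntlm` on a `Negotiate` header means the client fell back to NTLM inside Negotiate, so the double hop limitation described in the answer above still applies to that request.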
our sys admin has enabled the trust delegation for the kerberos on the 2 servers over http services.
then i modified the ssrs config rsreportserver.config to test with only RSKerberos, or RSWindowsNTLM (2 diff setups)
but still no good, anonymous id is being used.
the next steps to diagnose the kerberos thing are just plain tedious, as this is a product we are developing, we don't want the customer to suffer over this.
our next plan, deploy ssrs on the same box as the web/app.
initial test result is positive.
we will stick to this workaround.
May 24th, 2011 6:09am