Reporting Services 2008 - Anonymous Access
Hello, In SSRS 2005 I was able to grant anonymous access to my reports by changing the authentication mode for the Reporting Services virtual directory in IIS to Anonymous and then adding the 'account used for anonymous access' to the permissions on the appropriate Reporting Services directories (in report manager). Now with SSRS 2008 thereare no virtual directories in IIS. I tried to follow the instructions given: http://technet.microsoft.com/en-us/library/cc281310.aspx(Authentication Types in Reporting Services) Which instructed me to use the custom AuthenticationType, and following the instructions here: http://technet.microsoft.com/en-us/library/cc281383.aspx(How to: Configure Custom or Forms Authentication in Reporting Services) which just got mean error: The Authentication Extension threw an unexpected exception or returned a value that is not valid: . (rsAuthenticationExtensionError) Get Online Help For more information about this error navigate to the report server on the local server machine, or enable remote errors Any ideas on how to set up anonymous access to SSRS2008? Thanks for any time and help! -Tim
October 14th, 2008 12:08am

I have this issue also, so hopefully someone willpost ananswer soon. -Scott
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2008 12:54am

Refer to http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx
October 14th, 2008 12:59am

Thanks Neeraja for your response... I will attempt an implementation on a Virtual Machine. Though, I do notfeel comfortablecircumventing security features that Microsoft implemented in their SSRS 2008 product ( based on the first few paragraphs of your blog: http://blogs.msdn.com/jameswu/archive/2008/07/15/anonymous-access-in-sql-rs-2008.aspx) Let mesuggest a discussion point: I am having trouble understanding why Microsoft would eliminate any way of providing reports (view only) to anonymous users. Lets say a web developer(not an application developer) at my company wants to add a link to a static public web page thatgenerates a PDFof the current Schedule of Events Report based on information in a SQL database. We were previously able to do something like that using SSRS 2005. What does Microsoft/others suggest as a solution in such a case? Thank everyone for any and all help! -Tim
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2008 2:19am

Hi Tim, I am interested in your SSRS 2005 solution. Using IIS anonymous authentication, were you able to enable administrative capabilitieson certain accounts? The custom authentication extension solution in SSRS2008 can provide view only experience if the auth extension is coded that way. However I am trying to think of how you can enable an admin account in SSRS2008 and SSRS2005. Thanks! James, Oct. 13, 2008
October 14th, 2008 3:36am

James, I am not quite sure this will answer your question but here is how I setup my anonymous SSRS 2005 solution: 1) Standard install of SSRS 2005 (Integrated authentication) 2) In IIS, duplicate the ReportingServices virtual directoryand name itPublic 3) Under Public properties setDirectory Security - Authentication and Access Control -to Enable Anonymous access using the IUSR_<machine_name> account. Uncheck all other access types. 4) Using the report manager, set up a folder named Public, and added the IUSR_<machine_name> account to the Public directory role manager with a viewonly role. (Assuming you have already established a viewonly role as one with only the 'view reports' task enabled.) 5) Add any other types of administrative/developeraccounts NOTE: The public role only views reports directly from the public virtual directory via a URL. All developers and admins work with the public directory through the Report Manager or ReportingService directory (deploying reports etc.) Hope this helps. This is what I was hoping to be able to do in SSRS 2008... -Tim
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2008 6:50pm

Hi James, We are in a similar situation. Our servers are hosted offsite by a internet hosting company. We have two servers (Web and SQL servers). Currently, we have have two virtual IIS sites to RS 2005 using two ports on the SQL server. Port 83 is anonymous so that users can run the reportsfrom our web application (ASP 1.1 on Web server)in the internet. Port 85 is for administration (deployment of reports)and it is windowsauthenticated. We want to do the same setup in RS 2008. How can we do this with minimal change? Thanks
October 14th, 2008 7:06pm

It looks like what you have in common is a duplicate RM (report manager) virtual directory that have anonymous auth enabled. The problem is that in SSRS2008 you cannot duplicate virtual directories like you were able to on a general web server such as IIS. Unfortunately there isn't an easy alternative in SSRS2008. If you can afford to install a second instance and configure a web farm, you can make the second instance anonymous. Another solution is to create a front end application using the viewer control, and enable anonymous authentication there. I am not sure what we can do for SSRS2008. Please open an issue on http://connect.microsoft.com/. Let me know which route you decided to take.
Free Windows Admin Tool Kit Click here and download it now
October 14th, 2008 11:18pm

James, I have duplicated the ReportingServices virtual directory in SSRS 2005 as I do not care to have the public doing any browsing/managing of reports. But, regardless, your second paragraph describes the the SSRS 2008 conclusion that I have been coming to. I was in the processes of setting up a second instance of SSRS 2008 as discussed by Neeraja in his third post of this thread when I abandon it in favor of the idea of a public front end application using the Microsoft Report Viewer 2008 SP1 (09.00.30729.01). I assume this one is compatible with SSRS 2008. The idea being to create a default .net application in a 'PublicReporting' virtual directory which will be a simple implementation of the Report Viewer with the ability to accept the name of the public report, report parameters, and possibly any rendering options as POST/GET variables of the referring URL. In my case the report viewer default application will only display reports from a 'Public' folder on the Reporting Services Server, it will connect using the most restricted account available, and the account will only have access to that 'Public' folder. Any links or samples of report viewer code would be greatly appreciated, especially any that deal with authentication to SSRS 2008. If successful I will post my modest solution to the thread. Thanks for all help! -Tim
October 15th, 2008 2:53am

Tim I tried your solution worked great for a day. The next day I keep getting js error like'RsClientController' is undefinedand'ClientControllerReportViewerControl' is null or not an objectthe reports are being published directly from visual studio. I don't edit the code.Any idea about what is causing this error?Thanks
Free Windows Admin Tool Kit Click here and download it now
December 11th, 2008 5:54pm

I was able to mimic anonymous access via the application pool security credentials and report viewer inside my application.Here are the steps: I create a new user in my Windows 2008 server. (i.e. ReportingServices) Created a classic application pool, and assigned the identity execution to my new ReportingServices account in the server Associated the ReportingServices credential to a browser role inside the report server (http://localhost/Reports) for the report being rendered inside my asp.net application using the report viewer. (Folders above reports are still locked, so no browsing allowed) Disabled prompting for report parameters and desabled default values for paramters (can't render report from portal now) Set default parameter values via the parameter array of my report viewer. associated ASP.Net application to application pool being ran by my ReportingSevices credentials Successfully impersonated user in reporting services hence implementing quasi anonymous access. Hope this helps someone.
January 2nd, 2009 7:31pm

J C,Thanks for the detailed instructions!Worked fine for me.MP
Free Windows Admin Tool Kit Click here and download it now
January 16th, 2009 5:48am

JC, I try to apply the different step. I have a new user specific for the browse, i associed the ReportingServices credential to a browser role, but i don't not where we can set the parameter array and where i can associated ASP.NET application to application pool. have i to go in IIS ?? Thank for your reply ?Crafty
February 3rd, 2009 7:51pm

Yes, under IIS, there is an Application Pools section, expand that, find the application pool you assigned to your web application hosting your reports, and ensure that application pool's credetntials are the same you assigned to your browser role's account.In my case, I have an application at http://JC-VS2008/enGaugedTraining That enGaugedTraining virtual directory in IIS is being ran using the enGaugedTrainigAppPool clasic application pool, that assigned pool is using myJC-VS2008\ReportingServices credentials, so when the web application runs using the report viewer control, it uses the web applciation's credentials (via the app pool) to run the report, and since that credential is part of the role "browse" VOILA! you get impersonatedanonymous access. The parameter array is the list of parameters in the report which has been published, edit the report using the report server instance (in my case http://JC-VS2008/Reportsand select parameters, choose hide, and also uncheck "default" values if any for each parameter. This locks the report and prevents anyone outside the web application from running the report.J.C.
Free Windows Admin Tool Kit Click here and download it now
February 3rd, 2009 8:17pm

JC,Thank you for your reply. It's help me to set correct paramters for the reports.Finally i associated my associated ASP.NET to the application pool where i put the local user (right Browse in the report Manager).Now when i browse the report i have to prompt credentials. When i use the local user, i get the report correctly. But i would like not to have to prompt credential when i click on the link from my web application. I made a response.Redirect on the website and i used a specific user (who has the right browse) as you mentionned. Crafty.
February 4th, 2009 2:53pm

Ensure that inside the same folder, you create a shared data source with the impersonated user having security for it. Associate the report's data source with that new data source (and not the embedded one). When integrating the report from the application, make sure you use report viewer, and pass the parameter array to it. also The report pathin my case would be: http://JC-VS2008/Reports/Folder/ReportName?Parameters etc... the ReportViewer URL would be http://JC-VS2008/ReportServer/ Good luck
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2009 6:16pm

JC,thanks for your instructions.refer to your step 2, my problem is my intranet server and the sql server are separated. So is it means that i need to create a application pool on the intranet server? or sql server? yuen
February 20th, 2009 12:55pm

The application pool has to be on the server where ther web application hosting the reports is located. If you create a domain account, or an account that access to both servers, you should be able to give that account access to the sql server hosting the reportserver and reportservertempdb databases. In a escaled out scenario, you could intall reporting services portal on the web server, (DMZ)yet have the reporting services databases intalled in the sql server in the SQL server, configure the report server to run the dB of the sql server in the LAN. When configuring it, you should be able to set that accoutn with read access to the report server databases, and when the web application runnin under that app pool credentials loads the report, it will use the default credentials from the app pool
Free Windows Admin Tool Kit Click here and download it now
February 21st, 2009 2:53am

JC, Thanks for your reply. But i still no idea which server i need to create the application pool.for my case, my reportserver is in my sql server, i deployed all my reports to my sql server, and then i call the reports fromthe code which hosted at the web server. For reporting service 2005, i set the anonymouse access at the sql server -->IIS -->Reports.. and then it works. At my web server, i have a application pool "DefaultAppPool" which my web application "HR" belong to. but theapplication "HR" just have the code to call the reports,not ".rdl" files in this folder, all reports wasdeployed to the sql server. so i think i should set the application pool identity at the sql server, but at the sql server, via the IIS,i can not find any applications, where i can find he web application and assigned it to use the application pool which i created?
March 2nd, 2009 11:55am

JC,I check the solution on net and get following:----First create a class called ReportServerCredentials that implements the IReportServerCredentials interface. You will need to import System.Net and Microsoft.Reporting.WebForms to this class. Overload the New and GetFormsCredentials methods and the NetworkCredentials and ImpersonationUser properties. Here's a class that I use:Imports Microsoft.VisualBasicImports Microsoft.Reporting.WebFormsImports System.NetPublic Class ReportServerCredentials Implements IReportServerCredentials Private _userName As String Private _password As String Private _domain As String Public Sub New(ByVal userName As String, ByVal password As String, ByVal domain As String) _userName = userName _password = password _domain = domain End Sub Public ReadOnly Property ImpersonationUser() As System.Security.Principal.WindowsIdentity Implements Microsoft.Reporting.WebForms.IReportServerCredentials.ImpersonationUser Get Return Nothing End Get End Property Public ReadOnly Property NetworkCredentials() As ICredentials Implements Microsoft.Reporting.WebForms.IReportServerCredentials.NetworkCredentials Get Return New NetworkCredential(_userName, _password, _domain) End Get End Property Public Function GetFormsCredentials(ByRef authCookie As System.Net.Cookie, ByRef userName As String, ByRef password As String, ByRef authority As String) As Boolean Implements Microsoft.Reporting.WebForms.IReportServerCredentials.GetFormsCredentials userName = _userName password = _password authority = _domain Return Nothing End FunctionEnd ClassNext, in the OnLoad of your page with the ReportViewer control, create a new instance of your ReportServerCredentials (I use values stored in AppSettings). Then assign your object to the ReportViewer control's ServerReport.ReportServerCredentials property. Dim cred As New ReportServerCredentials(ConfigurationManager.AppSettings("MyStoredUser"),_ ConfigurationManager.AppSettings("MyStoredPassword"), _ ConfigurationManager.AppSettings("MyStoredDomain")) MyReportViewerControl.ServerReport.ReportServerCredentials = cred---I try it but get following errorCompiler Error Message: BC30002: Type 'IReportServerCredentials' is not defined.Do you think it is a possible way for Reporting Service 2008? if yes, what lead to the error? thanks in advance.
Free Windows Admin Tool Kit Click here and download it now
March 2nd, 2009 12:04pm

Can you please tell me step by step how you used to carry out the Anonymous access task in SQL 2005. I am absolutely clueless about it. Will be great if you could tell me step by step... This is really urgent.Thanks.
May 24th, 2009 11:08am

Is not access to SQL 2005, but to Reporting Services wihtin SQL 2008/2005. The first post in this thread tells you the steps for anonymous access to Reporting Services in 2005. Enable anonymous access in the web application (IIS) rendering the reports, and give that account browser access to the report in Reporting Services via the portal (i.e. http://localhost/Reports )
Free Windows Admin Tool Kit Click here and download it now
May 26th, 2009 12:53am

Sitting with the same problem Has Microsoft not yet learnt their lesson from VISTA Give the people what they want They can develop a service pack to enable Anonymous Access, but they wont They think they know what you need This same problem has been asked to be rectified since 2005 My AA reports where running fine with 2005 My initial test of 2008 is brilliant work guys It`s a pity that disabling AA went and messed up the product I work for a government department and we have six servers to upgrade My report will state We will be sticking to 2005 Lets hope and pray the developers get a patch out to correct this Cheers
July 7th, 2009 11:05am

James not all guys are as learned So a request to all Guys Put down detailed instructions for the novice from A to Z Or have a seperate web site detailing all your instructions
Free Windows Admin Tool Kit Click here and download it now
July 7th, 2009 11:08am

RubSay It all lies in your Internet Information Server The Web Sites ,Default Web Site , Report Server and Reports You have to go to properties of each on Choose directory security And edit the anonymous access
July 8th, 2009 12:47pm

J C, Thanks for the helpful info. I'm attempting to configure SSRS 2008 with anonymous access using the technique you described above. I'll admit I'm a bit of a novice but I thought I understood the concept of what you outlined. Apparently, I'm missing something, however, because I can't seem to get it to work. One possibility, however, is that our application is a php application, not a .net application. I'm wondering if that makes any difference. I've configured the php web app pool to impersonate the windows account that has access to the report server folders. In the php page, we have a query which selects a list of reports from the ReportServer.Catalog table using some filter criteria to narrow the list of available reports. Each report is presented as a link. By clicking the link and providing the proper credentials, the user will open the report viewer and run the report. We are trying to eliminate the credentials prompt and go straight to the report viewer but nothing seems to work. I'm not thrilled with enabling anonymous access completely but rather impersonate it using your described method. Any suggestions would be GREATLY appreciated! Doug
Free Windows Admin Tool Kit Click here and download it now
June 19th, 2010 7:30pm

Jakes, In ReportServer 2008, the Virtual Directories do not appear within IIS, otherwise Im sure we would've all figured it out by now :) eHusband
August 13th, 2010 3:16am

Hi Tim, I configured your anonymous SSRS 2005 solution and it is working, but I still have a little issue. Did you try to pass parameters via URL? I tried in the same way as you can do it in the report server. Example: http://servername/public/Pages/Report.aspx?ItemPath=/Public/ReportName&rs:Command=Render&rc:parameters=false&ParameterName=ParameterValue It opens the report but it does not recognize the parameters specified in the url and it does not hide the parameters section. So, I will appreciate if you or somebody else have found a solution for that. Thanks
Free Windows Admin Tool Kit Click here and download it now
September 3rd, 2010 11:02pm

Hi, I resolved my problem, I had the "Public" virtual directory mapping to the Report Manager with anonymous access such as Tim mentioned in his SSRS 2005 solution, but the Report Manager does not recognize the parameters sent by URL, then I mapped the "Public" virtual directory to the Report Server instead of Report Manager and it worked!!!. Now, I have my reports working with anonymous access and I can call them using URLs. Regards
September 14th, 2010 9:31pm

J C, how would I modify your method to apply to the ReportServer only and leave Reports as is?
Free Windows Admin Tool Kit Click here and download it now
March 19th, 2011 5:19pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics