Testing SQL Report environment
Hi,
SQL Server 2008 Express R2 is actually deployed on my computer. From SQL Server Management Studio, I actually connect to Server using default Server name and Windows Authentication.
I've also bought Paul Turley's "SQL Server 2008 Reporting Services" book. To test if Reporting Services is well deployed, this book suggest to enter the following URL from within Internet Explorer:
http://localhost/reports_SQLEXPRESS
Which I did. It gives me a login window. As I configured SQLServer 2008 with Windows authentication, I finally don't know what infos to give for Username and password.
Can someone help?
Thanks in advance.
May 16th, 2011 4:03pm
Hallo Stephane,
what error message will you get with the following request:
http://localhost/reportserver_SQLExpressUwe Ricken
MCIT Database Administrator 2005
MCIT Database Administrator 2008
MCTS SQL Server 2005
MCTS SQL Server 2008, Implementation and Maintenance
db Berater GmbH
http://www-db-berater.de
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 7:04am
Hi,
You can give your Administrator credentials.MSBI Developer
May 17th, 2011 7:29am
Hi Uwe,
I've typed "http://localhost/reportserver_SQLExpress" from IE9 and got a login window. I specified my name (which btw is specified as administrator on my computer and also as a user connection
for SQL Server 2008 Express R2) but without any pasword considering that this login to SQL Server is using no password but rather "windows authentication". This is as far as I can get... Can you help?
BTW, I remember having seen once a window about intranet authorisation or not. What is this for?
Just sad that I can't include any "printscreen" of what I actually have on screen...
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 9:47pm
You have to enter a valid password as well. Please try that and let us know.
May 17th, 2011 10:15pm
Hi Shahfaisal,
As stated in my earlier post, I log to SQL Server using windows authentication. So, unless there is something I do not understand, I do not specify any password.
Using SQL Server Management Studio, when I look at Security/Logins, I can see the login name I'm using and can confirm it is configured for "Windows Authentication". No password is specified for this login.
Am I missing something?
As a recall, I'm using SQL Server 2008 R2 Express edition. My O/S is VISTA SP2 Ultimate edition. The account I'm using is configured as administrator.
THanks for helping,
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 11:35pm
You won't be able to get in if you don't provide a password. Once you are in, go to Internet Options > Security > click on Custom Level and under User Authentication check the option Automatic logon with current username and password
to avoid the login prompt in the future.
May 18th, 2011 8:13am
Hi again,
1. I changed IE9 options following your advice. I changed Internet Options ->Options -> Security -> User Authentication
I changed it to "Automatic logon with current username and password"
(in french: "Connexion automatique avec le nom d'utilisateur et le mot de passe actuel"
Originally this same item was set to "Automatic logon only in intranet zone" (sorry if bad translation...)
(in french: "Connexion automatique uniquement dans la zone intranet")
Question: Before going on, after replacing this option, can you tell me what change I should see while using IE9 (behavior, security, etc.)?
2. Once option replaced, I then tried again under IE9:
a.
http://localhost/reports_SQLEXPRESS b. "http://localhost/reportserver_SQLExpress"
Both now give me an error telling that my username doesn't have sufficient privileges (rsAccessDenied).
BTW, actually using SLQ Server Management Studio, my username has the following server roles checked:
- public
- sysadmin
Where should I go next?
THanks again for helping.
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 10:23am
SSRS security is different from SQL Server security.It doesn't really matter if you have sysadmin rights on SQL Server, you need to have rights to SSRS server.
It seems that you don't have sufficient rights on the report server. Can you right-click IE and do a "Run as Administrator"?
May 18th, 2011 10:35am
Hi again,
As suggested, I ran IE9 as "administrator" and tried again:
http://localhost/reports_SQLEXPRESS
I have a page displayed with "SQL Server Report Services" + "Dossier racine" (probably "Root folder" in English) as page title along with a couple of menu items
"Nouveau Dossier", "Nouvelle source de données", "Paramètres du dossier", "Télécharger un fichier" (probably "New folder", "New datasource", "Folder parameters", "File transfer" in English). It also reports that I don't have
any element in root folder. Sounds good to me!
http://localhost/reportserver_SQLExpress
This one is displaying "localhost/ReportServer_SQLEXPRESS - /" along with "Version 10.50.1600.1 de Microsoft SQL Server Reporting Services". Sounds good
too!
In conclusion, I would say that my SQL Server Reporting Services environment is working correctly. Isn't it?
Now, considering the fact I could get results only while running IE as administrator, if I ever run C# apps which produce reports invoking this SS2008 Report server, will it work without problem or will I have to use special settings?
Thanks again for helping,
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 11:41am
Glad to be helpful.
When you run IE as administrator, give yourself and the required users/groups
the required permissions on all the reports/folders and you should be good to go.
May 18th, 2011 12:01pm
Hi again,
To be honest, I'm not quite familiar with this technology. That is why I bought books to learn more about it. I already programmed a few C#/C++ apps but didn't experiment any reports invoking Report Server yet.
Excuse if my question is silly, but when my C#/C++ app "call" a report related to Report Server is that same report displayed using IE or simply within my C# app's "reportviewer" window?
If it is from IE, it means that my C# app will have to start IE in administrator mode. Isn't it? How to do it? I definitely don't have a clue...
Finally, when you say "give the required permissions on all reports/folders" can you elaborate?
Thanks again for helping,
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 12:18pm
It depends on how you design your C#/C++ application. I'd suggest you to first get your feet wet with Reporting Services architecture and then dive deep as needed.
To get you started with security, refer to the following articles -
http://technet.microsoft.com/en-us/library/aa337491(SQL.90).aspx
http://searchsqlserver.techtarget.com/tip/Managing-permissions-in-SQL-Server-Reporting-Services
I hope that helps.
May 18th, 2011 12:30pm
Hi again,
Many thanks for helping out. I will certainly do my homeworks and learn more about those settings.
As I did so far using other programming platforms, I would certainly like to build applications which will manage everything from the "inside". What I mean is that I would like reports definition to be embedded within application not
"saved" within SQL Server itself. Most of the people/customers I'm dealing with do not have any computer department but deal instead with external firms for any problems/needs they have. Because of that, I must deliver applications that are
easy to deal with and which require minimum configuration as possible.
If you have any recommendation or articles regarding this kind of setup, please let me know!
I think we can now close this case. I could finally accomplish my first goal which was to verify that my Report Server environment was settled properly. Which is finally the case.
Thanks again for helping,
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 1:18pm
create a new user account in you server.
access to your http://localhost/reports_SQLEXPRESS (as admin user), in the site configuration set your new user and assign some privileges.
go to home(in http://localhost/reports_SQLEXPRESS) then access the folder config in the security section set the new user and assign privileges.
now when you access your report you can use another user and the contained folders will take this privileges configuration too.
I´m not sure if it affects your previous deployed reports and datasources, you could double check this or delete them and redeploy your project.
NOTE: in ssrs configuration manager, Execution section you can set a user and password who will be used to report execution.
look for "ssrs config manager" from your start menu.
if you activate this options all request will be executed as this user, it has to be a valid pc or domain user.
finally from your c# proyect you can configure network credentials with your new user account to access a report through internet.
good luck.
me.
May 18th, 2011 1:21pm
Hi ImegaI,
I've started IE 9 as administrator, then typed http:://localhost/reports_SQLEXPRESS.
- In "Paramètres du site", within "Securité" tab, I created my user account with all privileges checked:
- System Administrator
- System user
- Finally, going back to main screen, in "Paramètres du dossier", I created again my same user account with the following privileges checked:
- Browser
- Content Manager
- My Reports
- Publisher
- Report Builder
When deploying application on customer's site, does it mean I will have to create, if none were already created, those same accounts?
Now for the next part, involving SSRS Configuration manager, I completely lost you. Can you elaborate? Where can I find it?
Thanks for helping,
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 4:17pm
Hi again,
One question which is still unanswered. As a recall, as suggested, I changed IE9 options regarding login procedures.
I went through Internet Options ->Options -> Security -> User Authentication then changed it to "Automatic logon with current username and password"
(in french: "Connexion automatique avec le nom d'utilisateur et le mot de passe actuel")
Originally this same item was set to "Automatic logon only in intranet zone" (sorry if bad translation...)
(in french: "Connexion automatique uniquement dans la zone intranet")
My question was: After replacing this option, can you tell me what will be the impact when using IE9 (behavior, security, etc.)?
Checking setup on other computers, I could conclude that "Automatic logon only in intranet zone" (sorry again if bad translation...)
(in french: "Connexion automatique uniquement dans la zone intranet") was the default setting?
Thanks again for helping,
Stéphane
May 18th, 2011 4:28pm
My question was: After replacing this option, can you tell me what will be the impact when using IE9 (behavior, security, etc.)?
I believe it should be the same. Users using IE9 should be able to get in without the login prompt.
Free Windows Admin Tool Kit Click here and download it now
May 18th, 2011 6:06pm
hi,
this security configuration is to grant access to your pc/network/domain users, and it´s still good for a few users.
since your goal it´s is to provide the reports through your own web application(i presume),
my recomendation is:
Set your own security layer in you web app(meaning you have to create a user, pass, role/rights management).
then you can use this only one new user(in ssrs server) to access all the reports (again managing all the security and privileges in your own app)
how? overriding your network credentials(in your web app) with this "ssrs user" name and password.
this way every request you make to the ssrs service will be identified as a valid user.
the note you were lost at was to execute all reports with only one account wich you have to configure in the ssrs configuration manager itself.
you can find it in your ssrs server start (windows) -> all programs-> mssql server 2008 r2-> configuration tools -> reporting service configuration manager.
it has an "execution account" section, there you can set your "For all reports requests" user account and you will be no ask for privileges at ssrs anymore,
but datasources can be set with credentials, and this can be in your way, so be careful with the way you use it.
by the way: i´m not an expert in ssrs i just though i had a clue about what you wanna do.
i hope this helps.me.
May 19th, 2011 12:48pm
Hi ImegaI,
BTW, I expect to build only windows apps not web apps. Does it make a difference when assigning credentials? I don't know. Maybe you can tell.
I'm not familiar in setting any security layer within an app, neither overriding network credentials in that same app. Any good article I could read?
When I create/build my windows application, do I still need to assign it that same user account? Or whenever it calls a "built-in" report, will it at this moment use the global user account created in #1?
I would like to open a parenthesis.
Normally access to my apps is controlled by using a username and password. Each user is configured with a "profile" indicating what he/she can/cannot do within application. The way I control access is very "granular". I mean, as an example,
my user might be able to add/modify "customers" but not delete any of them. I could also allow him/her to print a specific report but not another one. You probably get the picture.
By configuring my profiles this way, I can easily name an "administrator" who, with minimum knowledge, can control access to the application.
Parenthesis closed!
To get back to your instructions, I would conclude that assigning security to control access of my windows applications is maybe useless in my case. Your opinion?
So, if my understanding is ok, what I finally have to do:
- create a global user account in Windows. I specify all privileges I need for this account.
- Normally, if I use that same account to run all my apps, I must give it the following privileges:
- run application itself without
any other rights (move, delete, rename, etc...).
- rights to write/update any database
files. Can it presents security problems?
- I understand that I will have to set
privileges for each and every files accessed by my global account
(including program itself
as well as database files). How is it done for SQL Server database files?
- assigning in SSRS that same user account/profile for all reports
- Configure SSRS so that it runs reports for every users without exception. If my understanding is OK, what I must do:
1- start (windows) -> all programs-> mssql server 2008 r2-> configuration tools ->
reporting service configuration manager
2- Use this new account in SQL Server 2008 R2 Reporting Services Manager/Execution Account.
- execute all my windows apps using that same specific user account.
What would be the best way to do it? I know how to run it as an administrator.
How can I run those same apps but using a specific user account?!? I honestly don't know.
Is my understanding still ok?
Finally, in SSR2 Configuration Manager, what is the "service" account used for? Must I configure it too? What is the difference between that account and the "execution" account?
Sorry for so many questions. I'm really new to all this.
Thanks for your help and patience.
Stéphane
Free Windows Admin Tool Kit Click here and download it now
May 20th, 2011 2:15am
Hi Stephane,
For a new question, please post it in a new thread. It will benefit other community members who have the similar issue with you.
For more information about Service Account and Execution Account, please refer to these articles below:
http://msdn.microsoft.com/en-us/library/ms189964.aspx
http://msdn.microsoft.com/en-us/library/ms181156.aspx
Thanks,
Bin Long
May 25th, 2011 11:38pm
Hi Stephane,
For a new question, please post it in a new thread. It will benefit other community members who have the similar issue with you.
For more information, please refer to these articles below:
Service Account (Reporting Services Configuration)
Execution Account (Reporting Services Configuration)
Thanks,
Bin Long
Free Windows Admin Tool Kit Click here and download it now
May 25th, 2011 11:39pm
sorry for the spagetti but it´s too large to consider it one alone question...
Hi ImegaI,
BTW, I expect to build only windows apps not web apps. Does it make a difference when assigning credentials? I don't know. Maybe you can tell.
i think there is nothing different, since you are actually creating an app wich later will consume a service, and for that purpouse your app must make a "login" to that service(ssrs)
I'm not familiar in setting any security layer within an app, neither overriding network credentials in that same app. Any good article I could read?
Since my approach was more a web one my intention was to provide you a shortcut for that purpouse membership and role are more an asp matter.
When I create/build my windows application, do I still need to assign it that same user account? Or whenever it calls a "built-in" report, will it at this moment use the global user account created in #1?
you are using a "report viewer" usercontrol with properties where you set server, report path, user and password, those properties can be set at design or runtime, once you set that properties you can call that "configured user has rights to request".
I would like to open a parenthesis.
Normally access to my apps is controlled by using a username and password. Each user is configured with a "profile" indicating what he/she can/cannot do within application. The way I control access is very "granular".
I mean, as an example, my user might be able to add/modify "customers" but not delete any of them. I could also allow him/her to print a specific report but not another one. You probably get the picture.
By configuring my profiles this way, I can easily name an "administrator" who, with minimum knowledge, can control access to the application.
Parenthesis closed!
the abobe text describes well what a security layer is =)
To get back to your instructions, I would conclude that assigning security to control access of my windows applications is maybe useless in my case. Your opinion?
i don´t follow you in this comment, but i cant tell you to use or not a secure access in your app, that is something you must choose.
So, if my understanding is ok, what I finally have to do:
- create a global user account in Windows. I specify all privileges I need for this account.
- Normally, if I use that same account to run all my apps, I must give it the following privileges:
- run application itself without any other rights (move, delete, rename, etc...).
- rights to write/update any database files. Can it presents security problems?
- I understand that I will have to set privileges for each and every files accessed by my global account
(including program itself as well as database files). How is it done for SQL Server database files?
- assigning in SSRS that same user account/profile for all reports
- Configure SSRS so that it runs reports for every users without exception. If my understanding is OK, what I must do:
1- start (windows) -> all programs-> mssql server 2008 r2-> configuration tools -> reporting service configuration manager
2- Use this new account in SQL Server 2008 R2 Reporting Services Manager/Execution Account.
- execute all my windows apps using that same specific user account.
What would be the best way to do it? I know how to run it as an administrator.
How can I run those same apps but using a specific user account?!? I honestly don't know.
Is my understanding still ok?
you need a windows user account of course
you will need to grant access and privileges to that user in your ssrs
the account you use to access your sql can be configured in the datasource in your report project
that same specific user account it is what i meant for "overriding network credentials" as you use a specific user to access the service it can be the same in the actual windows session or another one.
Finally, in SSR2 Configuration Manager, what is the "service" account used for? Must I configure it too? What is the difference between that account and the "execution" account?
when you put your http://server:8080/reports/ in your browser, you challenge a user password pop up from ssrs, then if you configure this execution account, this account will challenge ssrs for any
access request( comming from your browser or your windows app)
Sorry for so many questions. I'm really new to all this.
Thanks for your help and patience.
Stéphane
i hope this helps.me.
June 2nd, 2011 7:42pm
sorry for the spagetti but it´s too large to consider it one alone question...
Hi ImegaI,
BTW, I expect to build only windows apps not web apps. Does it make a difference when assigning credentials? I don't know. Maybe you can tell.
i think there is nothing different, since you are actually creating an app wich later will consume a service, and for that purpouse your app must make a "login" to that service(ssrs)
I'm not familiar in setting any security layer within an app, neither overriding network credentials in that same app. Any good article I could read?
Since my approach was more a web one my intention was to provide you a shortcut for that purpouse membership and role are more an asp matter.
When I create/build my windows application, do I still need to assign it that same user account? Or whenever it calls a "built-in" report, will it at this moment use the global user account created in #1?
you are using a "report viewer" usercontrol with properties where you set server, report path, user and password, those properties can be set at design or runtime, once you set that properties you can call that "configured user has rights to request".
I would like to open a parenthesis.
Normally access to my apps is controlled by using a username and password. Each user is configured with a "profile" indicating what he/she can/cannot do within application. The way I control access is very "granular".
I mean, as an example, my user might be able to add/modify "customers" but not delete any of them. I could also allow him/her to print a specific report but not another one. You probably get the picture.
By configuring my profiles this way, I can easily name an "administrator" who, with minimum knowledge, can control access to the application.
Parenthesis closed!
the abobe text describes well what a security layer is =)
To get back to your instructions, I would conclude that assigning security to control access of my windows applications is maybe useless in my case. Your opinion?
i don´t follow you in this comment, but i cant tell you to use or not a secure access in your app, that is something you must choose.
So, if my understanding is ok, what I finally have to do:
- create a global user account in Windows. I specify all privileges I need for this account.
- Normally, if I use that same account to run all my apps, I must give it the following privileges:
- run application itself without any other rights (move, delete, rename, etc...).
- rights to write/update any database files. Can it presents security problems?
- I understand that I will have to set privileges for each and every files accessed by my global account
(including program itself as well as database files). How is it done for SQL Server database files?
- assigning in SSRS that same user account/profile for all reports
- Configure SSRS so that it runs reports for every users without exception. If my understanding is OK, what I must do:
1- start (windows) -> all programs-> mssql server 2008 r2-> configuration tools -> reporting service configuration manager
2- Use this new account in SQL Server 2008 R2 Reporting Services Manager/Execution Account.
- execute all my windows apps using that same specific user account.
What would be the best way to do it? I know how to run it as an administrator.
How can I run those same apps but using a specific user account?!? I honestly don't know.
Is my understanding still ok?
you need a windows user account of course
you will need to grant access and privileges to that user in your ssrs
the account you use to access your sql can be configured in the datasource in your report project
that same specific user account it is what i meant for "overriding network credentials" as you use a specific user to access the service it can be the same in the actual windows session or another one.
Finally, in SSR2 Configuration Manager, what is the "service" account used for? Must I configure it too? What is the difference between that account and the "execution" account?
when you put your http://server:8080/reports/ in your browser, you challenge a user password pop up from ssrs, then if you configure this execution account, this account will challenge ssrs for any
access request( comming from your browser or your windows app)
Sorry for so many questions. I'm really new to all this.
Thanks for your help and patience.
Stéphane
i hope this helps.me.
Free Windows Admin Tool Kit Click here and download it now
June 2nd, 2011 7:42pm