Displaying SSRS Reports
-
hello all. I've got a ssrs 2008 question that has been bugging me for a couple of months. I have built a site for my HR department that takes in applications. HR takes the information and needs to send it to Directors and Supervisors in an application-style form. I was planning on using SSRS mainly because I can just render the application in a pdf by just using the url, which HR could just email to whomever they want to. This would all work fine if all of our HR employees were on the same domain, but they are not and the system admins for some of the domains don't want to build a trust to us, so I can't just tie their domain account to the security of the application report (some of our sites may not even have people on domains). What I was looking for was a way to have an account on the server itself be the one to run the report so that the user wasn't prompted for login credentials when they looked up an application.
-
hello all. I've got a ssrs 2008 question that has been bugging me for a couple of months. I have built a site for my HR department that takes in applications. HR takes the information and needs to send it to Directors and Supervisors in an application-style form. I was planning on using SSRS mainly because I can just render the application in a pdf by just using the url, which HR could just email to whomever they want to. This would all work fine if all of our HR employees were on the same domain, but they are not and the system admins for some of the domains don't want to build a trust to us, so I can't just tie their domain account to the security of the application report (some of our sites may not even have people on domains). What I was looking for was a way to have an account on the server itself be the one to run the report so that the user wasn't prompted for login credentials when they looked up an application.
If you are using the server component of SSRS then I'm pretty sure you cannot allow anonymous connections, valid credentials are (should) always required by an internal server. However there is no reason you can't host the reports in a separate aspx application using the internal app credentials to contact the server. You could also change the reports to RDLC and embed them in an aspx application where the app fetches the data and supplies the viewer the RDLC file and the dataset, this requires the aspx app to have database credentials but not the end user. Both solutions are terribly insecure and you need to carefully consider the business implications.
Never underestimate the power of human stupidity RAH
-
hello all. I've got a ssrs 2008 question that has been bugging me for a couple of months. I have built a site for my HR department that takes in applications. HR takes the information and needs to send it to Directors and Supervisors in an application-style form. I was planning on using SSRS mainly because I can just render the application in a pdf by just using the url, which HR could just email to whomever they want to. This would all work fine if all of our HR employees were on the same domain, but they are not and the system admins for some of the domains don't want to build a trust to us, so I can't just tie their domain account to the security of the application report (some of our sites may not even have people on domains). What I was looking for was a way to have an account on the server itself be the one to run the report so that the user wasn't prompted for login credentials when they looked up an application.
This is a tricky situation, all these different domains have to build some kind trust or all the users who would be accessing these reports can be moved to a different domain altogether which you can use in your application. In that case you can give access to the users of this New domain. There is not shortcut here which can resolve this, either you use trusted users or use a proxy user to fetch reports for all the users consuming these reports. Hope it helps... With kudos, Pradeep
-
This is a tricky situation, all these different domains have to build some kind trust or all the users who would be accessing these reports can be moved to a different domain altogether which you can use in your application. In that case you can give access to the users of this New domain. There is not shortcut here which can resolve this, either you use trusted users or use a proxy user to fetch reports for all the users consuming these reports. Hope it helps... With kudos, Pradeep
Using a proxy user, how would I do that? Could I use a service account on the server to run those reports?
-
Using a proxy user, how would I do that? Could I use a service account on the server to run those reports?
Yes...that's how you can achieve it. Meanwhile I got one more option in case if you are using SQL Server 2008 R2, you can create a subscriber database for the users who would access these reports and link all of them with your reports...this is something you can try....I would post some more details once I get more insight on this.... http://msdn.microsoft.com/en-us/library/ms169673.aspx[^] with kudos, Pradeep
-
Yes...that's how you can achieve it. Meanwhile I got one more option in case if you are using SQL Server 2008 R2, you can create a subscriber database for the users who would access these reports and link all of them with your reports...this is something you can try....I would post some more details once I get more insight on this.... http://msdn.microsoft.com/en-us/library/ms169673.aspx[^] with kudos, Pradeep
that crossed my mind, but would that work if I'm using form auth?
-
that crossed my mind, but would that work if I'm using form auth?
Yes it would...no issues with that.. ASP.NET - Forms authentication user impersonation[^] there are plenty of other ways too to impersonate... With kudos, Pradeep
modified on Monday, August 8, 2011 3:59 PM
-
that crossed my mind, but would that work if I'm using form auth?
I was not able to edit the existing reply...here is sample code: Use this in the web.config: <forms name="Testproject" path="/" loginUrl="~/Login.aspx" protection="All" timeout="20" requireSSL="false" slidingExpiration="true" defaultUrl="Home.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" /> </authentication> <authorization> <deny users="?"/> </authorization> <identity impersonate="true" userName="domain\user" password="xyz@123"/> with kudos, Pradeep
-
I was not able to edit the existing reply...here is sample code: Use this in the web.config: <forms name="Testproject" path="/" loginUrl="~/Login.aspx" protection="All" timeout="20" requireSSL="false" slidingExpiration="true" defaultUrl="Home.aspx" cookieless="UseDeviceProfile" enableCrossAppRedirects="false" /> </authentication> <authorization> <deny users="?"/> </authorization> <identity impersonate="true" userName="domain\user" password="xyz@123"/> with kudos, Pradeep
No offense, but most production systems that I've ever worked on would consider embedding a password in plain text in a file, a security violation and not allow it. Even if that file is on a server with access permissions. :)
Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]
-
No offense, but most production systems that I've ever worked on would consider embedding a password in plain text in a file, a security violation and not allow it. Even if that file is on a server with access permissions. :)
Chris Meech I am Canadian. [heard in a local bar] In theory there is no difference between theory and practice. In practice there is. [Yogi Berra] posting about Crystal Reports here is like discussing gay marriage on a catholic church’s website.[Nishant Sivakumar]
I agree Chris..this was just to show how impersonation can be done using Forms authentication. This section can be easily encrypted using one of these methods: http://msdn.microsoft.com/en-us/library/zhhddkxy.aspx[^] Thanks for raising the point tough... with kudos, Pradeep