SQL 2008 Reporting Services Authentication

Question

In SQL 2005 Reporting services we were able to spoof a user when calling a report. This doesn't seem to work in 2008 and the technet articles that appear relevant seem to be implying that you need to create a seperate security extension( Technet Article )if you're wanting to expose reports to the internet. Is this what people are using in production? Or is this simpler than I'm makint it out to be?

Answer 1

Simple Solution

1. in the rsreportserver.config add in the the Windows Basic Authentication:
2. Install apache >= 2.2 in the same machine (use other port than 80 for ReportServer) or on a other machine
3. activate mod_prox_http
4. Create a Browser User for Reporting service (for example "reportusr" with password "this@yourMachinepassw0rd")

5. define in http.conf

   ProxyPass http:///ReportServer ProxyPassReverse http:///ReportServer AuthBasicFake reportusr this@yourMachinepassw0rd Order deny allow Allow from all

Now you can access the reportserver and all Reports over the apache Webserver with no authentication, because always the AuthBasicFake user connects to the reportServer with BasicAuthentication

Answer 2

Not sure what you mean by "spoof a user".

Every version of SSRS to date has used Windows Authentication as the default (and in fact the only "out of the box") authentication scheme. If you wanted to do Forms Authentication you have always had to write your own Custom Authentication Module.

I have done both in Production environments depending on the situation, and their sample is a very good place to start building your own custom auth module