| Groups | Blog | Home |
sql server reporting services : Forms Authentication, LogonUser, and certificates
Here's the setup: We have thatken the forms authetication example and have modified it to suit our needs, and it works fine (no SSL at this point). Now, we want to make our application available over the Internet, so we have gotten a certificate from VeriSign and turned on SSL - the application works fine. The snag comes in with trying to access the Report Manager (even from the machine it is installed on). When I debug using Visual Studio, the problem occurs in the UILogin.aspx when calling the ReportingService's LogonUser class. The error that is reported is "The underlying connection was closed: Could not establish trust relationship with remote server." It seems like the cetificate is not being accepted by the reporting service. From reading this forum, I understand that the URL of the ReportingService object should be set to "https://<machine_name>/ReportServer/reportservice.asmx". However, our certificate from VeriSign has our production website name, which obviously does not match the machine name. Could this be causing the problem? If so, is there a way around this? We do NOT want the Report Manger available over the internet, just locally. A hokey solution is OK, as long as it keeps the Reporting Service secure. I anybody has any insights into this situation would be greatly appreaciated. Thanks,
Terry,
Is UseSSL in the the Report Manager RSWebApplication.config file on, such as: <UI> <CustomAuthenticationUI> <loginUrl>/Pages/UILogon.aspx</loginUrl> <UseSSL>True</UseSSL> </CustomAuthenticationUI> <!--Change the following line to reflect the computer name where RS is installed. DON NOT USE LOCALHOST--> <ReportServerUrl>http://MyRSServer/ReportServer</ReportServerUrl> </UI> Yes, it will be a good idea to move the Report Manager to a private subnet if you don't need it to be accessible on Internet. But I don't think this will solve your issue. In addition make sure your access the Report Manager by using the computer name where it is not installed, not localhost. -- Hope this helps. ---------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" http://www.manning.com/lachev Home page and blog http://www.prologika.com ---------------------------------------------- [quoted text, click to view] "Terry Romance" <tedgromance@yahoo.com> wrote in message news:f284ebe.0408231338.3fa07029@posting.google.com... > We are having an issue getting Report Manager to work with SSL. > Here's the setup: > > We have thatken the forms authetication example and have modified it > to suit our needs, and it works fine (no SSL at this point). Now, we > want to make our application available over the Internet, so we have > gotten a certificate from VeriSign and turned on SSL - the application > works fine. > > The snag comes in with trying to access the Report Manager (even from > the machine it is installed on). When I debug using Visual Studio, > the problem occurs in the UILogin.aspx when calling the > ReportingService's LogonUser class. The error that is reported is > "The underlying connection was closed: Could not establish trust > relationship with remote server." It seems like the cetificate is not > being accepted by the reporting service. From reading this forum, I > understand that the URL of the ReportingService object should be set > to "https://<machine_name>/ReportServer/reportservice.asmx". However, > our certificate from VeriSign has our production website name, which > obviously does not match the machine name. Could this be causing the > problem? If so, is there a way around this? > > We do NOT want the Report Manger available over the internet, just > locally. A hokey solution is OK, as long as it keeps the Reporting > Service secure. I anybody has any insights into this situation would > be greatly appreaciated. > > Thanks, > Terry Romance
Teo,
Thanks for the reply. I have SSL turned on, and here is the relevant section of the RSWebApplication.config file: <UI> <CustomAuthenticationUI> <loginUrl>/Pages/UILogin.aspx</loginUrl> <UseSSL>True</UseSSL> </CustomAuthenticationUI> <ReportServerUrl>https://<machine_name>/ReportServer</ReportServerUrl> </UI> (I have the actual machine name, not 'localhost') I also have the following in RSReportServer.config: <Add Key="SecureConnectionLevel" Value="3"/> I noticed in your post you had http: instead of https: - when I tried making that change in the RSWebApplication.config file, I received the following exception instead: "The operation you are attempting requires a secure connection (HTTPS)." So, I'm guessing that the https: is correct. Does my guess that it is a problem with the difference between the name in the config file and the name on the certificate that is causing the error? I can validate the user directly using my own code, but is there any way I could create a certificate on the fly and pass it to the Report Server so that it will then allow the user into the Report Manager? Currently we are stuck with switching back to Windows authentication or turning off SSL. Any ideas would be helpful at this point. Thanks, Terry [quoted text, click to view] "Teo Lachev" <teo@nospam.prologika.com> wrote in message news:<eeC9HLYiEHA.3876@TK2MSFTNGP12.phx.gbl>...
> Terry, > > Is UseSSL in the the Report Manager RSWebApplication.config file on, such > as: > > <UI> > <CustomAuthenticationUI> > <loginUrl>/Pages/UILogon.aspx</loginUrl> > <UseSSL>True</UseSSL> > </CustomAuthenticationUI> > <!--Change the following line to reflect the computer name where RS is > installed. DON NOT USE LOCALHOST--> > <ReportServerUrl>http://MyRSServer/ReportServer</ReportServerUrl> > </UI> > > Yes, it will be a good idea to move the Report Manager to a private subnet > if you don't need it to be accessible on Internet. But I don't think this > will solve your issue. > > In addition make sure your access the Report Manager by using the computer > name where it is not installed, not localhost. > > -- > Hope this helps. > > ---------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > http://www.manning.com/lachev > Home page and blog http://www.prologika.com
Terry,
Yes, it should be https. I doubt that the problem is with the certificate. What does navigating to https://machine_name/reportserver give you? In addition, according to your explanation this error only happens with the Report Manager. Have you tried callling LogonUser from another application? Is the call successful? -- Hope this helps. ---------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" http://www.manning.com/lachev Home page and blog http://www.prologika.com ---------------------------------------------- [quoted text, click to view] "Terry Romance" <tedgromance@yahoo.com> wrote in message news:f284ebe.0408240416.130c778e@posting.google.com... > Teo, > > Thanks for the reply. I have SSL turned on, and here is the > relevant section of the RSWebApplication.config file: > > <UI> > <CustomAuthenticationUI> > <loginUrl>/Pages/UILogin.aspx</loginUrl> > <UseSSL>True</UseSSL> > </CustomAuthenticationUI> > <ReportServerUrl>https://<machine_name>/ReportServer</ReportServerUrl> > </UI> > > (I have the actual machine name, not 'localhost') > > I also have the following in RSReportServer.config: > > <Add Key="SecureConnectionLevel" Value="3"/> > > I noticed in your post you had http: instead of https: - when I tried > making that change in the RSWebApplication.config file, I received the > following exception instead: > > "The operation you are attempting requires a secure connection > (HTTPS)." > > So, I'm guessing that the https: is correct. > > Does my guess that it is a problem with the difference between the > name in the config file and the name on the certificate that is > causing the error? > > I can validate the user directly using my own code, but is there any > way I could create a certificate on the fly and pass it to the Report > Server so that it will then allow the user into the Report Manager? > Currently we are stuck with switching back to Windows authentication > or turning off SSL. > > Any ideas would be helpful at this point. > > Thanks, > Terry > > > "Teo Lachev" <teo@nospam.prologika.com> wrote in message news:<eeC9HLYiEHA.3876@TK2MSFTNGP12.phx.gbl>... > > Terry, > > > > Is UseSSL in the the Report Manager RSWebApplication.config file on, such > > as: > > > > <UI> > > <CustomAuthenticationUI> > > <loginUrl>/Pages/UILogon.aspx</loginUrl> > > <UseSSL>True</UseSSL> > > </CustomAuthenticationUI> > > <!--Change the following line to reflect the computer name where RS is > > installed. DON NOT USE LOCALHOST--> > > <ReportServerUrl>http://MyRSServer/ReportServer</ReportServerUrl> > > </UI> > > > > Yes, it will be a good idea to move the Report Manager to a private subnet > > if you don't need it to be accessible on Internet. But I don't think this > > will solve your issue. > > > > In addition make sure your access the Report Manager by using the computer > > name where it is not installed, not localhost. > > > > -- > > Hope this helps. > > > > ---------------------------------------------- > > Teo Lachev, MCSD, MCT > > Author: "Microsoft Reporting Services in Action" > > http://www.manning.com/lachev > > Home page and blog http://www.prologika.com > > ----------------------------------------------
Teo,
Thanks for your continuing help. When I navigate to "https://machine_name/reportserver", it redirects me to the Report Server's login screen (Login.aspx, not the Report Manager's login, which is UILogin.apsx). I am able to login successfully there - the validation is handled by my own DB lookup, it then calls FormsAuthentication.RedirectFromLoginPage if the user is verified. I did try connecting to the report manager from an externally (since I believed this would resolve any differences between the domain name I was connecting to, and the name on the certificate). In the debugger, execution seemed to hang on the LogonUser call, before it eventually returned the following message: "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." This is different from the message I received when trying to connect internally (the "trused connection" message). I never received any prompt message in IE running on the external machine to indicate that it was waiting for input. Does this help narrow down what the problem might be? I have not tried calling LogonUser from another application, but I will try doing that and post the results. Again, I appreciate all your help. Thanks, Terry [quoted text, click to view] "Teo Lachev" <teo@nospam.prologika.com> wrote in message news:<ekCmv1diEHA.3944@tk2msftngp13.phx.gbl>...
> Terry, > > Yes, it should be https. I doubt that the problem is with the certificate. > What does navigating to https://machine_name/reportserver give you? > > In addition, according to your explanation this error only happens with the > Report Manager. Have you tried callling LogonUser from another application? > Is the call successful? > -- > Hope this helps. > > ---------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > http://www.manning.com/lachev > Home page and blog http://www.prologika.com > ----------------------------------------------
Teo,
I hope you are still out there monitoring this thread. I'm sorry, but we had another issue here that required my attention. I was finally able to try to code a small test application to call LogonUser. The result is the same: "The underlying connection was closed: Could not establish trust relationship with remote server." We are currently stuck with switching back to the original config files and Windows Authentication to access the Report Manager, and then going back to our custom security when we are done, but this is by no means a good long-term solution. At this point, I'll welcome any suggestion or experiment to try. Thanks in advance. - Terry [quoted text, click to view] > "Teo Lachev" <teo@nospam.prologika.com> wrote in message news:<ekCmv1diEHA.3944@tk2msftngp13.phx.gbl>...
> > Terry, > > > > Yes, it should be https. I doubt that the problem is with the certificate. > > What does navigating to https://machine_name/reportserver give you? > > > > In addition, according to your explanation this error only happens with the > > Report Manager. Have you tried callling LogonUser from another application? > > Is the call successful? > > -- > > Hope this helps. > > > > ---------------------------------------------- > > Teo Lachev, MCSD, MCT > > Author: "Microsoft Reporting Services in Action" > > http://www.manning.com/lachev > > Home page and blog http://www.prologika.com > > ----------------------------------------------
Terry,
Check these threads: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search In addition, if you use client certificates review this: This article was previously published under Q318103 SYMPTOMS Note The following .NET Framework Class Library namespaces are referenced in this article: System.Web.Services System.Security.Cryptography.X509Certificates When you try to pass a client certificate from an ASP.NET page to a Web service that requires Secure Sockets Layer (SSL) and client certificates, you receive the following error message: 403 Access Denied CAUSE A certificate is associated with the user ID of the user who installed the certificate (this is the certificate user); therefore, the certificate is available only when that user profile is loaded. If no one is logged on to the computer, or if a user other than the certificate owner is logged on, the certificate is not accessible. If you access the Web service .asmx file from a browser that passes the certificates to you, you do not encounter this problem. The following ASP.NET code fails when calling SimpleServices, which expects a client certificate: public void Submit_HelloWorldClick(Object sender, EventArgs E) { // Instantiate the proxy class for the web service SimpleService service = new SimpleService(); // Pass in credentials using NTLM service.Credentials = CredentialCache.DefaultCredentials; // Load the client certificate from a file X509Certificate x509 = X509Certificate.CreateFromCertFile(@"c:\user_der.cer"); service.ClientCertificates.Add(x509); // Call the service Result.Text = service.HelloWorld(); } RESOLUTION To resolve this issue, invoke the Web service from a Serviced Component, and use a Microsoft Windows service to automatically load the profile of the certificate user so that the Serviced Component can retrieve the client certificate and then communicate with the Web service over SSL. 1.. Create a Windows service program with only one function to run under the certificate user identity. 2.. Create a Serviced Component that runs under the identity of the certificate user. 3.. Move the authentication code from the ASP.NET application to the Serviced Component. Verify that the Serviced Component runs under the identity of the certificate user. 4.. Call the Serviced Component method from the ASP.NET Web application. STATUS This behavior is by design. -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "Terry Romance" <tedgromance@yahoo.com> wrote in message news:f284ebe.0409131008.e9801ec@posting.google.com... > Teo, > > I hope you are still out there monitoring this thread. I'm > sorry, but we had another issue here that required my attention. > > I was finally able to try to code a small test application to > call LogonUser. The result is the same: "The underlying connection > was closed: Could not establish trust relationship with remote > server." > > We are currently stuck with switching back to the original config > files and Windows Authentication to access the Report Manager, and > then going back to our custom security when we are done, but this is > by no means a good long-term solution. At this point, I'll welcome > any suggestion or experiment to try. > > Thanks in advance. > > - Terry > > > "Teo Lachev" <teo@nospam.prologika.com> wrote in message news:<ekCmv1diEHA.3944@tk2msftngp13.phx.gbl>... > > > Terry, > > > > > > Yes, it should be https. I doubt that the problem is with the certificate. > > > What does navigating to https://machine_name/reportserver give you? > > > > > > In addition, according to your explanation this error only happens with the > > > Report Manager. Have you tried callling LogonUser from another application? > > > Is the call successful? > > > -- > > > Hope this helps. > > > > > > ---------------------------------------------- > > > Teo Lachev, MCSD, MCT > > > Author: "Microsoft Reporting Services in Action" > > > http://www.manning.com/lachev > > > Home page and blog http://www.prologika.com > > > ---------------------------------------------- > > >
Basically, you have to disable certificate checking for the RM application.
You do this by writing a custom certificate checker and just ignoring errors in that checker. You can make this part of your UILogon code. Hope this helps. --Carlos [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:uWfcNndmEHA.512@TK2MSFTNGP10.phx.gbl... > Terry, > > Check these threads: > http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search > > In addition, if you use client certificates review this: > > This article was previously published under Q318103 > SYMPTOMS > Note The following .NET Framework Class Library namespaces are referenced in > this article: > > System.Web.Services > System.Security.Cryptography.X509Certificates > > When you try to pass a client certificate from an ASP.NET page to a Web > service that requires Secure Sockets Layer (SSL) and client certificates, > you receive the following error message: > > 403 Access Denied > CAUSE > A certificate is associated with the user ID of the user who installed the > certificate (this is the certificate user); therefore, the certificate is > available only when that user profile is loaded. If no one is logged on to > the computer, or if a user other than the certificate owner is logged on, > the certificate is not accessible. > > If you access the Web service .asmx file from a browser that passes the > certificates to you, you do not encounter this problem. > > The following ASP.NET code fails when calling SimpleServices, which expects > a client certificate: > public void Submit_HelloWorldClick(Object sender, EventArgs E) > { > // Instantiate the proxy class for the web service > SimpleService service = new SimpleService(); > > // Pass in credentials using NTLM > service.Credentials = CredentialCache.DefaultCredentials; > > // Load the client certificate from a file > X509Certificate x509 = > X509Certificate.CreateFromCertFile(@"c:\user_der.cer"); > > service.ClientCertificates.Add(x509); > > // Call the service > Result.Text = service.HelloWorld(); > } > RESOLUTION > To resolve this issue, invoke the Web service from a Serviced Component, and > use a Microsoft Windows service to automatically load the profile of the > certificate user so that the Serviced Component can retrieve the client > certificate and then communicate with the Web service over SSL. > 1.. Create a Windows service program with only one function to run under > the certificate user identity. > 2.. Create a Serviced Component that runs under the identity of the > certificate user. > 3.. Move the authentication code from the ASP.NET application to the > Serviced Component. Verify that the Serviced Component runs under the > identity of the certificate user. > 4.. Call the Serviced Component method from the ASP.NET Web application. > STATUS > This behavior is by design. > > -- > Hope this helps. > > ----------------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > Publisher website: http://www.manning.com/lachev > Buy it from Amazon.com: http://shrinkster.com/eq > Home page and blog: http://www.prologika.com/ > ----------------------------------------------------- > > "Terry Romance" <tedgromance@yahoo.com> wrote in message > news:f284ebe.0409131008.e9801ec@posting.google.com... > > Teo, > > > > I hope you are still out there monitoring this thread. I'm > > sorry, but we had another issue here that required my attention. > > > > I was finally able to try to code a small test application to > > call LogonUser. The result is the same: "The underlying connection > > was closed: Could not establish trust relationship with remote > > server." > > > > We are currently stuck with switching back to the original config > > files and Windows Authentication to access the Report Manager, and > > then going back to our custom security when we are done, but this is > > by no means a good long-term solution. At this point, I'll welcome > > any suggestion or experiment to try. > > > > Thanks in advance. > > > > - Terry > > > > > "Teo Lachev" <teo@nospam.prologika.com> wrote in message > news:<ekCmv1diEHA.3944@tk2msftngp13.phx.gbl>... > > > > Terry, > > > > > > > > Yes, it should be https. I doubt that the problem is with the > certificate. > > > > What does navigating to https://machine_name/reportserver give you? > > > > > > > > In addition, according to your explanation this error only happens > with the > > > > Report Manager. Have you tried callling LogonUser from another > application? > > > > Is the call successful? > > > > -- > > > > Hope this helps. > > > > > > > > ---------------------------------------------- > > > > Teo Lachev, MCSD, MCT > > > > Author: "Microsoft Reporting Services in Action" > > > > http://www.manning.com/lachev > > > > Home page and blog http://www.prologika.com > > > > ---------------------------------------------- > > > > > >
Carlos,
Thanks for the reply. If it makes a difference, we are NOT using client certificates. Excuse me for asking, but I am relatively new with Reporting Services, Visual Studio .NET, SSL and certificates, and I have no idea how to disable certificate checking, much less write my own. Do you have an example, or know a location on the web that might have one? Thanks, Terry [quoted text, click to view] "Carlos C Tapang" <ctapang@centerus.com> wrote in message news:<u##uaRzmEHA.2680@TK2MSFTNGP15.phx.gbl>...
> Basically, you have to disable certificate checking for the RM application. > You do this by writing a custom certificate checker and just ignoring errors > in that checker. You can make this part of your UILogon code. > > Hope this helps. > > --Carlos
Teo,
Thank you for the reply. I think I have read each of those posts you link to several times each, to no avail, but I will keep digging through them. We are not using client certificates in our application. I have been trying something different lately - linking to the reporting service from a different machine using the URL that matches the one on the certificate we were issued by VeriSign. I think I managed to get around the "could not established trusted connection" error, but am now getting SOAP errors. When I get more specific details, I will post them here. Thanks against for your continuing assistance. - Terry [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:<uWfcNndmEHA.512@TK2MSFTNGP10.phx.gbl>...
> Terry, > > Check these threads: > http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search > > In addition, if you use client certificates review this: > > (snip)
Terry,
I don't know what it's causing your grief. I have implemented Forms Authentication over SSL and didn't have a problem. Have you tried create a sample web service on that box and calling it just to eliminate RS? -- Hope this helps. ----------------------------------------------------- Teo Lachev, MCSD, MCT Author: "Microsoft Reporting Services in Action" Publisher website: http://www.manning.com/lachev Buy it from Amazon.com: http://shrinkster.com/eq Home page and blog: http://www.prologika.com/ ----------------------------------------------------- [quoted text, click to view] "Terry Romance" <tedgromance@yahoo.com> wrote in message news:f284ebe.0409200920.4627cee3@posting.google.com... > Teo, > > Thank you for the reply. I think I have read each of those posts > you link to several times each, to no avail, but I will keep digging > through them. > > We are not using client certificates in our application. > > I have been trying something different lately - linking to the > reporting service from a different machine using the URL that matches > the one on the certificate we were issued by VeriSign. I think I > managed to get around the "could not established trusted connection" > error, but am now getting SOAP errors. When I get more specific > details, I will post them here. > > Thanks against for your continuing assistance. > > - Terry > > "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:<uWfcNndmEHA.512@TK2MSFTNGP10.phx.gbl>... > > Terry, > > > > Check these threads: > > http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search > > > > In addition, if you use client certificates review this: > > > > (snip) > >
Teo,
Thanks, I will give that a try, which might not be for awhile - we just ran into major performance issues. (We had 10 people try to bring up reports at once, and I think it broke our Forms Authentication - cookies seemed to disappear!) Anyway, I hope you'll still be monitoring this when I get back to checking this issue. Thanks again for all your help. - Terry [quoted text, click to view] "Teo Lachev" <teo.lachev@nospam.prologika.com> wrote in message news:<Od#tw23nEHA.3628@TK2MSFTNGP09.phx.gbl>...
> Terry, > > I don't know what it's causing your grief. I have implemented Forms > Authentication over SSL and didn't have a problem. Have you tried create a > sample web service on that box and calling it just to eliminate RS? > > -- > Hope this helps. > > ----------------------------------------------------- > Teo Lachev, MCSD, MCT > Author: "Microsoft Reporting Services in Action" > Publisher website: http://www.manning.com/lachev > Buy it from Amazon.com: http://shrinkster.com/eq > Home page and blog: http://www.prologika.com/ > -----------------------------------------------------
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |