| Groups | Blog | Home |
sql server reporting services : Security Troubleshooting?
documentation was wonderful for 2005 and it answered all of our questions. Our main reporting page should allow all users of a group to browse, but it no longer seems to accept the integrated security login for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials error. What's the best place to start looking to fix this error? I've re-run the config tool and checked all teh security settings on the current pool and virtual directories but get the same errors on those users. Administrators of the box and domain can continue to use the site. very strange.
The domain security group has permission on the reportserver in the
browser role. It's possibly a file permission issue but the reportserver web directories already have the reportingserviceswebserviceuser and the reportserveruser listed as having read and execute. [quoted text, click to view] Ben Watts wrote:
> and did you give the specific group certain permissions on the actual report > server? The group on the domain has certain permissions but you also have > to grant them more permissions via the report server. > > "Aaron Haley" <aaronhaley@gmail.com> wrote in message > news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... > > We just migrated from 2000 to 2005 on a new box. The migration > > documentation was wonderful for 2005 and it answered all of our > > questions. Our main reporting page should allow all users of a group to > > browse, but it no longer seems to accept the integrated security login > > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: > > Access is denied due to invalid credentials error. What's the best > > place to start looking to fix this error? I've re-run the config tool > > and checked all teh security settings on the current pool and virtual > > directories but get the same errors on those users. Administrators of > > the box and domain can continue to use the site. very strange. > >
We had a similar problem, but it was because the admins had access to
read\write to a specific file or folder and everyone else did not have those permissiosn. Might want to check folder and file access permissions. [quoted text, click to view] "Aaron Haley" <aaronhaley@gmail.com> wrote in message news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... > We just migrated from 2000 to 2005 on a new box. The migration > documentation was wonderful for 2005 and it answered all of our > questions. Our main reporting page should allow all users of a group to > browse, but it no longer seems to accept the integrated security login > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: > Access is denied due to invalid credentials error. What's the best > place to start looking to fix this error? I've re-run the config tool > and checked all teh security settings on the current pool and virtual > directories but get the same errors on those users. Administrators of > the box and domain can continue to use the site. very strange. >
and did you give the specific group certain permissions on the actual report
server? The group on the domain has certain permissions but you also have to grant them more permissions via the report server. [quoted text, click to view] "Aaron Haley" <aaronhaley@gmail.com> wrote in message news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... > We just migrated from 2000 to 2005 on a new box. The migration > documentation was wonderful for 2005 and it answered all of our > questions. Our main reporting page should allow all users of a group to > browse, but it no longer seems to accept the integrated security login > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: > Access is denied due to invalid credentials error. What's the best > place to start looking to fix this error? I've re-run the config tool > and checked all teh security settings on the current pool and virtual > directories but get the same errors on those users. Administrators of > the box and domain can continue to use the site. very strange. >
The problem lies with Windows Server 2003 SP1!!!
to resolve, pls refer to http://support.microsoft.com/kb/896861/ I found something that might help. [quoted text, click to view] "Aaron Haley" <aaronhaley@gmail.com> wrote in message news:1154380614.659010.277720@i3g2000cwc.googlegroups.com... > The domain security group has permission on the reportserver in the > browser role. It's possibly a file permission issue but the > reportserver web directories already have the > reportingserviceswebserviceuser and the reportserveruser listed as > having read and execute. > > Ben Watts wrote: >> and did you give the specific group certain permissions on the actual >> report >> server? The group on the domain has certain permissions but you also >> have >> to grant them more permissions via the report server. >> >> "Aaron Haley" <aaronhaley@gmail.com> wrote in message >> news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... >> > We just migrated from 2000 to 2005 on a new box. The migration >> > documentation was wonderful for 2005 and it answered all of our >> > questions. Our main reporting page should allow all users of a group to >> > browse, but it no longer seems to accept the integrated security login >> > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: >> > Access is denied due to invalid credentials error. What's the best >> > place to start looking to fix this error? I've re-run the config tool >> > and checked all teh security settings on the current pool and virtual >> > directories but get the same errors on those users. Administrators of >> > the box and domain can continue to use the site. very strange. >> > >
I haven't tried that yet but I might. The application pool account
doesn't seem to be trusted by the AD for kerberos delegation. The server is checked for delegation and the application pol security is using a domain account, if I don't use a domain account I get this... The request failed with HTTP status 401: Unauthorized. Sounds the exact same as a problem on the MSDN SQLRS forum that someone else was having. I shouldn't need to edit the SPN with setspn since I'm trying to connect to the local AD DNS server name should I? Very strange. [quoted text, click to view] Ben Watts wrote:
> The problem lies with Windows Server 2003 SP1!!! > > to resolve, pls refer to http://support.microsoft.com/kb/896861/ > > I found something that might help. > > > "Aaron Haley" <aaronhaley@gmail.com> wrote in message > news:1154380614.659010.277720@i3g2000cwc.googlegroups.com... > > The domain security group has permission on the reportserver in the > > browser role. It's possibly a file permission issue but the > > reportserver web directories already have the > > reportingserviceswebserviceuser and the reportserveruser listed as > > having read and execute. > > > > Ben Watts wrote: > >> and did you give the specific group certain permissions on the actual > >> report > >> server? The group on the domain has certain permissions but you also > >> have > >> to grant them more permissions via the report server. > >> > >> "Aaron Haley" <aaronhaley@gmail.com> wrote in message > >> news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... > >> > We just migrated from 2000 to 2005 on a new box. The migration > >> > documentation was wonderful for 2005 and it answered all of our > >> > questions. Our main reporting page should allow all users of a group to > >> > browse, but it no longer seems to accept the integrated security login > >> > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: > >> > Access is denied due to invalid credentials error. What's the best > >> > place to start looking to fix this error? I've re-run the config tool > >> > and checked all teh security settings on the current pool and virtual > >> > directories but get the same errors on those users. Administrators of > >> > the box and domain can continue to use the site. very strange. > >> > > >
Dang. Finally!! The problem was that the SQL server was running under a
domain account. So RS only worked when the app pool was running under a domain account but then only for domain admins. I needed a SPN for the SQL server as well. Use setspn.exe to list SPNs registered to domain user "SQLUser": setspn.exe -L DOMAIN\SQLUser To add a SQL SPN: setspn.exe -A MSSQLSvc/SQLSERVER.domain.com:1433 DOMAIN\SQLUser {Assigns SQN SQL instance on port 1433 to DOMAIN user "SQLUser"} [quoted text, click to view] Aaron Haley wrote:
> I haven't tried that yet but I might. The application pool account > doesn't seem to be trusted by the AD for kerberos delegation. The > server is checked for delegation and the application pol security is > using a domain account, if I don't use a domain account I get this... > The request failed with HTTP status 401: Unauthorized. > Sounds the exact same as a problem on the MSDN SQLRS forum that someone > else was having. I shouldn't need to edit the SPN with setspn since I'm > trying to connect to the local AD DNS server name should I? > Very strange. > > Ben Watts wrote: > > The problem lies with Windows Server 2003 SP1!!! > > > > to resolve, pls refer to http://support.microsoft.com/kb/896861/ > > > > I found something that might help. > > > > > > "Aaron Haley" <aaronhaley@gmail.com> wrote in message > > news:1154380614.659010.277720@i3g2000cwc.googlegroups.com... > > > The domain security group has permission on the reportserver in the > > > browser role. It's possibly a file permission issue but the > > > reportserver web directories already have the > > > reportingserviceswebserviceuser and the reportserveruser listed as > > > having read and execute. > > > > > > Ben Watts wrote: > > >> and did you give the specific group certain permissions on the actual > > >> report > > >> server? The group on the domain has certain permissions but you also > > >> have > > >> to grant them more permissions via the report server. > > >> > > >> "Aaron Haley" <aaronhaley@gmail.com> wrote in message > > >> news:1154376085.930951.193280@i42g2000cwa.googlegroups.com... > > >> > We just migrated from 2000 to 2005 on a new box. The migration > > >> > documentation was wonderful for 2005 and it answered all of our > > >> > questions. Our main reporting page should allow all users of a group to > > >> > browse, but it no longer seems to accept the integrated security login > > >> > for access. It ends up giving them the HTTP Error 401.1 - Unauthorized: > > >> > Access is denied due to invalid credentials error. What's the best > > >> > place to start looking to fix this error? I've re-run the config tool > > >> > and checked all teh security settings on the current pool and virtual > > >> > directories but get the same errors on those users. Administrators of > > >> > the box and domain can continue to use the site. very strange. > > >> > > > >
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |