Recently I posted an article (here) about getting SQL Server Reporting Services 2005 to work on a Windows 2008 Server. It worked to the point that SSRS now runs in Native mode, but not yet in SharePoint Integrated mode. There are some Kerberos errors in the event logs. So I searched the internet for information about SSRS and Kerberos settings and came across a whitepaper called “CONFIGURING KERBEROS AUTHENTICATION WITH ROLE CENTER PAGES”. This whitepaper is about SSRS and Dynamics AX 2009 and can be found here. Most importantly, the whitepaper explains how to configure Kerberos in this specific situation.
Here is the important part:
The following procedure applies to SQL Server 2005 Reporting Services. [...] By default, the SQL Server Reporting Services Report Server and Report Manager virtual directories are configured for Kerberos authentication. If your organization or business deployed an SQL Reporting Services server, use the following procedure to verify the authentication mode on these directories. This procedure also includes the commands to set Kerberos authentication for the virtual directories, if necessary.
- Click Start, click Administrative tools, then click Internet Information Services (IIS) Manager.
- In the left pane, click the Web sites directory and locate the Reports and Report Server applications.
- Locate the Identifier column and write down the identifier for each application.
- Enter the following command in a command prompt and press Enter: cd \inetpub\adminscripts
- Use the following command to determine if Negotiate,NTLM (Kerberos) authentication is set for the Report Manager and Report Server applications. In the command, replace <identifier> with the identifier for the Report Manager and Report Server applications, respectively. Then enter the commands in the command prompt and press Enter:
cscript adsutil.vbs get w3svc/<identifier>/root/reports/NTAuthenticationProviders
cscript adsutil.vbs get w3svc/<identifier>/root/reportserver/NTAuthenticationProviders
- If Negotiate,NTLM (Kerberos) authentication is not set, use the following commands to set it:
cscript adsutil.vbs set w3svc/<identifier>/root/reports/NTAuthenticationProviders "Negotiate,NTLM"
cscript adsutil.vbs set w3svc/<identifier>/root/reportserver/NTAuthenticationProviders "Negotiate,NTLM"
- In the command prompt, type iisreset and then press Enter.
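The verification steps above can be run as one read-only batch file that checks both virtual directories for every site identifier passed on the command line. This is an added example, not part of the whitepaper or the original post; it assumes adsutil.vbs is in the default \inetpub\adminscripts folder used by the procedure, and the file name and labels are hypothetical.

```batch
@echo off
rem Added example (not from the whitepaper): read-only check of the Reports and
rem ReportServer virtual directories for each IIS site identifier given as an
rem argument. It only runs "adsutil.vbs get" and never changes the metabase.
rem Assumption: adsutil.vbs is in the default \inetpub\adminscripts folder.
setlocal
set "ADSUTIL=%SystemDrive%\inetpub\adminscripts\adsutil.vbs"
if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found: %ADSUTIL%
    exit /b 2
)
if "%~1"=="" (
    echo Usage: %~nx0 identifier [identifier ...]
    exit /b 2
)
set "FAILED=0"

:next_id
if "%~1"=="" goto summary
call :check "%~1" reports
call :check "%~1" reportserver
shift
goto next_id

:summary
if "%FAILED%"=="0" echo All checked directories report Negotiate,NTLM.
if "%FAILED%"=="1" echo At least one directory needs the set command from the procedure.
exit /b %FAILED%

:check
rem %1 = site identifier, %2 = virtual directory name
set "NODE=w3svc/%~1/root/%~2/NTAuthenticationProviders"
rem findstr returns errorlevel 1 when the value is missing or is anything else,
rem for example NTLM on its own, which would prevent Kerberos from being negotiated.
cscript //nologo "%ADSUTIL%" get %NODE% | findstr /i /c:"Negotiate,NTLM" >nul
if errorlevel 1 (
    echo [CHECK] %NODE% is not Negotiate,NTLM. Current output:
    cscript //nologo "%ADSUTIL%" get %NODE%
    set "FAILED=1"
) else (
    echo [OK]    %NODE%
)
goto :eof
```

The exit code is 0 when every checked directory reports Negotiate,NTLM and 1 otherwise, so the file can be rerun after the set commands and iisreset to confirm the change took effect.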
Configure service principal names
Kerberos authentication requires that you specify certain properties in Active Directory about how and where a service should run. In the context of Active Directory, this is called configuring a service principal name (SPN). Using the following procedure, you will specify the server name, domain name, and application pool account for the HTTP service and the SQL Server Analysis Services service (if applicable) in Active Directory using the SetSPN.exe command-line tool. Setspn.exe is included with Windows Server 2003 Service Pack 1 and Service Pack 2. This command-line tool enables you to read, modify, and delete SPN properties for an Active Directory service account like the HTTP service. To perform this procedure, you must be a member of the domain administrator group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
Before you begin, confirm that Windows Server 2003 Service Pack 1 or Service Pack 2 is installed on each Enterprise Portal and SQL Server computer. If you do not install one or more of these service packs, you will not be able to locate the Setspn.exe tool.
Read more at the whitepaper


October 29th, 2009 at 2:17 AM
I should notify my friend about your post.