Why does Windows/Integrated Authentication in IIS not pass user credentials to SSRS and SQL?

asp.net web-services entity-framework iis reporting-services
19,745

Solution 1

Windows or Integrated authentication means that user is identified using windows credentials (or token) but it does not means that the request in running under that user. ASP.NET run-time will execute the request under worker process (App Pool) identity unless you configure it to impersonate some other identity.

So when you are accessing the site using development server, the server is running under your identity and so access to SSRS and Sql Server is done under your identity and it works.

When you loaded your site under IIS, ASP.NET request would be run under whatever identity is configured for the application pool. Typically this identity is local user and hence access to network resources such as SSRS or Sql Server would be denied. Adding <identity impersonate="true" username="your name" ../>, ASP.NET will run requests under your identity and that should work for both SSRS and Sql Server.

The curious case here is <identity impersonate="true" /> - under this setting, ASP.NET will impersonate currently authenticated windows identity. However, for this to work correctly, you have configure both IIS and ASP.NET on integrated authentication and deny anonymous access (in ASP.NET as well as IIS). Failing to do so may result in not authenticating current user's identity and the request would be run under anonymous user's identity (as configured in IIS). If you marked integrated authentication in IIS but not in ASP.NET then identity would not be passed to the ASP.NET request. You need to check your environment to see what exact scenario you had faced but ultimate result was your ASP.NET request was running under credential that has access to SQL Server but not to SSRS.

Solution 2

You also need to be aware of the 'double hop' issue - this means that your credentials can only be used twice.

If you are accessing a website using Windows Authentication and impersonation, that website can call another service as you. If that other service is another website (i.e. Reporting Services) which in turn calls another service (e.g. database) it cannot pass your credentials on again. This means that the database will throw an error if it expects credentials from the user.

Share:
19,745
Devin Burke
Author by

Devin Burke

Updated on June 21, 2022

Comments

  • Devin Burke
    Devin Burke almost 2 years

    Issue: In ASP.NET 4.0, I use my SSRS 2005 server's ReportService2005.asmx web service to get a list of reports. Also in .NET, I use Entity Framework to communicate with my MS-SQL 2005 database. When I use Visual Studio Development Server as my web server, calls to SSRS and SQL work fine. But when I switch to IIS 5.1, both SSRS and Entity code produce errors. I use only Windows/Integrated Authentication in IIS.

    Errors: For SSRS, I get The request failed with HTTP status 401: Unauthorized.

    For Entity Framework, I get Login failed for user ''. The user is not associated with a trusted SQL Server connection.

    Attempted Solutions: In the Web.Config I added <identity impersonate="true" /> and that fixed Entity Framework errors but not SSRS errors. I expanded the identity reference to include my username and password, and that fixed all errors.

    Question: Why does specifying my username and password fix the errors, and why does SQL say I am not specifying a username ('')? I thought Windows Authentication automatically impersonated the current user. How can I fix this without hardcoding a "service" account into the web.config?

  • Devin Burke
    Devin Burke over 12 years
    You are correct. I ended up using <identity impersonate="true" /> in the web.config and ((WindowsIdentity)HttpContext.Current.User.Identity).Imperso‌​nate() for the one reference to SSRS and that correctly impersonated me.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

.OrderBy() / .OrderByDescending() with .FirstOrDefault()/.First()
EndpointNotFoundException - 404 - Hosting WCF Service over HTTPS in IIS through Visual Studio
How to log communication of a WebService running on IIS 6.0?
Problem with WCF Service - The protocol 'http' is not supported. How to resolve?
401 Client 'Negotiate', Server 'Negotiate,NTLM' When Calling WCF Server to Server
AppPool Permission Issue with Accessing Report Server
What is error code is 0x80070001? And how can I solve it?
Creating Reports in ASP.Net with Entity Framework
What is limiting the # of simultaneous connections my ASP.NET application can make to a web service?
Cannot open database "test" requested by the login. The login failed. Login failed for user 'xyz\ASPNET'