I need some help with authentication when using the web reportviewer to view SSRS reports.
In IIS I've set "Windows Authentication" only and unchecked "Anonymous Access" and the other checks in the Directory Security tab. The result in my website is that WindowsIdentity.GetCurrent() returns the ASPNET user and Request.LogonUserIdentity the domain account of the user that logged in. On the page that hosts the ReportViewer control, I programmatically impersonate the Request.LogonUserIdentity, then set all the report/server properties and refresh the ServerReport, however this returns the "The request failed with HTTP status 401: Unauthorized." error and I'm 100% sure the Request.LogonUserIdentity has access to the report. To proof the impersonation worked, WindowsIdentity.GetCurrent() returns the same user as Request.LogonUserIdentity after the impersonation and I'm using the same impersonation when I need to query the database, just with a specific user.
I've noticed that on the ReportViewer1, the ServerReport property has a property for ImpersonationUser, but I'm not able to set this and can't find where to either.
Can anyone shed some light please! I've been working on this for days now....
It's not clear why you need to do impersonation yourself. If you're using Windows Authentication and have disabled anonymous access, then simply let ASP.NET flow the end-user's credentials to Reporting Server. Try adding the <identity> element to your web.config file:
<identity impersonate="true" />
Another issue you might be encountering (if your Reporting Server is on a different machine to your web server) is the NTLM double-hop problem and you may need to configure Kerberos in order to support credential delegation over multiple machines.
Related
Folk, finding it hard to find information for this particular scenario.
IIS is on one server and the developers are using Forms authentication in ASP.NET 4.5 with the AD as the membership provider.
Reportserver is SS2016 Standard is running as a domain account and has the following authentication types:
<AuthenticationTypes>
<RSWindowsNTLM/>
<RSWindowsNegotiate/>
</AuthenticationTypes>
If the developer has <identity impersonate="true" /> we get "The request failed with HTTP status 401: Unauthorized" and no account listed. Without the impersonate we get rsAccessDenied with the service account of IIS listed.
Any help would be greatly appreciated.
What do your logs say? Check your report logs (https://technet.microsoft.com/en-us/library/cc512029.aspx) as well as Event logs on the report server.
Does the impersonated user have database/data source permissions?
If, after reviewing your logs you can't figure it out, please post them here.
Haven't done enough web development, and have searched a bit here, and have not found an answer yet.
I wanted to find out how to configure my website/web.config to allow me to use SUSER_NAME() on my audit triggers in Microsoft SQL Server.
Currently we are connecting to our database with a service account, but other users are authenticating and accessing the web site. When a record is changed, we want to capture the user that made the change, and not the service account used to log into the database.
The App Pool is configured to the service account and the web site is configured using Windows authentication and ASP.NET Impersonation (but this keeps getting turned off somehow).
The web.config has
<identity impersonate="true" />
and Windows authentication.
Any help would be greatly appreciated.
HI all I am developing a web API that will be using identity impersonation (using always the same functional identity valid in my domain) to check the status of configuration files of some servers. To do that, I add this to my web.config file
I also set my IIS server to neglate anonymous authentication and accept windows authentication for web service. However when I try to access the status of the files from a browser I noticed that the API is still using NT AUTHORITY\NETWORK SERVICE as the user and, of course, the access to the remote files is denied. Does anyone have an idea of what am I missing?
Thanks
My fault, forgot to set the Authentication mode to Windows in web.config
I want to let remote administrators (with local or domain credentials) control my Windows service via a WCF TCP binding. To do this, I need to authenticate the remote user as an administrator. I can check the principal user/roles, but I don't know how to prompt the remote user for the correct user details/token.
This is related to my previous question on Restricting WCF TCP endpoint to Administrators. Instead of adding [PrincipalPermission(SecurityAction.Demand, Role = "Administrator")] to my restricted service method and catching a SecurityException, it seems I can check for it with:
if (!System.Threading.Thread.CurrentPrincipal.IsInRole("Administrators"))
return MethodResult.AccessDenied;
// haven't tested if it's the service thread or the remote user yet.
How do I prompt the remote user for Windows authentication if a Access Denied result was returned so I can reinitiate the connection as a different principal?
Of course, the change would need to be effected on the remote user's client application. Perhaps there is a cleaner WCF way to do it?
Edit: Searching for ".net impersonation" led me to this on CodeProject. Haven't had a chance to look, but this may be the way to go.
You need to pass in the user's credentials with your WCF call. Normally the client application just "captures" the currently running user's credentials. Alternatively you can specify a username and password explicitly. So you could prompt the user for an alternative set of credentials if you wish.
Either way, the client app needs to prompt the user. Your WCF call should return an error (code or exception) upon authorization failure and your client should capture that return and display a prompt to the user and retry with the new credentials. WCF by itself cannot handle prompting the user.
Here is an article on various means of passing credentials:
http://blogs.msdn.com/b/sonuarora/archive/2007/04/21/setting-client-credentials.aspx
Assuming this is hosted in IIS you need to turn off anonymouse authentication in the IIS Manager. This should force the user to login to the machine using a Windows account. You may also need to enable ASP.NET Impersonation.
Here is how you can prompt the user using the standard windows dialog using pInvoke How to show authentication dialog in C# .Net 3.5 SP1
i've got a stock standard ASP.NET web site, deployed to our development machine (internal machine in our server room).
Now, this dev site can be accessed by both INTERNAL and EXTERNAL users. Now, in IIS6 we used to have it so that Anonymous Authentication was turned off and something else was turned on .. giving the users a popup model box for username and password. I think they had to type some username or password that was defined in a web.config file? (not their website account username/password)/
Now, with IIS7, when i turn Anon Auth off, and turn on Basic or Windows Auth, i get access to the site BUT it's trying to log me in with those credentials .. and not the account the user signed up with (using some stock standard asp.net webform page).
So ... is it possible to 'lock' the entire site and get the testers to get general access to the site .. which is different to their website username and password. Those usernames and passwords are for use in the site instead.
does that make sense?
cheers!
<authentication mode="Forms">
<forms loginUrl="~/Pages/Login.aspx" protection="Validation" timeout="1000000000" requireSSL="false" slidingExpiration="true" defaultUrl="Default.aspx">
</forms>
</authentication>
there is no authorization section.
also, when i add 'Digest Auth' to iis7 and enable that (and disable everythign else), i get the pop up window (kewl!) but i'm not sure what credentials i need to pass in. Where can i define those credentials manually (so they are seperate from the website's users) ??
IIS7 integrated mode does not support the two phase authentication that IIS6 does. Basically, IIS6 would perform its authentication (windows), followed by asp.net performing its authentication (forms). But with IIS7, everything is equal in integrated mode, so you can only have one or the other authentication methods.
You can either convert the app pool to use classic mode or follow this workaround to get it working with Integrated mode.