Tuesday, April 09, 2013

SharePoint and SSRS (integrated mode) gotch-a

Hey People,

hit a doozie recently.  Set up SharePoint 2007 with SSRS 2008R2 (using the SSRS 2008 add-in) in Integrated mode, on the same server (accessing SQL 2008R2 DB and SSAS 2008R2 on another server).

Got all the Kerberos sorted (a mission as usual) and then found that somewhere between SharePoint and SSRS the users credentials were being cached, so that every user appears in SSRS as the first user to login (until the session timesout).

Turns out, there's a little flag in the rsreportserver.config file:

false

By default it's set to true and the documentation says to set it to false when you've got a proxy sitting between your user and the SSRS server. Actually, it gets worse than that. the rsreportserver.config file has EnableAuthPersistence with an E, however the documentation refers to EnableAuthPersistance with an A. (I've logged a community addition to the page to get this rectified)

So, while SharePoint technically isn't a proxy and the Kerberos should be taking care of the user context, turns out, you need to set EnableAuthPersistence to false and have every connect to the SSRS server authenticated, as SharePoint re-uses it's connections to SSRS and doesn't seem to force new credentials.  The down side: every request is now done twice, once anonymously and then again with the correct user credentials.

Thanks to Ning at Microsoft Premier Support for figuring this out for me and I look forward to hearing if this is a bug in SP, SSRS or Kerberos or "by design" :)

Oh, better check my SP2010 instances to see if they suffer the same issue.

Later'ish
Craig

Update: Ning wasn't really able to expand on the "why", other than to say:
"If we set “EnableAuthPersistence” to False, it means the reporting service will not cache the previous authentication result. So we can see 401 challenge happens in new http log, it is required by each new authentication, which is an expected behavior. Our user account should be delegated by service accounts rather than server, so even though we have SSRS and SP installed in the same server, the authentication will go through all identities of the services in server."