If SSRS is running under localsystem account, Kerberos is enabled by default, if SSRS is running under a domain account, NTLM is enabled by default. In that case, to enable kerberos you first need to make the follwoing modification:
<authenticationtypes>
< rswindowsnegotiate >
< /authenticationtypes >
Notice: Use rswindowsnegotiate, DON'T Use rswindowKerberos, otherwise the RS service will immediately become non-accsible.
After that, you need to register SPN for SSRS servic account in Domain Controller, and also grant Delegation right for this account ( if it is localsystem account, grant the server computer delegation right instead)
Now the RS service is Kerberos enabled, but in order to use "Window Authentication (Integrated)" in data source configuratoin, the user database must be kerberos enabled too:
To do that, you need to register SPN for sql service account running at user sql server, but delegation for this account is NOT necessary as it is the last hop in the chain.
You can certainly don't choose "Window Authentication", but only the window authentication can give you security trimmed reports, while other option can't not.
At this point, you should be able to view a report from RS web serive, but if you view reports from Sharepoint document library or Report Viewer web part, you may get a 401 error
The reuest failed with HTTP status 401: UnauthorizedIn order to make it work from SharePoint, SharePoint web applications have to be Kerberos enabled, and "window authentication" is selected in the setting of "Reporting Services Integration"
