Jun 3, 2010

Enable Kerberos authentication for SSRS 2008

Starting from SQL 2008, IIS is elminated from Reporting Service. RS web service authenitcation mode is defined in   rereportserver.config located in C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Service\Report Server\

If SSRS is running under localsystem account, Kerberos is enabled by default, if SSRS is running under a domain account, NTLM is enabled by default. In that case, to enable kerberos you first need to make the follwoing modification:

< rswindowsnegotiate >
< /authenticationtypes >

Notice: Use rswindowsnegotiate, DON'T Use rswindowKerberos, otherwise the RS service will immediately become non-accsible.

After that, you need to register SPN for SSRS servic account in Domain Controller, and also grant Delegation right for this account ( if it is localsystem account, grant the server computer delegation right instead)

Now the RS service is Kerberos enabled, but in order to use "Window Authentication (Integrated)" in data source configuratoin, the user database must be kerberos enabled too:

 To do that, you need to register SPN for sql service account running at user sql server, but delegation for this account is NOT necessary as it is the last hop in the chain.

You can certainly don't choose "Window Authentication", but  only the window authentication can give you  security trimmed reports, while other option can't not.

At this point, you should be able to view a report from RS web serive, but if you view reports from Sharepoint document library or Report Viewer web part,  you may get a 401 error
The reuest failed with HTTP status 401: Unauthorized
In order to make it work from SharePoint, SharePoint web applications have to be Kerberos enabled, and "window authentication" is selected in the setting of "Reporting Services Integration"