Oct 4, 2010

SharePoint authentication mode to Reporting Servivce

SharePoint can use either "window authentication" or "Trusted Accont" authentication mode to connect its report services (essentially a web service).

in case of window authentication, it is logon user's credential flowing to RS, which is easy to understand, but implement window authentication/kerberos is generally mis-considered as difficult. For that reason, "Trusted Account" is provided as another option.

In case of trusted account, it is credential of application pool id that is passed over to RS. As RS by default allow all users, the authentication is not a problem. The challenge is, RS needs to check if the current logon user has permission to access report (essential a sharepoint list item in document library). RS doesn't have logon user's credential as it has never been passed in, but it does have SPUser object which Sharepoint impersonate on behalf of logon user. RS can achieve permission checking by using sharePoint object model.

At this point, RS can determine if the logon user has access to reports, but not report data itself. The report data access is enforced by each report's datasource:

As "trusted account" mode doesn't pass the logon user credential, the  report's credential can't use "window authentication/integrated" as shown above. In other word, only "window authentication" mode can use report's credential as "window authentication/integrated".