the pita... we got 2 servers, both are win 2008; iis 7 win app (asp.net), ssrs+db on another (10.50.1600.1) we got a web app that will invoke the ssrs web serive. using ntlm it worked fine if i test it on the web/app server if i test from another pc/client, it failed with 401 i been digged through the net, gone through the help, all this telling me its the double hop issue with ntlm I follow all the guides, ensure asp.net impersonate is on, auth are windows/ntlm chk the config of the ssrs, using RSNego + RSNTLM the ssrs is running with LocalSys even test and trial with bunch of stuffs, nothing worked, the diff is I may get err 500 with a specific config test, but the rest are just come back 401 the only thin i didn't tried: - using the admin script to set NTLM for all the web sites on ssrs i don't want it affect any other sites, doesn't look correct way to do it - the setspn afaik, this only applicaple if i using specific nt domain acct, but the ssrs is running with localSys, I try with NetworkSvc but got issue with providing pwd, so i skip this NetworkSvc trial I'm not the network admin, I presume the Kerberos is atwork. is there a way i test whether is the K is working?

You should be able to find out in the event viewer of the IIS server whether authentication is through Kerberos, but I doubt that's the case. Assuming NTLM, yes, you have a double hop issue. NTLM simply won't allow the user credentials to be passed beyond the first hop. If you want to use Kerberos, you'll also need to setup delegation of identities to make sure identities can be delegated from IIS to SSRS. This would be a hard route because it requires domain admin privileges. You can also just hard code one single user's credentials for access to the SSRS web service from IIS. This doesn't let you fine-tune your access permissions with the different users, but it does make your second hop another first hop, which eliminates your problem. If you absolutely need to impersonate, then I'm afraid Kerberos is the only route.Cephas Lin This posting is provided "AS IS" with no warranties.

our sys admin has enable the trust delegation for the kerberos on the 2 servers over http services. then i modified the ssrs config rsreportserver.config to test with only RSKerberos, or RSWindowsNTLM (2 diff setup) but still no good, anonymous id is being used. the next steps to diagnostic the kerberos thing is just plain tedious, as this a product we developing, we dont want customer to suffer over this. our next plan, deploy ssrs same box as the web/app. initial test result is positive. we will stick to this workaround.