Not able to get current Windows user in RS2005 (but same code works for RS2000)
We use the following custom code (checkGroupMembership.dll) to get the identity of the current Windows user and then check if the user is part of a certain group (roleName in code below).

    using System.Security.Permissions;
    using System.Security.Principal;

    // Assert ControlPrincipal so callers higher on the stack need not hold it.
    SecurityPermission perm = new SecurityPermission(SecurityPermissionFlag.ControlPrincipal);
    perm.Assert();
    // Identity of the thread token if impersonating, otherwise of the process token.
    WindowsIdentity wi = WindowsIdentity.GetCurrent();
    WindowsPrincipal cPrincipal = new WindowsPrincipal(wi);
    isMember = cPrincipal.IsInRole(roleName);

The code above behaves differently for RS2000 vs. RS2005. Both RS2000 and RS2005 are installed on the same server. If I use the following code to check the WindowsPrincipal name, I get the expected result (my Windows login ID) when called from a report in RS2000, but for RS2005 I get the user ID of Reporting Services.

    cPrincipal.Identity.Name.ToString();

I have checked rssrvpolicy.config (for both RS2000 and RS2005) and it has the same permission for checkGroupMembership.dll. Any suggestions on why the same code will get a different WindowsIdentity? Where should I look next? Any help would be greatly appreciated. Thanks!!!
October 13th, 2010 12:34am
Sounds like it's an SSRS config issue - the reports are set up to run under RS in 2005 and under user in 2000. Rgds Geoff
October 13th, 2010 1:16am
Geoff, thanks for the reply! How can I check what user the reports are set up to run under? Is it in rsreportserver.config? Thanks!
October 13th, 2010 5:57pm
At a system level it may be in reportserver.config - if all looks ok there then check the data source set up for how the credentials are being passed through. If that looks ok, how are the reports being called? Report Manager / url or from VB/ASP.net app? Rgds Geoff
October 14th, 2010 4:20am
There are the following differences in rsreportserver.config in RS2000 and RS2005 related to "user":

RS2000:

    ...
    <ConnectionType>Impersonate</ConnectionType>
    <LogonUser>[encrypted value removed]</LogonUser>
    <LogonDomain>[encrypted value removed]</LogonDomain>
    <LogonCred>[encrypted value removed]</LogonCred>
    ...

RS2005:

    ...
    <ConnectionType>Default</ConnectionType>
    <LogonUser></LogonUser>
    <LogonDomain></LogonDomain>
    <LogonCred></LogonCred>
    ...
    ...
    <WebServiceAccount>DTA\ibsbiqa</WebServiceAccount>
    <IsWebServiceEnabled>True</IsWebServiceEnabled>
    <FileShareStorageLocation>
        <Path></Path>
    </FileShareStorageLocation>
    ...

Using the Reporting Services Configuration GUI I can see that RS2005 Windows Service Identity is set to use Windows account DTA\ibsbiqa. The other option I see is Built-in Account (with dropdown options "Local System", "Network System" and "Local Service"). I am wondering if I should select one of these options. Don't want to try it until I am sure. Is there a way (a GUI or something) to check what user RS200 is set to run as? The rsconfig command line utility doesn't really tell anything and the config file (shown above) doesn't help either. And I am running the reports using Report Manager. Thanks!!!
October 14th, 2010 6:14pm
I think you have your answer right there:

    RS2000: ... <ConnectionType>Impersonate</ConnectionType>
    RS2005: ... <ConnectionType>Default</ConnectionType>

Set the RS2005 connection type to impersonate and it should fix the issue. Rgds Geoff
October 15th, 2010 12:55am
Geoff, I used "Reporting Services Configuration Manager" to change the credential type in Database setup to "Windows Credential". This step updated the ConnectionType tag to impersonate as you suggested, but it didn't fix my problem. The reports still run under the same user. It seems like the reports run using the ASP.NET Service Account shown in the "Web Service Identity" tab. Do you know how to change that? Thanks!
October 18th, 2010 9:36pm
Ok - so you've changed the top level and that hasn't had the required effect, so how about the level down? How are the data sources that are being used set up? Rgds Geoff
October 19th, 2010 12:56am
RS2005 data source setup:

    Connection Type: ODP
    Connection String: USER ID=****;PASSWORD=****;DATA SOURCE=DEVRDW;Enlist=no;Persist Security Info=no;Pooling=yes;Connection Lifetime=20;Max Pool Size=25;Min Pool Size=5;
    Connect Using: Windows Integrated Security

RS2000 data source setup:

    Connection Type: Oracle
    Connection String: data source=dwdev
    Connect Using: Credentials stored securely in the report server.
    User name: ****
    Password: ****

I changed the RS2005 data source to the following so it could match RS2000 data source but that didn't help.

    Connection Type: Oracle
    Connection String: data source=devrdw
    Connect Using: Credentials stored securely in the report server.
    User name: ****
    Password: ****

Thanks!!!
October 19th, 2010 6:54pm
Ok - Unfortunately I don't have a copy of RS here I can mess about with so I'm a little stuck for further ideas. You mentioned:

"Using the Reporting Services Configuration GUI I can see that RS2005 Windows Service Identity is set to use windows account DTA\ibsbiqa. The other option I see is Built-in Account (with dropdown options "Local System", "Network System" and "Local Service"). I am wondering if I should select one of these options. Don't want to try it until I am sure."

I think that's going to have to be your next port of call, but I'd be lying if I said I knew which one to choose without being able to fiddle around in my own version. Sorry I can't be of more help. Rgds Geoff
October 20th, 2010 1:03am
I tried that already... changed Windows Service Identity to "Local System", "Network System" and "Local Service" but that didn't work either. I think I am going to give up trying to impersonate the account the reports run as. But instead I will try to find a different approach to check if the user is a member of a Windows group. Thanks for your suggestions and time!!!
October 20th, 2010 8:19pm
Do you use Active Directory? If so an LDAP query should be able to return the groups that a user is a member of... Rgds Geoff
October 21st, 2010 2:33am
Can you give an example of such a query? I am not able to figure out how to query AD. Thanks!
October 21st, 2010 5:37am
Not done it direct from SSRS before - just through ADO in code. This is an example of what I used:

    SELECT Department, Title, sAMAccountName FROM 'LDAP://dc=corphq,dc=co,dc=uk' WHERE objectCategory='user'

sAMAccountName was the userID so could use

    SELECT WindowsMemberShipField FROM 'LDAP://dc=corphq,dc=co,dc=uk' WHERE objectCategory='user' AND sAMAccountName = @UserID

Could then just use instr to check for a specific group in the list of groups. Rgds Geoff
October 21st, 2010 5:55am
This link should give you an idea of the hoops you may need to jump through: http://weblaunch.nl/?p=21 A simpler solution may actually be to export certain AD fields to a SQL table on a nightly basis - then you can just use a bog standard query. Rgds Geoff
October 21st, 2010 5:58am
Geoff, I am using Oracle database and hence couldn't make use of the article you mentioned above. BUT, your idea of connecting to LDAP to query AD is great!!!! I ended up using the DBMS_LDAP package in Oracle to get members of the group I was interested in and compared them to the User global variable in Reporting Services to resolve my issue. Thanks a lot for all the suggestions you made!!!!! Regards, Chetarth
October 26th, 2010 5:48pm
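Added example, not code from any poster in this thread: the thread suggests using InStr to look for a group name in the list of groups returned from AD, but a substring test also matches any group or OU whose name merely contains the target, so this C# helper compares the leading CN of each group DN exactly. The class and method names, the group name "Report Admins" and the sample DNs are constructed for illustration; the input is assumed to be a list of group DNs such as the values of the memberOf attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

public static class GroupCheck   // hypothetical helper, not the poster's checkGroupMembership.dll
{
    // Leading CN of a DN with escapes decoded: "CN=Smith\, Jo,OU=Staff" -> "Smith, Jo".
    // Returns null when the DN does not start with CN=.
    public static string LeadingCn(string dn)
    {
        if (dn == null || !dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase)) return null;
        StringBuilder cn = new StringBuilder();
        List<byte> hex = new List<byte>();                     // pending \XX escapes (UTF-8 bytes)
        for (int i = 3; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 2 < dn.Length && Uri.IsHexDigit(dn[i + 1]) && Uri.IsHexDigit(dn[i + 2]))
            {
                hex.Add(Convert.ToByte(dn.Substring(i + 1, 2), 16));
                i += 2;
                continue;
            }
            if (hex.Count > 0) { cn.Append(Encoding.UTF8.GetString(hex.ToArray())); hex.Clear(); }
            if (c == ',' || c == '+') break;                   // unescaped separator ends the CN value
            if (c == '\\' && i + 1 < dn.Length) c = dn[++i];   // single-character escapes such as \, and \+
            cn.Append(c);
        }
        if (hex.Count > 0) cn.Append(Encoding.UTF8.GetString(hex.ToArray()));
        return cn.ToString();
    }

    // True only when some group DN has exactly this CN (case-insensitive).
    public static bool IsInGroup(IEnumerable<string> memberOfDns, string groupCn)
    {
        foreach (string dn in memberOfDns)
            if (string.Equals(LeadingCn(dn), groupCn, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    public static void Main()
    {
        // Constructed group DNs; neither one is the group "Report Admins".
        string[] memberOf = { "CN=Report Admins Readonly,OU=Groups,DC=corphq,DC=co,DC=uk",
                              "CN=Staff,OU=Report Admins,DC=corphq,DC=co,DC=uk" };
        Console.WriteLine(string.Join(";", memberOf).IndexOf("Report Admins") >= 0); // InStr-style substring test
        Console.WriteLine(IsInGroup(memberOf, "Report Admins"));                     // exact CN comparison
    }
}
```

A CN is only unique within its container, so where the group's full DN is known, comparing whole DNs case-insensitively is stricter than comparing CNs.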