Reporting Services 2008 and Windows Authentication
I have been searching through numerous blogs and MSDN/TechNet posts for the answer to this but I can't seem to find anything concrete other than 'do something different.' What I am attempting to do is set up Reporting Services to do a double hop when using Windows Authentication back to remote data sources. Here are the scenarios I am faced with so far. To the best of my knowledge I have set up the appropriate SPNs for Kerberos; the server hosting the application is set up for delegation, as is the domain service account that RS is running under. RS is running in native mode, not SharePoint integrated.

1) When the rsreportserver.config file is set to use NTLM, a user can authenticate back to the report server and a report will return the USERID for the appropriate user. When making a connection to a remote data source it tries to authenticate as NT Authority\Anonymous Logon. Obviously I am not going to set up the anonymous logon as a read-only account on the server, for security purposes. The web.config file for the report server is set to impersonate 'TRUE'; when set to false the report returns a userid of the service account RS is using, and attempts to connect to the remote data source as the service account. There would be no way to filter roles for who is able to view reports, which is also not acceptable.

2) When rsreportserver.config is set to Negotiate, the web interface from remote clients, by HOST NAME, returns the 3 logon prompts, and no matter which credentials are used it fails the logon. The event viewer for the machine returns 6 event log errors, all the same:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 10/31/2008
Time: 9:51:44 AM
User: NT AUTHORITY\SYSTEM
Computer: APPSQL01
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -

There are no usernames or machines in the error message. In addition, when accessing the report server by IP ADDRESS it allows the user to input their domain credentials and allows the user to authenticate. However, the report server still attempts to reach the remote data source as NT Authority\Anonymous Logon.

3) Regardless of which mode the authentication method is set to, when running the web interface from the server it will run the report as the appropriate user and connect to the remote data source as the same user, not as the anonymous logon.

The architects and I both agree that we should be able to double hop the credential for the user attempting to run the report and need to be able to configure this properly. Does anyone have any experience with getting this to function properly, or an explanation as to why it is not happening? If there is anything I am leaving out, please let me know. Thanks, Brad Doerle
October 31st, 2008 6:43pm

Hi Brad, NTLM won't work on the 2nd hop. What you see in 1) is expected. The logon prompts in 2) are caused by failure to authenticate to the RS server machine. Normally this is caused by misconfigured SPN. What is the url you used to access RS, what are the SPN's you configured, and what is the machine name (in case you are using host headers)? It's weird to me that the log shows NT AUTHORITY\SYSTEM was trying to log on. I can't think of a reason ...
October 31st, 2008 9:02pm

James Wu - MSFT wrote:
Hi Brad, NTLM won't work on the 2nd hop. What you see in 1) is expected. The logon prompts in 2) are caused by failure to authenticate to the RS server machine. Normally this is caused by misconfigured SPN. What is the url you used to access RS, what are the SPN's you configured, and what is the machine name (in case you are using host headers)? It's weird to me that the log shows NT AUTHORITY\SYSTEM was trying to log on. I can't think of a reason ...

James, I've tried to do this two ways, one is by server and one is by cname pointed to the server fqdn. When running a Setspn -L domain\serviceaccount I get the following HTTP entries:
http/cname
http/cname.domain.com
http/servername
http/servername:80
http/servername.domain.com
When running Setspn -L servername I get the following entries:
HOST/servername
HOST/servername.domain.com
Thanks,
October 31st, 2008 9:41pm

Does anyone know what SPN's need to be in place to make a typical scenario like this work? I can't seem to find it documented in detail anywhere. Thanks, Brad Doerle
November 3rd, 2008 4:14pm
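An added example for the SPN question above (not code from the original posts or from Microsoft): a Python checker that parses `setspn -L` output for the RS service account and the machine account and reports, for a given report URL, the HTTP SPNs that are missing, registered twice, or sitting on the wrong account, the usual causes of the three logon prompts under RSWindowsNegotiate. The setspn output, account and host names are constructed placeholders, and the rule that the short name, the FQDN and host:port variants for a non-default port should all be covered is an assumption about how clients build the SPN.

```python
from urllib.parse import urlsplit

# Constructed `setspn -L` output for the RS service account and the RS machine
# account (placeholder names, not a real domain). HTTP/reports.domain.com is
# deliberately registered on both accounts to exercise the duplicate check.
SETSPN_OUTPUT = {
    "DOMAIN\\svc_rs": (
        "Registered ServicePrincipalNames for CN=svc_rs,OU=Service,DC=domain,DC=com:\n"
        "        HTTP/reports\n"
        "        HTTP/reports.domain.com\n"),
    "DOMAIN\\APPSQL01$": (
        "Registered ServicePrincipalNames for CN=APPSQL01,CN=Computers,DC=domain,DC=com:\n"
        "        HOST/appsql01\n"
        "        HTTP/reports.domain.com\n"),
}

def parse_setspn(text):
    """SPNs from `setspn -L` output, lower-cased (SPN matching is case-insensitive)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if "/" in ln and not ln.lstrip().startswith("Registered")}

def expected_spns(url, dns_domain):
    """HTTP SPNs a browser may request for the URL: host as typed, its short and
    FQDN forms, and host:port variants for a non-default port (assumed set)."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    if host.replace(".", "").isdigit():   # IPv4 literal: Kerberos needs a name
        return None
    short = host.split(".")[0]
    names = {host, short, f"{short}.{dns_domain}"}
    if parts.port and parts.port not in (80, 443):
        names |= {f"{n}:{parts.port}" for n in list(names)}
    return {f"http/{n}" for n in names}

def check_spns(url, dns_domain, service_account, setspn_output=SETSPN_OUTPUT):
    """SPNs for the URL that are missing, duplicated, or on the wrong account."""
    wanted = expected_spns(url, dns_domain)
    if wanted is None:
        return ["ip-address url: no SPN applies, client falls back to NTLM"]
    registered = {acct: parse_setspn(txt) for acct, txt in setspn_output.items()}
    problems = []
    for spn in sorted(wanted):
        holders = sorted(a for a, spns in registered.items() if spn in spns)
        if not holders:
            problems.append(f"missing: {spn}")
        elif len(holders) > 1:
            problems.append(f"duplicate: {spn} on {', '.join(holders)}")
        elif holders[0] != service_account:
            problems.append(f"wrong account: {spn} on {holders[0]}")
    return problems
```

Run it against the real `setspn -L` output for the RS service account and the RS machine account, once per URL form users actually type (CNAME, host name, FQDN).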

Brad... We are running SSRS on SQL 2008 - also non-integrated SharePoint on other servers where we post links to SSRS Reports. We also have various web applications that have either Report Viewers or Links to reports. Kerberos is the primary authentication and the databases are in the two hop scenario. It took us a while with SQL 2005 SSRS to get it all working the way we wanted it. Recently we did an in place upgrade to SQL 2008 on the SSRS box and haven't had any issues other than having to tweak the reportserver config file because IIS was eliminated from the equation. The best resource I've found for sorting through the various possible Kerberos scenarios is actually a Microsoft CRM doc. We don't use CRM - but if you use the doc to define the right steps for whichever scenario(s) you are dealing with, it had all the answers and the steps to do the service principals, etc... http://www.microsoft.com/downloads/details.aspx?FamilyID=51bf9f20-bd00-4759-8378-b38eefda7b99&DisplayLang=en

My SSRS box - just FYI - has the following in rsreportserver.config...
<AuthenticationTypes><RSWindowsNegotiate/></AuthenticationTypes>
And the web.config - system.web includes ...
<authentication mode="Windows" />
<identity impersonate="true" />

In our environment we use specific delegation - not "all services" - so we have MSSQLSvc delegation entries for each back end SQL server which is used in reporting. You may prefer (or have requirements which allow) the more wide open trust Kerberos delegation for all services, but our environment was rather restrictive. At any rate - I agree there is very little good documentation on the topic searching through the SQL side of things, but the CRM doc had everything we needed - it's just not a doc that's where we could find it easily... :-) -- Lou
November 3rd, 2008 9:17pm

If the problem is the machine name, are you correctly configured to ensure the machine itself thinks the names are correct? A similar problem is encountered when using a loopback connection. See my blog post on this: http://blogs.msdn.com/lukaszp/archive/2008/07/18/reporting-services-http-401-unauthorized-host-headers-require-your-attention.aspx Hope that helps, -Lukasz
November 3rd, 2008 9:47pm

I am not sure whether SSRS can impersonate the user's credential to a specific user specified in web.config such as: SSRS box - just FYI - has the following in rsreportserver.config...
<AuthenticationTypes>
<RSWindowsNegotiate/>
<RSWindowsNTLM/>
</AuthenticationTypes>
And the web.config - system.web includes ...
<authentication mode="Windows" />
<identity impersonate="true" username="domain/userid" password="mypassword" />
Instead of configuring Kerberos authentication, can I impersonate Windows authentication to the userid specified in the web.config?
June 24th, 2010 9:00am

Brad, Did you ever get to a resolution on this? I am experiencing your exact issue right now and have not been able to get the SPNs configured correctly. Thanks, Bo
September 30th, 2010 3:40am

