Reporting Services Forms Authentication and group permissions
Hello all, I have spent some time getting Forms Authentication working with 2008 (R2) I have one final problem left that is causing intense frustration... The working bits: a) Built and tested the required extension - thanks to a combination of old Microsoft example supplemented by the one from chapter 19 of Teo Lachev's book, supplemented by Brian Lawson's book. b) used existing user/group structures in the db to implement role level permissions c) Can now grant rights to usernames and the usernames validated against our db, they can log in fine and run reports. d) Nice customised login screens that login across the application and Reporting Services with a single login - which was the primary aim after all! e) can grant rights to folders at group level and granting/revoking those rights adds or removes the folders in ReportManager - all looking wonderful The last hurdle: If I grant permissions to a specific username (we use email address as the username) then that user can log in to ReportManager fine and see what they should see, so it seems like the bulk of the authentication and authorisation extension logic is OK. If I grant the exact same permission to a role, and make a login a member of that role (removing the specific username permission) then they can access the reportmanager home page but can see no child folders from it. The crazy thing is even if I force every CheckAccess method in the Authorization extension to return true, they STILL cannot see anything in ReportManaager unless their username is granted permissions specifically, however access to the ReportServer url seems to be correctly honouring the permissions I have set up, which makes me think the right permissions are being returned from the extension, but we have hit a ReportManager problem. It is almost as though something in ReportManager is checking the access at the username level before it even calls the CheckAccess overloads in the Authorization extension. Now I can work round this by putting the usernames in roles AND adding them specifically to the home page permission but that partially defeats the purpose of the role-based authorisation. If anyone has successfully got this working it would be great to know, it is obviously difficult to post the entire code of this one due to the large number of steps needed to set it all up. Similarly if anyone can confirm they also cannot make this last bit work that would confirm I have not gone crazy, and stop me worrying about it! Many Thanks Mike John
September 28th, 2010 7:30pm

Very interesting thread. Please open a bug on http://connect.microsoft.com and if this is delaying your production release, consider calling our Customer Support Services. Using connect will allow us to track this issue more formally. I'm assuming you have put a breakpoint in CheckAccess to see if it is being called? Also I assume that you have verified that the authentication cookie was actually sent on the request to the next folder in Report Manager. And finally, did you perhaps check whether the authentication cookie is being sent correctly to the report server by report manager? Thanks, -LukaszGot a bug or feature request? Tell me about it at http://connect.microsoft.com. This posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
October 6th, 2010 6:09am

Thanks for the reply, It is not holding up production as at the moment there are a limited number of people so even though the code was intended to handle group permisions it is not too difficult to grant individually. I will revisit the points you suggest and check everything is correct before I post it to connect if I cannot resolve it. Many thanks Mike
October 12th, 2010 5:34pm

Hello, I run into the same situation. So far I can see that windows security groups are also stored in the Users table. They get their own UserId and all roles and policies are handled the same. So a form based security auth module I can logon using my own UIlogon.aspx. Username and password will work, but after succesful logon the SSRS take over. I am checking against a sql database table atm. 1. Do I have to replace this against checking against the AD using system.directoryservices and then security groups will work or 2. With own security module I will really need to take care of the groups, too, which would be awful :) Many thanks for update infos. YvesKind regards, Yves Rausch
Free Windows Admin Tool Kit Click here and download it now
January 3rd, 2011 12:52pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics