Thanks for the reply irusul! Is there any method for setting a default domain with RSWindowsNegotiate? Can I make a form that appends the static domain to their username prior to submission or something like that? Thanks!

I've redirected this question over to the Security section of the forum: http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/389139fe-9aa7-4814-b077-27b532826313

@irusul Why is RSWindowsNegotiate the best? Can you elaborate?

From what I've seen, I need to have <RSWindowsBasic> as the exclusive authentication type in order to ensure users do not have to enter their domain name. I could be wrong! Is there another way of doing this? <Custom>? Forms based authentication? Prayer?

Hi All, We have initially set our authentication type to <RSWindowsBasic> to take advantage of the <DefaultDomain> attribute that is exclusively available through this method. We have low low low low level external users/clients who would never be able to understand that they would need to change from the default user and write domain\username. This was working fine until we recently started to install MS CRM 2011 which required that we insert the <RSWindowsNegotiate> tag in our authentication scheme. I'm new to authentication so I figured I'd give it a shot and I inserted the <RSWindowsNegotiate> tag over the <RSWindowsBasic> tag. This allowed CRM to interface with our Report Server, but left our poor users scratching their heads and tapping at the screen at the prospect of inserting the domain once again. I've since removed the <RSWindowsNegotiate> tag to get the users back on track, but I'm going to need a solution that will keep login simple as well as allow CRM to jive with the report server. My question is this: What authentication method is best for me? I've been looking into Custom Authentication/Forms Based Authentication (are they the same thing?) and it looks like a very complicated ordeal. All of my users have windows profiles/passwords established on our domain in our Active Directory, and I'm unsure if Custom authentication allows you to authenticate against Windows credentials (what I've read so far points toward the creation of a credentials database on the SQL server to authenticate against). I'm also unsure if Custom authentication even allows you to specify a default domain or if I'd be able to include whatever CRM "needs" from the <RSWindowsNegotiate> method. Thank you for reading my long post! I appreciate any input you may have to offer! - Jim **EDIT: We're using SQL 2008 R2

The best authentication mode in my opinion is RSWindowsNegotiate.

From what I've seen, I need to have <RSWindowsBasic> as the exclusive authentication type in order to ensure users do not have to enter their domain name. I could be wrong! Is there another way of doing this? <Custom>? Forms based authentication? Prayer?

Thanks for the reply irusul! Is there any method for setting a default domain with RSWindowsNegotiate? Can I make a form that appends the static domain to their username prior to submission or something like that? Thanks!

I've redirected this question over to the Security section of the forum: http://social.msdn.microsoft.com/Forums/en/sqlsecurity/thread/389139fe-9aa7-4814-b077-27b532826313

@irusul Why is RSWindowsNegotiate the best? Can you elaborate?

"Using RSWindowsNegotiate is your best option because it provides the greatest flexibility for multiple clients in an intranet environment. Although a domain administrator needs to configure Kerberos authentication, using it is advantageous because the authenticated identity is retained without passing credentials from server to server in a distributed environment, which is an effective defensive security measure. NTLM authentication allows clients to connect to the report server securely, but it doesn't allow the report server to forward credentials to another server when external data sources are associated with reports." http://technews.tmcnet.com/news/2012/01/31/6089038.htm

"Using RSWindowsNegotiate is your best option because it provides the greatest flexibility for multiple clients in an intranet environment. Although a domain administrator needs to configure Kerberos authentication, using it is advantageous because the authenticated identity is retained without passing credentials from server to server in a distributed environment, which is an effective defensive security measure. NTLM authentication allows clients to connect to the report server securely, but it doesn't allow the report server to forward credentials to another server when external data sources are associated with reports." http://technews.tmcnet.com/news/2012/01/31/6089038.htm

Thanks for the informative article irusul! After reading this detailed article, I'm pretty sure I'm screwed. I have an internet facing deployment that benefits from the RSWindowsBasic authentication method's ability to display the report manager on multiple browsers (including safari, firefox and mobile device browsers) and authenticate with a default domain. I also require the advanced authentication features afforded by RSWindowsNegotiate for my upcoming MS CRM deployment. Of course, these two methods are mutually exclusive. This is ridiculous! They paint you into a corner for internet facing systems to where you have to use RSWindowsBasic, and that cuts off your ability to use anything else alongside it? It seems I have to choose between EITHER smooth access to the system via internet connections OR implementing our new MS CRM system. This is a terrible system.