I have an ASP.NET application that acts a lead-in for SSRS. Both are on the same server and use Windows Authentication. When accessed from within the domain, all works as expected. But now users are accessing it directly over the internet. They are prompted for credentials when they hit the ASP.NET application, and AGAIN when they are directed to SSRS. I have put both in the same application pool, but the problem persists. Any ideas???

First, check out my blog entry that describes a serious security problem with SSPI authentication (see http://betav.com/blog/billva/2011/07/sql-server-quizjune-2011.html). Next, exposing reporting services over the Internet is even more dangerous. Since Internet users or other users that don't belong to the domain don't have domain credentials, SSRS prompts for the credentials. To address this issue, change your Data Sources to use SQL Server authentication credentials.__________________________________________________________________ William Vaughn Author, Mentor, Trainer, MVP Beta V Corporation William Vaughn's blog Hitchhikers Guide to Visual Studio and SQL Server (7th Edition) The Owl Wrangler a fantasy fiction novel Please click the Mark as Answer button if a post solves your problem!

I respectfully disagree with your concerns with SSPI. Our SSRS server has no confidential information on it, so even if an evil report writer added code to grant himself SA rights, it would be for naught.

Okay, lets' disregard the security issues. Since you're trying to grant access to users outside of the domain, you're going to have to use identity credentials to open the connection to the server. Again, I suggest SQL Server credentials that are used by all reports that access the information in question.__________________________________________________________________ William Vaughn Author, Mentor, Trainer, MVP Beta V Corporation William Vaughn's blog Hitchhikers Guide to Visual Studio and SQL Server (7th Edition) The Owl Wrangler a fantasy fiction novel Please click the Mark as Answer button if a post solves your problem!

Last I checked SQL Server accounts did not support groups to facilitate administration (granting groups of users access to certain data instead of one-by-one). One could use roles, but that's not quite the same, and I wouldn't know how to assign SQL roles to SSRS reports and report folders. We have all of this set up in active directory today, and all the groups and permissions configured. The issue is we are changing the way they access the SSRS server to be direct over the internet instead of through a VPN. In the future the login issue will be handled by SharePoint (again using active directory). So again, we are just looking for a nice way to authenticate (as opposed to the browser-generated dialog box) when a user first hits our SSRS server. Thanks.

Hi Eric, I am not very sure which authentication method is currently used. Is it Kerberos? Please kindly refer to following articles, Kerberos delegation and Windows 2008 http://www.k2underground.com/blogs/blackdoor/archive/2010/01/06/kerberos-delegation-and-windows-server-2008.aspx Using Kerberos Delegation with SSRS 2008 http://sql-ution.com/kerberos-delegation-with-reporting-services/ How to: Register a Service Principal Name (SPN) for a Report Server http://msdn.microsoft.com/en-us/library/cc281382.aspx And a white paper: Manage Kerberos Authentication Issues in a Reporting Services Environment http://download.microsoft.com/download/B/E/1/BE1AABB3-6ED8-4C3C-AF91-448AB733B1AF/SSRSKerberos.docx Hope they help. Thanks, Eileen Forum Support Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.