Hi there,

I wanted to see if anyone with experience servicing SSRS security can help me understand the NTLM and Negotiate. The current account that my group is using to run SSRS services is NT Service and for lab use only. For best practice and security, what is the best option? Also, can we enable both?

current setup:

<Authentication>

              <AuthenticationTypes>

                     <RSWindowsNegotiate/>

                     <!--<RSWindowsNTLM/>-->

              </AuthenticationTypes>

              <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>

              <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>

              <EnableAuthPersistence>true</EnableAuthPersistence>

       </Authentication>

• Edited by mcolli00 14 hours 56 minutes ago

Hi mccolli00,

Generally, Reporting Services accepts requests that specify Negotiate or NTLM authentication. If your deployment includes client applications and browsers that use these security providers, you can use the default values without additional configuration.

By default, the RSReportServer.config file includes the RSWindowsNegotiate setting if the Report Server service account is either NetworkService or LocalSystem; otherwise, the RSWindowsNTLM setting is used. You can add RSWindowsKerberos if you have applications that only use Kerberos authentication.

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the accoun. See more information:Configure Windows Authentication on the Report Server

More details information:
Understanding SQL Server Reporting Services Authentication
Authentication Types in Reporting Services

If you still have any problem, please feel free to ask.

Regards,
Vicky Liu

If you have any feedback on our support, please click here