I have created an email subscription on a report. It works when email contains only the report link, but throws error when including the report. Below is the error log dump:


library!WindowsService_51!f14!06/25/2009-23:23:02:: i INFO: Schedule 7b1a2285-4bf8-4636-b6c5-eab7b618ee36 executed at 06/25/2009 23:23:02.
schedule!WindowsService_51!f14!06/25/2009-23:23:02:: Creating Time based subscription notification for subscription: f432a0c0-96a3-469a-b84c-c1abd68d640f
library!WindowsService_51!f14!06/25/2009-23:23:02:: i INFO: Schedule 7b1a2285-4bf8-4636-b6c5-eab7b618ee36 execution completed at 06/25/2009 23:23:02.
library!WindowsService_51!bec!06/25/2009-23:23:02:: i INFO: RenderForNewSession('/My Report')
library!WindowsService_51!bec!06/25/2009-23:23:02:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details., Internal error;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details. ---> System.Security.SecurityException: That assembly does not allow partially trusted callers.
at Microsoft.Samples.ReportingServices.CustomSecurity.Authorization.DeserializeAcl(Byte[] secDesc)
at Microsoft.Samples.ReportingServices.CustomSecurity.Authorization.CheckAccess(String userName, IntPtr userToken, Byte[] secDesc, ReportOperation requiredOperation)
at Microsoft.ReportingServices.Library.Security.CheckAccess(ItemType catItemType, Byte[] secDesc, ReportOperation rptOper, String reportPath)
at Microsoft.ReportingServices.Library.ReportOptionSecurityCheck.Check(Security security, ItemType itemType, Byte[] securityDescriptor, String itemPath)
at Microsoft.ReportingServices.Library.SecurityRequirements.CheckAccess(ItemType itemType, Byte[] securityDescriptor, String itemPath)
at Microsoft.ReportingServices.Library.DefinitionLoader.GetParameterDefinition(CatalogItemContext itemContext, String historyId, Boolean forRendering, SecurityRequirements requirements)
at Microsoft.ReportingServices.Library.ReportParameterDefinition.Load(CatalogItemContext itemContext, String historyId, Boolean forRendering, RSService service, SecurityRequirements requirements)
at Microsoft.ReportingServices.Library.RSService.GetReportParameters(ClientRequest session, CatalogItemContext reportContext, Boolean forRendering)
at Microsoft.ReportingServices.Library.RSServiceDataProvider.GetParameters(ClientRequest session, CatalogItemContext reportContext)
at Microsoft.ReportingServices.Library.RenderForNewSession.GetReportParameters()
at Microsoft.ReportingServices.Library.RenderForNewSession.GetReportMetadata()
at Microsoft.ReportingServices.Library.RenderForNewSession.get_ExecuteExistingSnapshot()
at Microsoft.ReportingServices.Library.RenderForNewSession.GetExecutionStrategy()
at Microsoft.ReportingServices.Library.ReportExecutionBase.InternalExecuteReport()
at Microsoft.ReportingServices.Library.ReportExecutionBase.Execute()
at Microsoft.ReportingServices.Diagnostics.CancelablePhaseBase.ExecuteWrapper()
The action that failed was:
LinkDemand
The assembly or AppDomain that failed was:
Microsoft.Samples.ReportingServices.CustomSecurity, Version=1.0.3443.8641, Culture=neutral, PublicKeyToken=null
The Zone of the assembly that failed was:
MyComputer
The Url of the assembly that failed was:
file:///C:/Program Files/Microsoft SQL Server/MSRS10.MSSQLSERVER/Reporting Services/ReportServer/bin/Microsoft.Samples.ReportingServices.CustomSecurity.DLL
--- End of inner exception stack trace ---
library!WindowsService_51!bec!06/25/2009-23:23:03:: i INFO: Exception InternalCatalogException dumped to: C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\Logfiles flags= ReferencedMemory, AllThreads, SendToWatson
library!WindowsService_51!bec!06/25/2009-23:23:03:: i INFO: Initializing EnableExecutionLogging to 'True' as specified in Server system properties.



Your help would be much appreciated.


~ Viv ~

Have you updated rssrvpolicy.config for CustomSecurity.DLL?

Thanks for posting..

Yes indeed, I have added below code in rssrvpolicy.config file:

<CodeGroup
class="UnionCodeGroup"
version="1"
Name="SecurityExtensionCodeGroup"
Description="Code group for the sample security extension"
PermissionSetName="FullTrust">
<IMembershipCondition
class="UrlMembershipCondition"
version="1"
Url="C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer\bin\Microsoft.Samples.ReportingServices.CustomSecurity.dll"
/>
</CodeGroup>

~ Viv ~

FYIwhen I use report admin to create Email subscription everything works just fine. This problem occurs specifically for all the other normal user.

Please let me know if you require any further info. Waiting for you reply.

~ Viv ~

Hi Viv,

Did you find the solution yet? I am facing exact same problem.

Thanks,
Soumitra

MSDN (http://msdn.microsoft.com/en-us/library/system.security.policy.urlmembershipcondition.url(VS.80).aspx): The complete URL is considered, including the protocol (HTTP, HTTPS, FTP) and the file.
Can you try  "file:///C|/Program Files/Microsoft SQL Server/MSRS10.MSSQLSERVER/Reporting Services/ReportServer/bin/Microsoft.Samples.ReportingServices.CustomSecurity.dll"?
Igor

Same as before:

emailextension!WindowsService_0!1fc4!02/09/2010-13:45:07:: Error sending email. Microsoft.ReportingServices.Diagnostics.Utilities.RSException: The permissions granted to user 'salesmanager@sandbox' are insufficient for performing this operation. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'salesmanager@sandbox' are insufficient for performing this operation.
   at Microsoft.ReportingServices.Library.SecurityRequirements.CheckAccess(ItemType itemType, Byte[] securityDescriptor, String itemPath)
   at Microsoft.ReportingServices.Library.DefinitionLoader.GetParameterDefinition(CatalogItemContext itemContext, String historyId, Boolean forRendering, SecurityRequirements requirements)
   at Microsoft.ReportingServices.Library.RSService.GetReportParameters(ClientRequest session, CatalogItemContext reportContext, Boolean forRendering)
   at Microsoft.ReportingServices.Library.RSServiceDataProvider.GetParameters(ClientRequest session, CatalogItemContext reportContext)

It does not look like same as before - it's about user salesmanager@sandbox not having permissons to the report, not CAS permissions as before. Make sure that subscription owner has permissons to the report as they are defined/implemented by your CustomSecurity.dll
Igor

Thanks for the reply Igor. Salesmanager@sandbox has access to the report. He can logon and run the report. He can also export the report in all supported formats. Also note that email subscription works if Include Report option is unchecked. Only when Include Report option is checked email subscription fails with this message:
Failure sending mail: The permissions granted to user 'salesmanager@sandbox' are insufficient for performing this operation.Mail will not be resent.

From the error in the trace file: access denied happens during the report rendering, when retreiving report parameter definitions. Check access here is invoked for the subscription owner, which happens to be 'salesmanager@sandbox'. I beleive this error is somehow related to your customsecurity.dll auth extention. Note that CheckAcess is invoked here under the SRRS service account, but for the user 'salesmanager@sandbox'.

Worth to note that access denied happens now after loading the customsecurity.dll, which was the orignal problem (due to CAS permissions).

Igor

Why does the problem go away if I do not attach the output (i.e., link to report works)?

If you include report link only (do not attach or embed) then report is not rendered, and you don't see this problem.
Igor 

Igor, can it be that for file attachment ReportServer uses a local folder, which the user salesmanager@sandbox does not have access to?

I don't think so. The access denied happens during the report rendering, when retreiving report parameter definitions. That is before sending email.
Igor 

Any clue as to where should I fix this? I have put debug statements in the CheckAccess methods all over in my authorization plugin, but they are not getting called when this happens.

Has anyone found a solution to this?  I'm getting the exact same error message.  I did the same as soumitraghosh and added debug statements to all CheckAccess methods, and they're not even called.  It looks like this is a bug with subscriptions & Forms auth.

library!WindowsService_0!f58!12/06/2010-13:40:06:: i INFO: RenderForNewSession('/Reports/Report Execution History')

library!WindowsService_0!f58!12/06/2010-13:40:09:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'testUser' are insufficient for performing this operation., ;

 Info: Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: The permissions granted to user 'testUser' are insufficient for performing this operation.

Looking at the execution log, I see that the report is rendered under the context of the SSRS service account.  But the AccessDeniedException is mysteriously being thrown for my testUser.

If I change the subscription owner to the SSRS admin account, it works fine.

Hello,

old post, I know, but the web is full of questioning why this happens and no one has a answer yet.

I know why (at least I think so :)). I made it work on my environment!

1. I did setup a security extension witht he sample CustomSecurity project

2. Some day I found out that subscriptions do not work any more.

3. I found out later that it worked with the Administrator user setup in the rsreportserver.config ( <Security><Configuration> which is load fromthe SetConfiguration setting.

4. The sample project show us, that we store application settings in the web.config!

I did store many parameters for my custom security extension in the web.config! All works fine in the front end and rendering reports. But when it comes to subscriptions with attachments we run into permission errors... It works with Administrator because the CustomSecurity Sample project grant access if the user the administrator! But the ReportServicesService.exe do not get the Configuration data from the web.config! Thats why all my CheckAccess() methods failed to check for the other security settings because in the web.config we store e.g. the connection string if we use to fetch against a custom database.

So you can now rewrite your code and move all configuration data from the web.config into the rsreportserver.config file.

Or you can just add your web.config application also to the /bin/ReportingServicesService.exe.config.

In my case e.g :

<configuration>
  <configSections>
    <section name="RStrace" type="Microsoft.ReportingServices.Diagnostics.RSTraceSectionHandler,Microsoft.ReportingServices.Diagnostics" />
    <!-- custom authentication start -->
    <section name="TQsoft.Windows.Products.SSRS.Authentication" type="System.Configuration.ClientSettingsSection" requirePermission="false" />
    <!-- custom authentication end -->
  </configSections>
  <!-- custom authentication start -->
  <appSettings>
    <add key="log" value="d:\informer"/>
    <add key="multi_company" value="true"/>
    <add key="default_domain" value="thor.informer.de"/>
    <add key="connection" value="database=ReportServer;server=thor;uid=sa;pwd=secret;" />
  </appSettings>
  <!-- custom authentication end -->

This is written no where and it took me a while to figure that out...

Hope that helps everyone working with custom forms authentication and SSRS.

I have more detailed information posted here: http://stackoverflow.com/questions/19271651/error-subscription-delivery-in-ssrs-with-custom-security-extension/32275202#32275202