ADX39655
How can I resolve my issues with Reporting Services and SharePoint 2010 Integration?
Hello,
I have built a SharePoint 2010 Farm with an application server, 2 web front end servers, and two SQL servers (one for the main SharePoint Data, and one for Reporting Services). I am able to configure the Reporting Services Integration and I believe I can add a Report Server to the Integration as it accepts my server name and instance. The problem is when I click on the next section to Set Server Defaults, or if I go to Site Settings and click on any of the links for Reporting Services, I get the following error:
The request failed with HTTP status 401: Unauthorized.
I looked at the correlation ID in the ULS Logs and get the following:
Exception encountered for SOAP method GetSystemProperties: System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SetConnectionProtocol()
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper`1.ExecuteMethod(Boolean setConnectionProtocol)
I looked around the Internet for similar issues and many people were mentioning Kerberos being misconfigured. I spent some time going over my SPN configurations and everything seemed to be set up. I am by no means an expert when it comes to Kerberos so I could be mistaken though.
As a final test to try and rule out Kerberos as a culprit, I changed the configuration in the Reporting Services Integration from using the URL with the FQDN of the Reporting Server, to the URL with the IP address of the Reporting Server as I understand that would use NTLM to authenticate. Once I made the changes and clicked on the links, I was still getting the same error on the screen and in the ULS logs.
I can successfully access the Web Service URL listed in Reporting Services Configuration Manager, and when I enter that URL into the Reporting Integration section of Central Admin everything checks out okay.
So far, the only way I have been able to get reporting to load without the errors is to change the configuration in the Reporting Services Integration area to use a Trusted Account instead of Windows Authentication.
Does anyone have any ideas as to what I may have done wrong, or not done that might fix this issue?
ASKER
Here is what I currently have for my SPN configurations
SQL Service Account
MSSQLSVC/appprojsql2p:1433
MSSQLSVC/appprojsql2p.mydomain.com:1433
MSSQLSVC/appprojsql1p:1433
MSOLAPSvc.3/approjsql2p:ProjectSSRS
MSOLAPSvc.3/approjsql2p.mydomain.com:ProjectSSRS
MSSQLSVC/appprojsql1p.mydomain.com:1433
SQL Reporting Service Account
HTTP/appprojsql2p.mydomain.com
HTTP/appprojsql2p
HTTP/appprojsql1p.mydomain.com
HTTP/appprojsql1p
IIS Service Account
http/appprojweb2p
http/appprojsvr1p.mydomain.com
http/appprojweb2p.mydomain.com
http/appprojweb1p
http/appprojweb1p.mydomain.com
http/appprojsvr1p
http/schedule.mydomain.com
http/schedule
If I did something wrong with this setup please let me know as I am very new to Kerberos.
Did you try to configure trust for delegation for web parts? You can find the detail in the following KB: http://support.microsoft.com/default.aspx?scid=kb;EN-US;832769
Your SQL connections need some changes.
setspn -d MSSQLSvc/appprojsql2p:1433 [domain\account]
setspn -d MSSQLSvc/appprojsql1p:1433 [domain\account]
setspn -a MSSQLSvc/appprojsql2p.mydomain.com [domain\account]
setspn -a MSSQLSvc/appprojweb1p.mydomain.com [domain\account]
ASKER
Not sure which was the fix...the loopback changes or adding the delegation but it cleared up my errors.
**Your app server**
setspn -a HTTP/app01.yourdomain.com domain\serviceaccount
setspn -a HTTP/app01 domain\serviceaccount
**Your web server**
setspn -a HTTP/web01.yourdomain.com domain\serviceaccount
setspn -a HTTP/web01 domain\serviceaccount
**Your reporting server**
setspn -a HTTP/web02.yourdomain.com domain\serviceaccount
setspn -a HTTP/web02 domain\serviceaccount
**Your sql servers** Note that you will need to specify the port for a named instance, default is port 1433 - my example assumes instance on port 58180
setspn -a MSSQLSvc/DB01.yourdomain.c
setspn -a MSSQLSvc/DB01.yourdomain.c
setspn -a MSSQLSvc/DB02.yourdomain.c
setspn -a MSSQLSvc/DB02.yourdomain.c
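The short-name/FQDN pairing registered in the reply above can be checked offline against the SPN list the asker posted earlier in the thread. This is an added example, not code from any participant: `parse_spn`, `lint` and `KNOWN_HOSTS` are hypothetical names, and the expected host list is an assumption inferred from the server names in the thread.

```python
from collections import defaultdict

DOMAIN = "mydomain.com"
# Expected servers and aliases: an assumption inferred from names in the thread.
KNOWN_HOSTS = {"appprojsvr1p", "appprojweb1p", "appprojweb2p",
               "appprojsql1p", "appprojsql2p", "schedule"}
# SPNs retyped from the asker's post, keyed by the account labels used there.
INVENTORY = {
    "SQL Service Account": [
        "MSSQLSVC/appprojsql2p:1433", "MSSQLSVC/appprojsql2p.mydomain.com:1433",
        "MSSQLSVC/appprojsql1p:1433", "MSSQLSVC/appprojsql1p.mydomain.com:1433",
        "MSOLAPSvc.3/approjsql2p:ProjectSSRS",
        "MSOLAPSvc.3/approjsql2p.mydomain.com:ProjectSSRS"],
    "SQL Reporting Service Account": [
        "HTTP/appprojsql2p.mydomain.com", "HTTP/appprojsql2p",
        "HTTP/appprojsql1p.mydomain.com", "HTTP/appprojsql1p"],
    "IIS Service Account": [
        "http/appprojweb2p", "http/appprojweb2p.mydomain.com",
        "http/appprojweb1p", "http/appprojweb1p.mydomain.com",
        "http/appprojsvr1p", "http/appprojsvr1p.mydomain.com",
        "http/schedule", "http/schedule.mydomain.com"],
}

def parse_spn(spn):
    """Split 'class/host[:port-or-instance]'; SPNs compare case-insensitively."""
    svc, _, rest = spn.partition("/")
    host, _, qualifier = rest.partition(":")
    return svc.lower(), host.lower(), qualifier.lower()

def lint(inventory, domain=DOMAIN, known_hosts=KNOWN_HOSTS):
    """Return sorted (kind, detail) findings: duplicate, unpaired, unknown-host."""
    owners, forms, findings = defaultdict(set), defaultdict(set), set()
    suffix = "." + domain
    for account, spns in inventory.items():
        for spn in spns:
            svc, host, qualifier = parse_spn(spn)
            short = host[:-len(suffix)] if host.endswith(suffix) else host
            owners[(svc, host, qualifier)].add(account)
            forms[(account, svc, short, qualifier)].add(host == short)
            if short not in known_hosts:  # host matches no expected server
                findings.add(("unknown-host", short))
    for (svc, host, qualifier), accounts in owners.items():
        if len(accounts) > 1:  # an SPN must map to exactly one account
            tail = f":{qualifier}" if qualifier else ""
            findings.add(("duplicate", f"{svc}/{host}{tail}"))
    for (account, svc, short, qualifier), seen in forms.items():
        if seen != {True, False}:  # only the short or only the FQDN form exists
            findings.add(("unpaired", f"{account}: {svc}/{short}"))
    return sorted(findings)
```

On the posted list, `lint(INVENTORY)` reports only the host name in the two `MSOLAPSvc.3` entries, which is spelled differently from the other SQL server names in the same post.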