Graham Hirst
asked on
SSRS cant open report builder - authentication error
Hi Experts,
I hope you can help me with this?
I recently built and SQL Server Reporting Service. All was working fine, but i needed it to work over HTTPS. Unfortunately when attempting to browse HTTPS it kept prompting me for credentials, but would not accept any (this is despite me being an administrator, sysadmin and explicitly referenced as a SSRS administrator
I did some googling and found you could change the manor of authentication via the following link
https://technet.microsoft.com/en-us/library/cc281309(v=sql.105).aspx
I was able to change authentication to basic and it worked. i could use HTTPS and login with my credentials. But now i've hit a new snag. Now when ever i open the report builder i get the following error
"Cannot retrieve application. Authentication error"
Details revel the following
"PLATFORM VERSION INFO
Windows : 6.1.7601.65536 (Win32NT)
Common Language Runtime : 4.0.30319.18444
System.Deployment.dll : 4.0.30319.34244 built by: FX452RTMGDR
clr.dll : 4.0.30319.18444 built by: FX451RTMGDR
dfdll.dll : 4.0.30319.34244 built by: FX452RTMGDR
dfshim.dll : 4.0.41209.0 (Main.041209-0000)
SOURCES
Deployment url : http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application resulted in exception. Following failure messages were detected:
+ Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
+ The remote server returned an error: (401) Unauthorized.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
* [28/08/2015 08:34:46] : Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application has started.
ERROR DETAILS
Following errors were detected during this operation.
* [28/08/2015 08:34:46] System.Deployment.Applicat ion.Deploy mentDownlo adExceptio n (Unknown subtype)
- Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
- Source: System.Deployment
- Stack trace:
at System.Deployment.Applicat ion.System NetDownloa der.Downlo adSingleFi le(Downloa dQueueItem next)
at System.Deployment.Applicat ion.System NetDownloa der.Downlo adAllFiles ()
at System.Deployment.Applicat ion.FileDo wnloader.D ownload(Su bscription State subState)
at System.Deployment.Applicat ion.Downlo adManager. DownloadMa nifestAsRa wFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
at System.Deployment.Applicat ion.Downlo adManager. DownloadDe ploymentMa nifestDire ctBypass(S ubscriptio nStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
at System.Deployment.Applicat ion.Downlo adManager. DownloadDe ploymentMa nifestBypa ss(Subscri ptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
at System.Deployment.Applicat ion.Applic ationActiv ator.Perfo rmDeployme ntActivati on(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromE xtension, BrowserSettings browserSettings, String& errorPageUrl)
at System.Deployment.Applicat ion.Applic ationActiv ator.Activ ateDeploym entWorker( Object state)
--- Inner Exception ---
System.Net.WebException
- The remote server returned an error: (401) Unauthorized.
- Source: System
- Stack trace:
at System.Net.HttpWebRequest. GetRespons e()
at System.Deployment.Applicat ion.System NetDownloa der.Downlo adSingleFi le(Downloa dQueueItem next)
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available."
This is the authentication string i am using currently. Any ideas?
<Authentication>
<AuthenticationTypes>
<RSWindowsBasic>
<LogonMethod>3</LogonMetho d>
<Realm></Realm>
<DefaultDomain>mydomain</D efaultDoma in>
</RSWindowsBasic>
</AuthenticationTypes>
<EnableAuthPersistence>tru e</EnableA uthPersist ence>
</Authentication>
I hope you can help me with this?
I recently built and SQL Server Reporting Service. All was working fine, but i needed it to work over HTTPS. Unfortunately when attempting to browse HTTPS it kept prompting me for credentials, but would not accept any (this is despite me being an administrator, sysadmin and explicitly referenced as a SSRS administrator
I did some googling and found you could change the manor of authentication via the following link
https://technet.microsoft.com/en-us/library/cc281309(v=sql.105).aspx
I was able to change authentication to basic and it worked. i could use HTTPS and login with my credentials. But now i've hit a new snag. Now when ever i open the report builder i get the following error
"Cannot retrieve application. Authentication error"
Details revel the following
"PLATFORM VERSION INFO
Windows : 6.1.7601.65536 (Win32NT)
Common Language Runtime : 4.0.30319.18444
System.Deployment.dll : 4.0.30319.34244 built by: FX452RTMGDR
clr.dll : 4.0.30319.18444 built by: FX451RTMGDR
dfdll.dll : 4.0.30319.34244 built by: FX452RTMGDR
dfshim.dll : 4.0.41209.0 (Main.041209-0000)
SOURCES
Deployment url : http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application
ERROR SUMMARY
Below is a summary of the errors, details of these errors are listed later in the log.
* Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application resulted in exception. Following failure messages were detected:
+ Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
+ The remote server returned an error: (401) Unauthorized.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
* [28/08/2015 08:34:46] : Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application has started.
ERROR DETAILS
Following errors were detected during this operation.
* [28/08/2015 08:34:46] System.Deployment.Applicat
- Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
- Source: System.Deployment
- Stack trace:
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
at System.Deployment.Applicat
--- Inner Exception ---
System.Net.WebException
- The remote server returned an error: (401) Unauthorized.
- Source: System
- Stack trace:
at System.Net.HttpWebRequest.
at System.Deployment.Applicat
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available."
This is the authentication string i am using currently. Any ideas?
<Authentication>
<AuthenticationTypes>
<RSWindowsBasic>
<LogonMethod>3</LogonMetho
<Realm></Realm>
<DefaultDomain>mydomain</D
</RSWindowsBasic>
</AuthenticationTypes>
<EnableAuthPersistence>tru
</Authentication>
ASKER
Hi Icohan,
Cheers for the response :)
I tried adding the site to the local intranet zone but no luck. Saving the password didn't work either unfortunately
Any other ideas?
Cheers for the response :)
I tried adding the site to the local intranet zone but no luck. Saving the password didn't work either unfortunately
Any other ideas?
ASKER
Ok, so rolling back to the default (see below) work fine for HTTP, just not HTTPS. With HTTPS it rejects all logins
<Authentication>
<Extension Name="Windows" Type="Microsoft.ReportingS ervices.Au thenticati on.Windows Authentica tion, Microsoft.ReportingService s.Authoriz ation"/>
</Authentication>
<Authentication>
<Extension Name="Windows" Type="Microsoft.ReportingS
</Authentication>
Would you be able to just try enable Anonymous access for testing only with HTTPS and HTTP - just to make sure is nothing else because having that enabled should allow any and all users.
ASKER
Hi Icohan,
Happy to do that. Whats the text string change required?
Happy to do that. Whats the text string change required?
ASKER
I think it relates to this
Report Builder uses ClickOnce technology to download and install application files on the client computer. When it starts on the client computer, the ClickOnce application launcher will make a request for additional application files on the report server computer. If the report server is configured for Basic authentication, the ClickOnce application launcher will fail the authentication check because it does not support Basic authentication.
To work around this issue, you can configure Anonymous access to the Report Builder program files. Doing so allows ClickOnce to bypass the authentication check when retrieving its files. Enable Anonymous access by doing the following:
Verify that the report server is configured for Basic authentication.
Create a bin folder under ReportBuilder and copy four assemblies to the folder.
Add the IsReportBuilderAnonymousAc cessEnable d element to the RSReportServer.config and set it to True. After you save the file, the report server creates a new endpoint to Report Builder. The endpoint is used internally to access program files and does not have a programmatic interface that you can use in code. Having a separate endpoint allows Report Builder to run in its own application domain within the Report Server service process boundary.
Optionally, you can specify a least-privilege account to process requests under a security context that is different from the report server. This account becomes the anonymous account for accessing Report Builder files on a report server. The account sets the identity of the thread in the ASP.NET worker process. Requests that run in that thread are passed to the report server without an authentication check. This account is equivalent to the IUSR_<machine> account in Internet Information Services (IIS), which is used to set the security context for ASP.NET worker processes when Anonymous access and impersonation are enabled. To specify the account, you add it to a Report Builder Web.config file.
The report server must be configured for Basic authentication if you want to enable Anonymous access to the Report Builder program files. If the report server is not configured for Basic authentication, you will get an error when you attempt to enable Anonymous access.
For more information about authentication issues and Report Builder, see Configure Report Builder Access.
To configure Report Builder access on a report server configured for Basic authentication
Verify the report server is configured for Basic authentication by checking the authentication settings in the RSReportServer.config file.
Create a BIN folder under the ReportBuilder folder. By default, this folder is located at \Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\ Reporting Services\ReportServer\Repo rtBuilder.
Copy the following assemblies from the ReportServer\Bin folder to the ReportBuilder\BIN folder:
Microsoft.ReportingService s.Diagnost ics.dll
Microsoft.ReportingService s.Interfac es.dll
ReportingServicesAppDomain Manager.dl l
RSHttpRuntime.dll
Optionally, create a Web.config file to process Report Builder requests under an Anonymous account:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true " userName="username" password="password"/>
</system.web>
</configuration>
Authentication mode must be set to Windows if you include a Web.config file.
Identity impersonate can be True or False.
Set it to False if you do not want ASP.NET to read the security token. The request will run in the security context of the Report Server service.
Set it to True if you want ASP.NET to read the security token from the host layer. If you set it to True, you must also specify userName and password to designate an Anonymous account. The credentials you specify will determine the security context under which the request is issued.
Save the Web.config file to the ReportBuilder\bin folder.
Open RSReportServer.config file, in the Services section, find IsReportManagerEnabled and add the following setting below it:
<IsReportBuilderAnonymousA ccessEnabl ed>True</I sReportBui lderAnonym ousAccessE nabled>
Save RSReportServer.config and close the file.
Restart the report server.
However when i make this change the web page no longer works at all?
Report Builder uses ClickOnce technology to download and install application files on the client computer. When it starts on the client computer, the ClickOnce application launcher will make a request for additional application files on the report server computer. If the report server is configured for Basic authentication, the ClickOnce application launcher will fail the authentication check because it does not support Basic authentication.
To work around this issue, you can configure Anonymous access to the Report Builder program files. Doing so allows ClickOnce to bypass the authentication check when retrieving its files. Enable Anonymous access by doing the following:
Verify that the report server is configured for Basic authentication.
Create a bin folder under ReportBuilder and copy four assemblies to the folder.
Add the IsReportBuilderAnonymousAc
Optionally, you can specify a least-privilege account to process requests under a security context that is different from the report server. This account becomes the anonymous account for accessing Report Builder files on a report server. The account sets the identity of the thread in the ASP.NET worker process. Requests that run in that thread are passed to the report server without an authentication check. This account is equivalent to the IUSR_<machine> account in Internet Information Services (IIS), which is used to set the security context for ASP.NET worker processes when Anonymous access and impersonation are enabled. To specify the account, you add it to a Report Builder Web.config file.
The report server must be configured for Basic authentication if you want to enable Anonymous access to the Report Builder program files. If the report server is not configured for Basic authentication, you will get an error when you attempt to enable Anonymous access.
For more information about authentication issues and Report Builder, see Configure Report Builder Access.
To configure Report Builder access on a report server configured for Basic authentication
Verify the report server is configured for Basic authentication by checking the authentication settings in the RSReportServer.config file.
Create a BIN folder under the ReportBuilder folder. By default, this folder is located at \Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\
Copy the following assemblies from the ReportServer\Bin folder to the ReportBuilder\BIN folder:
Microsoft.ReportingService
Microsoft.ReportingService
ReportingServicesAppDomain
RSHttpRuntime.dll
Optionally, create a Web.config file to process Report Builder requests under an Anonymous account:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Windows" />
<identity impersonate="true " userName="username" password="password"/>
</system.web>
</configuration>
Authentication mode must be set to Windows if you include a Web.config file.
Identity impersonate can be True or False.
Set it to False if you do not want ASP.NET to read the security token. The request will run in the security context of the Report Server service.
Set it to True if you want ASP.NET to read the security token from the host layer. If you set it to True, you must also specify userName and password to designate an Anonymous account. The credentials you specify will determine the security context under which the request is issued.
Save the Web.config file to the ReportBuilder\bin folder.
Open RSReportServer.config file, in the Services section, find IsReportManagerEnabled and add the following setting below it:
<IsReportBuilderAnonymousA
Save RSReportServer.config and close the file.
Restart the report server.
However when i make this change the web page no longer works at all?
ASKER
What ever happens, it seems to do with the rsreportserver.config file as even rolling back the
<IsReportBuilderAnonymousA ccessEnabl ed>True</I sReportBui lderAnonym ousAccessE nabled>
still results in the site being down and broken. I can only get it back, by replacing the entire rsreportserver.config file with a backup i made
<IsReportBuilderAnonymousA
still results in the site being down and broken. I can only get it back, by replacing the entire rsreportserver.config file with a backup i made
Well in order to protect a ClickOnce deployment the options are to either by protecting the folder on the web service where it resides by specifically giving access to users, or by password-protecting the page the user goes to to click on the install link so I'm thinking the folder from where the download should start does not have the user access yet. Could you check that on the server where reportbuilder is to make sure your NT user used in the HTTP or HTTPS has access to it?
ASKER
Hi Icohan,
Definitely have access to it as I'm logging as an administrator of the system. I think my previous comment is on the right track for access, but i have no idea why, when applied, it forces the entire site to no longer work?
Definitely have access to it as I'm logging as an administrator of the system. I think my previous comment is on the right track for access, but i have no idea why, when applied, it forces the entire site to no longer work?
ASKER
This guy had the same issue,
But it appears it worked for him after adding the extra parts posted above
https://www.experts-exchange.com/questions/26239792/SSRS-2008-R2-report-builder-3-0-remote-clickonce-deployment-error.html
Not sure why mine blows up
But it appears it worked for him after adding the extra parts posted above
https://www.experts-exchange.com/questions/26239792/SSRS-2008-R2-report-builder-3-0-remote-clickonce-deployment-error.html
Not sure why mine blows up
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Was solved by a support call to microsoft
Try to either add the site to your "LocalIntranet" zone in IE (which automatically sends id and password) or make sure that the "automatic login with current username and password" option is set for the "Logon" option in the Internet zone. Launch IE by right clicking the IE icon and clicking "Run As Administrator" and tick the "Save Password" check box on the user name and password entry box when the user starts the session.