Avatar of Graham Hirst
Graham Hirst
Flag for United Kingdom of Great Britain and Northern Ireland asked on

SSRS cant open report builder - authentication error

Hi Experts,

I hope you can help me with this?

I recently built and SQL Server Reporting Service. All was working fine, but i needed it to work over HTTPS. Unfortunately when attempting to browse HTTPS it kept prompting me for credentials, but would not accept any (this is despite me being an administrator, sysadmin and explicitly referenced as a SSRS administrator

I did some googling and found you could change the manor of authentication via the following link

https://technet.microsoft.com/en-us/library/cc281309(v=sql.105).aspx

I was able to change authentication to basic and it worked. i could use HTTPS and login with my credentials. But now i've hit a new snag. Now when ever i open the report builder i get the following error

"Cannot retrieve application. Authentication error"

Details revel the following

"PLATFORM VERSION INFO
      Windows                   : 6.1.7601.65536 (Win32NT)
      Common Language Runtime       : 4.0.30319.18444
      System.Deployment.dll             : 4.0.30319.34244 built by: FX452RTMGDR
      clr.dll                   : 4.0.30319.18444 built by: FX451RTMGDR
      dfdll.dll                   : 4.0.30319.34244 built by: FX452RTMGDR
      dfshim.dll                   : 4.0.41209.0 (Main.041209-0000)

SOURCES
      Deployment url                  : http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application

ERROR SUMMARY
      Below is a summary of the errors, details of these errors are listed later in the log.
      * Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application resulted in exception. Following failure messages were detected:
            + Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            + The remote server returned an error: (401) Unauthorized.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
      No transaction error was detected.

WARNINGS
      There were no warnings during this operation.

OPERATION PROGRESS STATUS
      * [28/08/2015 08:34:46] : Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application has started.

ERROR DETAILS
      Following errors were detected during this operation.
      * [28/08/2015 08:34:46] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
            - Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            - Source: System.Deployment
            - Stack trace:
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
                  at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
                  at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
                  at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
                  at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
                  at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
            --- Inner Exception ---
            System.Net.WebException
            - The remote server returned an error: (401) Unauthorized.
            - Source: System
            - Stack trace:
                  at System.Net.HttpWebRequest.GetResponse()
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

COMPONENT STORE TRANSACTION DETAILS
      No transaction information is available."

This is the authentication string i am using currently. Any ideas?

<Authentication>
            <AuthenticationTypes>
                         <RSWindowsBasic>
                               <LogonMethod>3</LogonMethod>
                               <Realm></Realm>
                               <DefaultDomain>mydomain</DefaultDomain>
                         </RSWindowsBasic>
                  </AuthenticationTypes>
                  <EnableAuthPersistence>true</EnableAuthPersistence>
      </Authentication>
SSRSMicrosoft SQL ServerDB Reporting ToolsASP.NETMicrosoft SharePoint

Avatar of undefined
Last Comment
Graham Hirst

8/22/2022 - Mon
lcohan

Hmm...I believe that has somethinmg to do with permissions not getting passed/saved for that SQL login.

Try to either add the site to your "LocalIntranet" zone in IE (which automatically sends id and password) or make sure that the "automatic login with current username and password" option is set for the "Logon" option in the Internet zone. Launch IE by right clicking the IE icon and clicking "Run As Administrator" and tick the "Save Password" check box on the user name and password entry box when the user starts the session.
Graham Hirst

ASKER
Hi Icohan,

Cheers for the response :)

I tried adding the site to the local intranet zone but no luck. Saving the password didn't work either unfortunately

Any other ideas?
Graham Hirst

ASKER
Ok, so rolling back to the default (see below) work fine for HTTP, just not HTTPS. With HTTPS it rejects all logins

<Authentication>
                  <Extension Name="Windows" Type="Microsoft.ReportingServices.Authentication.WindowsAuthentication, Microsoft.ReportingServices.Authorization"/>
            </Authentication>
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
lcohan

Would you be able to just try enable Anonymous access for testing only with HTTPS and HTTP - just to make sure is nothing else because having that enabled should allow any and all users.
Graham Hirst

ASKER
Hi Icohan,

Happy to do that. Whats the text string change required?
Graham Hirst

ASKER
I think it relates to this

Report Builder uses ClickOnce technology to download and install application files on the client computer. When it starts on the client computer, the ClickOnce application launcher will make a request for additional application files on the report server computer. If the report server is configured for Basic authentication, the ClickOnce application launcher will fail the authentication check because it does not support Basic authentication.
To work around this issue, you can configure Anonymous access to the Report Builder program files. Doing so allows ClickOnce to bypass the authentication check when retrieving its files. Enable Anonymous access by doing the following:
Verify that the report server is configured for Basic authentication.
Create a bin folder under ReportBuilder and copy four assemblies to the folder.
Add the IsReportBuilderAnonymousAccessEnabled element to the RSReportServer.config and set it to True. After you save the file, the report server creates a new endpoint to Report Builder. The endpoint is used internally to access program files and does not have a programmatic interface that you can use in code. Having a separate endpoint allows Report Builder to run in its own application domain within the Report Server service process boundary.
Optionally, you can specify a least-privilege account to process requests under a security context that is different from the report server. This account becomes the anonymous account for accessing Report Builder files on a report server. The account sets the identity of the thread in the ASP.NET worker process. Requests that run in that thread are passed to the report server without an authentication check. This account is equivalent to the IUSR_<machine> account in Internet Information Services (IIS), which is used to set the security context for ASP.NET worker processes when Anonymous access and impersonation are enabled. To specify the account, you add it to a Report Builder Web.config file.
The report server must be configured for Basic authentication if you want to enable Anonymous access to the Report Builder program files. If the report server is not configured for Basic authentication, you will get an error when you attempt to enable Anonymous access.
For more information about authentication issues and Report Builder, see Configure Report Builder Access.
To configure Report Builder access on a report server configured for Basic authentication
Verify the report server is configured for Basic authentication by checking the authentication settings in the RSReportServer.config file.
Create a BIN folder under the ReportBuilder folder. By default, this folder is located at \Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer\ReportBuilder.
Copy the following assemblies from the ReportServer\Bin folder to the ReportBuilder\BIN folder:
Microsoft.ReportingServices.Diagnostics.dll
Microsoft.ReportingServices.Interfaces.dll
ReportingServicesAppDomainManager.dll
RSHttpRuntime.dll
Optionally, create a Web.config file to process Report Builder requests under an Anonymous account:
<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.web>
<authentication mode="Windows" />  
<identity impersonate="true " userName="username" password="password"/>
</system.web>
</configuration>
Authentication mode must be set to Windows if you include a Web.config file.
Identity impersonate can be True or False.
Set it to False if you do not want ASP.NET to read the security token. The request will run in the security context of the Report Server service.
Set it to True if you want ASP.NET to read the security token from the host layer. If you set it to True, you must also specify userName and password to designate an Anonymous account. The credentials you specify will determine the security context under which the request is issued.
Save the Web.config file to the ReportBuilder\bin folder.
Open RSReportServer.config file, in the Services section, find IsReportManagerEnabled and add the following setting below it:
<IsReportBuilderAnonymousAccessEnabled>True</IsReportBuilderAnonymousAccessEnabled>
Save RSReportServer.config and close the file.
Restart the report server.

However when i make this change the web page no longer works at all?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Graham Hirst

ASKER
What ever happens, it seems to do with the rsreportserver.config file as even rolling back the
<IsReportBuilderAnonymousAccessEnabled>True</IsReportBuilderAnonymousAccessEnabled>
still results in the site being down and broken. I can only get it back, by replacing the entire rsreportserver.config file with a backup i made
lcohan

Well in order to protect a ClickOnce deployment the options are to either by protecting the folder on the web service where it resides by specifically giving access to users, or by password-protecting the page the user goes to to click on the install link so I'm thinking the folder from where the download should start does not have the user access yet. Could you check that on the server where reportbuilder is to make sure your NT user used in the HTTP or HTTPS has access to it?
Graham Hirst

ASKER
Hi Icohan,

Definitely have access to it as I'm logging as an administrator of the system. I think my previous comment is on the right track for access, but i have no idea why, when applied, it forces the entire site to no longer work?
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
Graham Hirst

ASKER
This guy had the same issue,

But it appears it worked for him after adding the extra parts posted above

https://www.experts-exchange.com/questions/26239792/SSRS-2008-R2-report-builder-3-0-remote-clickonce-deployment-error.html

Not sure why mine blows up
ASKER CERTIFIED SOLUTION
Graham Hirst

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Graham Hirst

ASKER
Was solved by a support call to microsoft