SSRS cant open report builder - authentication error

Hi Experts,

I hope you can help me with this?

I recently built and SQL Server Reporting Service. All was working fine, but i needed it to work over HTTPS. Unfortunately when attempting to browse HTTPS it kept prompting me for credentials, but would not accept any (this is despite me being an administrator, sysadmin and explicitly referenced as a SSRS administrator

I did some googling and found you could change the manor of authentication via the following link

I was able to change authentication to basic and it worked. i could use HTTPS and login with my credentials. But now i've hit a new snag. Now when ever i open the report builder i get the following error

"Cannot retrieve application. Authentication error"

Details revel the following

      Windows                   : 6.1.7601.65536 (Win32NT)
      Common Language Runtime       : 4.0.30319.18444
      System.Deployment.dll             : 4.0.30319.34244 built by: FX452RTMGDR
      clr.dll                   : 4.0.30319.18444 built by: FX451RTMGDR
      dfdll.dll                   : 4.0.30319.34244 built by: FX452RTMGDR
      dfshim.dll                   : 4.0.41209.0 (Main.041209-0000)

      Deployment url                  : http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application

      Below is a summary of the errors, details of these errors are listed later in the log.
      * Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application resulted in exception. Following failure messages were detected:
            + Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            + The remote server returned an error: (401) Unauthorized.

      No transaction error was detected.

      There were no warnings during this operation.

      * [28/08/2015 08:34:46] : Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application has started.

      Following errors were detected during this operation.
      * [28/08/2015 08:34:46] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
            - Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            - Source: System.Deployment
            - Stack trace:
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
                  at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
                  at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
                  at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
                  at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
                  at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
            --- Inner Exception ---
            - The remote server returned an error: (401) Unauthorized.
            - Source: System
            - Stack trace:
                  at System.Net.HttpWebRequest.GetResponse()
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

      No transaction information is available."

This is the authentication string i am using currently. Any ideas?

Graham HirstIT EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

lcohanDatabase AnalystCommented:
Hmm...I believe that has somethinmg to do with permissions not getting passed/saved for that SQL login.

Try to either add the site to your "LocalIntranet" zone in IE (which automatically sends id and password) or make sure that the "automatic login with current username and password" option is set for the "Logon" option in the Internet zone. Launch IE by right clicking the IE icon and clicking "Run As Administrator" and tick the "Save Password" check box on the user name and password entry box when the user starts the session.
Graham HirstIT EngineerAuthor Commented:
Hi Icohan,

Cheers for the response :)

I tried adding the site to the local intranet zone but no luck. Saving the password didn't work either unfortunately

Any other ideas?
Graham HirstIT EngineerAuthor Commented:
Ok, so rolling back to the default (see below) work fine for HTTP, just not HTTPS. With HTTPS it rejects all logins

                  <Extension Name="Windows" Type="Microsoft.ReportingServices.Authentication.WindowsAuthentication, Microsoft.ReportingServices.Authorization"/>
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

lcohanDatabase AnalystCommented:
Would you be able to just try enable Anonymous access for testing only with HTTPS and HTTP - just to make sure is nothing else because having that enabled should allow any and all users.
Graham HirstIT EngineerAuthor Commented:
Hi Icohan,

Happy to do that. Whats the text string change required?
Graham HirstIT EngineerAuthor Commented:
I think it relates to this

Report Builder uses ClickOnce technology to download and install application files on the client computer. When it starts on the client computer, the ClickOnce application launcher will make a request for additional application files on the report server computer. If the report server is configured for Basic authentication, the ClickOnce application launcher will fail the authentication check because it does not support Basic authentication.
To work around this issue, you can configure Anonymous access to the Report Builder program files. Doing so allows ClickOnce to bypass the authentication check when retrieving its files. Enable Anonymous access by doing the following:
Verify that the report server is configured for Basic authentication.
Create a bin folder under ReportBuilder and copy four assemblies to the folder.
Add the IsReportBuilderAnonymousAccessEnabled element to the RSReportServer.config and set it to True. After you save the file, the report server creates a new endpoint to Report Builder. The endpoint is used internally to access program files and does not have a programmatic interface that you can use in code. Having a separate endpoint allows Report Builder to run in its own application domain within the Report Server service process boundary.
Optionally, you can specify a least-privilege account to process requests under a security context that is different from the report server. This account becomes the anonymous account for accessing Report Builder files on a report server. The account sets the identity of the thread in the ASP.NET worker process. Requests that run in that thread are passed to the report server without an authentication check. This account is equivalent to the IUSR_<machine> account in Internet Information Services (IIS), which is used to set the security context for ASP.NET worker processes when Anonymous access and impersonation are enabled. To specify the account, you add it to a Report Builder Web.config file.
The report server must be configured for Basic authentication if you want to enable Anonymous access to the Report Builder program files. If the report server is not configured for Basic authentication, you will get an error when you attempt to enable Anonymous access.
For more information about authentication issues and Report Builder, see Configure Report Builder Access.
To configure Report Builder access on a report server configured for Basic authentication
Verify the report server is configured for Basic authentication by checking the authentication settings in the RSReportServer.config file.
Create a BIN folder under the ReportBuilder folder. By default, this folder is located at \Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer\ReportBuilder.
Copy the following assemblies from the ReportServer\Bin folder to the ReportBuilder\BIN folder:
Optionally, create a Web.config file to process Report Builder requests under an Anonymous account:
<?xml version="1.0" encoding="utf-8" ?>
<authentication mode="Windows" />  
<identity impersonate="true " userName="username" password="password"/>
Authentication mode must be set to Windows if you include a Web.config file.
Identity impersonate can be True or False.
Set it to False if you do not want ASP.NET to read the security token. The request will run in the security context of the Report Server service.
Set it to True if you want ASP.NET to read the security token from the host layer. If you set it to True, you must also specify userName and password to designate an Anonymous account. The credentials you specify will determine the security context under which the request is issued.
Save the Web.config file to the ReportBuilder\bin folder.
Open RSReportServer.config file, in the Services section, find IsReportManagerEnabled and add the following setting below it:
Save RSReportServer.config and close the file.
Restart the report server.

However when i make this change the web page no longer works at all?
Graham HirstIT EngineerAuthor Commented:
What ever happens, it seems to do with the rsreportserver.config file as even rolling back the
still results in the site being down and broken. I can only get it back, by replacing the entire rsreportserver.config file with a backup i made
lcohanDatabase AnalystCommented:
Well in order to protect a ClickOnce deployment the options are to either by protecting the folder on the web service where it resides by specifically giving access to users, or by password-protecting the page the user goes to to click on the install link so I'm thinking the folder from where the download should start does not have the user access yet. Could you check that on the server where reportbuilder is to make sure your NT user used in the HTTP or HTTPS has access to it?
Graham HirstIT EngineerAuthor Commented:
Hi Icohan,

Definitely have access to it as I'm logging as an administrator of the system. I think my previous comment is on the right track for access, but i have no idea why, when applied, it forces the entire site to no longer work?
Graham HirstIT EngineerAuthor Commented:
This guy had the same issue,

But it appears it worked for him after adding the extra parts posted above

Not sure why mine blows up
Graham HirstIT EngineerAuthor Commented:
Microsoft were able to resolve the issue for me

The problem was with the xml


Even though this worked for the initial part of testing (gaining access to the server, just not the report builder) it caused a conflict when the following xml was added


So to resolve, the later xml had to be added and the former changed to


This then fixed the problem of the site blowing up, and all that was left to do to get the report builder to work was for write permissions to be added to the following path for the service account

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files

Cheers for all of your help

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Graham HirstIT EngineerAuthor Commented:
Was solved by a support call to microsoft
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.