Graham Hirst asked:

SSRS can't open report builder - authentication error

Hi Experts,

I hope you can help me with this?

I recently built an SQL Server Reporting Service. All was working fine, but I needed it to work over HTTPS. Unfortunately, when attempting to browse HTTPS it kept prompting me for credentials, but would not accept any (this is despite me being an administrator, sysadmin and explicitly referenced as an SSRS administrator).

I did some googling and found you could change the manner of authentication via the following link:

https://technet.microsoft.com/en-us/library/cc281309(v=sql.105).aspx

I was able to change authentication to basic and it worked. I could use HTTPS and log in with my credentials. But now I've hit a new snag. Now whenever I open the report builder I get the following error:

"Cannot retrieve application. Authentication error"

Details reveal the following:

"PLATFORM VERSION INFO
      Windows                   : 6.1.7601.65536 (Win32NT)
      Common Language Runtime       : 4.0.30319.18444
      System.Deployment.dll             : 4.0.30319.34244 built by: FX452RTMGDR
      clr.dll                   : 4.0.30319.18444 built by: FX451RTMGDR
      dfdll.dll                   : 4.0.30319.34244 built by: FX452RTMGDR
      dfshim.dll                   : 4.0.41209.0 (Main.041209-0000)

SOURCES
      Deployment url                  : http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application

ERROR SUMMARY
      Below is a summary of the errors, details of these errors are listed later in the log.
      * Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application resulted in exception. Following failure messages were detected:
            + Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            + The remote server returned an error: (401) Unauthorized.

COMPONENT STORE TRANSACTION FAILURE SUMMARY
      No transaction error was detected.

WARNINGS
      There were no warnings during this operation.

OPERATION PROGRESS STATUS
      * [28/08/2015 08:34:46] : Activation of http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application has started.

ERROR DETAILS
      Following errors were detected during this operation.
      * [28/08/2015 08:34:46] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
            - Downloading http://dc4insql01/ReportServer/ReportBuilder/ReportBuilder_3_0_0_0.application did not succeed.
            - Source: System.Deployment
            - Stack trace:
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
                  at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
                  at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
                  at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
                  at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
                  at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
                  at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
            --- Inner Exception ---
            System.Net.WebException
            - The remote server returned an error: (401) Unauthorized.
            - Source: System
            - Stack trace:
                  at System.Net.HttpWebRequest.GetResponse()
                  at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

COMPONENT STORE TRANSACTION DETAILS
      No transaction information is available."

This is the authentication string I am using currently. Any ideas?

<Authentication>
    <AuthenticationTypes>
        <RSWindowsBasic>
            <LogonMethod>3</LogonMethod>
            <Realm></Realm>
            <DefaultDomain>mydomain</DefaultDomain>
        </RSWindowsBasic>
    </AuthenticationTypes>
    <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>

lcohan

Hmm... I believe that has something to do with permissions not getting passed/saved for that SQL login.

Try to either add the site to your "LocalIntranet" zone in IE (which automatically sends id and password) or make sure that the "automatic login with current username and password" option is set for the "Logon" option in the Internet zone. Launch IE by right clicking the IE icon and clicking "Run As Administrator" and tick the "Save Password" check box on the user name and password entry box when the user starts the session.

Graham Hirst (ASKER)

Hi Icohan,

Cheers for the response :)

I tried adding the site to the local intranet zone but no luck. Saving the password didn't work either, unfortunately.

Any other ideas?

Ok, so rolling back to the default (see below) works fine for HTTP, just not HTTPS. With HTTPS it rejects all logins.

<Authentication>
    <Extension Name="Windows" Type="Microsoft.ReportingServices.Authentication.WindowsAuthentication, Microsoft.ReportingServices.Authorization"/>
</Authentication>

Would you be able to just try enabling Anonymous access for testing only with HTTPS and HTTP - just to make sure it is nothing else, because having that enabled should allow any and all users.

Hi Icohan,

Happy to do that. What's the text string change required?

I think it relates to this:

Report Builder uses ClickOnce technology to download and install application files on the client computer. When it starts on the client computer, the ClickOnce application launcher will make a request for additional application files on the report server computer. If the report server is configured for Basic authentication, the ClickOnce application launcher will fail the authentication check because it does not support Basic authentication.

To work around this issue, you can configure Anonymous access to the Report Builder program files. Doing so allows ClickOnce to bypass the authentication check when retrieving its files. Enable Anonymous access by doing the following:

- Verify that the report server is configured for Basic authentication.
- Create a bin folder under ReportBuilder and copy four assemblies to the folder.
- Add the IsReportBuilderAnonymousAccessEnabled element to the RSReportServer.config and set it to True. After you save the file, the report server creates a new endpoint to Report Builder. The endpoint is used internally to access program files and does not have a programmatic interface that you can use in code. Having a separate endpoint allows Report Builder to run in its own application domain within the Report Server service process boundary.

Optionally, you can specify a least-privilege account to process requests under a security context that is different from the report server. This account becomes the anonymous account for accessing Report Builder files on a report server. The account sets the identity of the thread in the ASP.NET worker process. Requests that run in that thread are passed to the report server without an authentication check. This account is equivalent to the IUSR_<machine> account in Internet Information Services (IIS), which is used to set the security context for ASP.NET worker processes when Anonymous access and impersonation are enabled. To specify the account, you add it to a Report Builder Web.config file.

The report server must be configured for Basic authentication if you want to enable Anonymous access to the Report Builder program files. If the report server is not configured for Basic authentication, you will get an error when you attempt to enable Anonymous access.

For more information about authentication issues and Report Builder, see Configure Report Builder Access.

To configure Report Builder access on a report server configured for Basic authentication

- Verify the report server is configured for Basic authentication by checking the authentication settings in the RSReportServer.config file.
- Create a BIN folder under the ReportBuilder folder. By default, this folder is located at \Program Files\Microsoft SQL Server\MSRS12.MSSQLSERVER\Reporting Services\ReportServer\ReportBuilder.
- Copy the following assemblies from the ReportServer\Bin folder to the ReportBuilder\BIN folder:
    - Microsoft.ReportingServices.Diagnostics.dll
    - Microsoft.ReportingServices.Interfaces.dll
    - ReportingServicesAppDomainManager.dll
    - RSHttpRuntime.dll
- Optionally, create a Web.config file to process Report Builder requests under an Anonymous account:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <system.web>
            <authentication mode="Windows" />
            <identity impersonate="true" userName="username" password="password"/>
        </system.web>
    </configuration>

    - Authentication mode must be set to Windows if you include a Web.config file.
    - Identity impersonate can be True or False.
        - Set it to False if you do not want ASP.NET to read the security token. The request will run in the security context of the Report Server service.
        - Set it to True if you want ASP.NET to read the security token from the host layer. If you set it to True, you must also specify userName and password to designate an Anonymous account. The credentials you specify will determine the security context under which the request is issued.
    - Save the Web.config file to the ReportBuilder\bin folder.
- Open RSReportServer.config file, in the Services section, find IsReportManagerEnabled and add the following setting below it:

    <IsReportBuilderAnonymousAccessEnabled>True</IsReportBuilderAnonymousAccessEnabled>

- Save RSReportServer.config and close the file.
- Restart the report server.

However, when I make this change the web page no longer works at all?

Whatever happens, it seems to do with the rsreportserver.config file, as even rolling back the
<IsReportBuilderAnonymousAccessEnabled>True</IsReportBuilderAnonymousAccessEnabled>
still results in the site being down and broken. I can only get it back by replacing the entire rsreportserver.config file with a backup I made.
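
A pre-flight check for the procedure quoted above, as an added example that is not part of the original thread or of Microsoft's documentation: it validates an edited RSReportServer.config and the ReportBuilder\bin folder against the documented steps before the report server is restarted. The function name, the temp folder and the sample config are assumptions constructed for illustration.

```powershell
# Added example. Test-RsBuilderAnonSetup is a hypothetical helper, not an SSRS cmdlet.
function Test-RsBuilderAnonSetup {
    param([Parameter(Mandatory)][string]$ConfigPath,   # RSReportServer.config, or an edited copy
          [Parameter(Mandatory)][string]$BuilderBin)   # the ReportBuilder\bin folder
    # Catch unreadable or malformed XML before a service restart does.
    try   { $cfg = [xml](Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop) }
    catch { return "RSReportServer.config cannot be read or parsed: $($_.Exception.Message)" }
    # Precondition from the quoted documentation: Basic authentication is configured.
    if (-not $cfg.SelectSingleNode('//Authentication/AuthenticationTypes/RSWindowsBasic')) {
        'AuthenticationTypes does not contain RSWindowsBasic'
    }
    # The switch must appear exactly once, in the same section as IsReportManagerEnabled.
    $all    = @($cfg.SelectNodes('//IsReportBuilderAnonymousAccessEnabled'))
    $placed = @($cfg.SelectNodes('//*[IsReportManagerEnabled]/IsReportBuilderAnonymousAccessEnabled'))
    if ($all.Count -ne 1 -or $placed.Count -ne 1) {
        "IsReportBuilderAnonymousAccessEnabled: $($all.Count) found, $($placed.Count) beside IsReportManagerEnabled"
    } elseif ($placed[0].InnerText.Trim() -ne 'True') {
        "IsReportBuilderAnonymousAccessEnabled is '$($placed[0].InnerText)', expected True"
    }
    # The four assemblies the procedure copies from ReportServer\Bin.
    foreach ($dll in 'Microsoft.ReportingServices.Diagnostics.dll', 'Microsoft.ReportingServices.Interfaces.dll',
                     'ReportingServicesAppDomainManager.dll', 'RSHttpRuntime.dll') {
        if (-not (Test-Path -LiteralPath (Join-Path $BuilderBin $dll))) { "Missing from bin folder: $dll" }
    }
    # Web.config is optional; when present it must follow the rules listed with it.
    $webPath = Join-Path $BuilderBin 'Web.config'
    if (-not (Test-Path -LiteralPath $webPath)) { return }
    try   { $web = [xml](Get-Content -LiteralPath $webPath -Raw -ErrorAction Stop) }
    catch { return "Web.config cannot be read or parsed: $($_.Exception.Message)" }
    $mode = $web.SelectSingleNode('/configuration/system.web/authentication/@mode')
    if (-not $mode -or $mode.Value -ne 'Windows') { 'Web.config: authentication mode must be Windows' }
    $id = $web.SelectSingleNode('/configuration/system.web/identity')
    if ($id) {
        $imp = $id.GetAttribute('impersonate')
        if ($imp -notmatch '^(true|false)$') {
            "Web.config: impersonate is '$imp', expected true or false"
        } elseif ($imp -eq 'true' -and -not ($id.GetAttribute('userName') -and $id.GetAttribute('password'))) {
            'Web.config: impersonate=true needs userName and password'
        }
    }
}

# Constructed demo input: a minimal config in a temp folder, with nothing copied to it yet.
$tmp = Join-Path $env:TEMP 'rs-check'; New-Item -ItemType Directory -Force -Path $tmp | Out-Null
$sample = '<Configuration><Authentication><AuthenticationTypes><RSWindowsBasic/></AuthenticationTypes>' +
          '</Authentication><Service><IsReportManagerEnabled>True</IsReportManagerEnabled></Service></Configuration>'
Set-Content -LiteralPath (Join-Path $tmp 'RSReportServer.config') -Value $sample
Test-RsBuilderAnonSetup -ConfigPath (Join-Path $tmp 'RSReportServer.config') -BuilderBin $tmp
```

Each string the function emits is one finding; no output means every check passed. The optional Web.config keeps the anonymous account's password in the file itself, which is one more reason to use the least-privilege account the documentation describes.
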

Well, in order to protect a ClickOnce deployment, the options are either protecting the folder on the web service where it resides by specifically giving access to users, or password-protecting the page the user goes to to click on the install link, so I'm thinking the folder from where the download should start does not have the user access yet. Could you check that on the server where reportbuilder is, to make sure your NT user used in the HTTP or HTTPS has access to it?

Hi Icohan,

Definitely have access to it as I'm logging in as an administrator of the system. I think my previous comment is on the right track for access, but I have no idea why, when applied, it forces the entire site to no longer work?

This guy had the same issue,

But it appears it worked for him after adding the extra parts posted above

https://www.experts-exchange.com/questions/26239792/SSRS-2008-R2-report-builder-3-0-remote-clickonce-deployment-error.html

Not sure why mine blows up
ASKER CERTIFIED SOLUTION
Graham Hirst
Was solved by a support call to Microsoft.