Sunday, March 25, 2012

authentication/db connection issues with new setup

Hi,
I've pretty much just thrown together a reporting services (2005)
configuration which connects to a mature sql server 2000 database held
elsewhere. Forgive me for probably not having too much of a clue
about how things should be set up, but I had a go.
I'll get straight to the problem.. that is I can view reports from the
machine running the server, using my own credentials or those of
someone else (tested by running IE7 under an alternative account on
the domain).
However, when using those same user credentials but from a different
machine, I get the following error:
An error has occurred during report processing.
Cannot create a connection to data source 'dsTachyon'.
Login failed for user '(null)'. Reason: Not associated with a trusted
SQL Server connection.
Any ideas as to what would be causing this?
cheers,
Chris

My guess is that it's a "double hop" authentication problem.
You can connect directly to the db when you're on the server, which is a
direct connection. But when you're trying to connect to the db through the
report server, you have one connection hop from your pc to the report
server, and one hop from the report server to the db server. This is called
a double hop.
There are two ways of fixing it.
1) You can connect to the db with a static account that has read access to
the db you get your data from. Instead of using Windows Integrated
Authentication, you use "Credentials stored securely in the report server".
This can be either a SQL account or a Windows account. If you use this, make
sure you're encrypting the data in your report database, in order to encrypt
the password you add.
2) Configure the report server and the db server to use Kerberos, to allow
the credentials to be sent from your pc through the report server to the db
server.
If you want to use Kerberos, start by reading
Configuring Authentication for Reporting Services
http://msdn2.microsoft.com/en-us/library/bb283249.aspx
Specifying Credential and Connection Information
http://msdn2.microsoft.com/en-us/library/ms160330.aspx#
And
Configuring Constrained Delegation for Kerberos (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true
You also need to make sure Anonymous Access to the Report Server web
application is not allowed.
My suggestion is to first see if you're able to connect to the data with the
first setup (using a static account). If it works, you should use Kerberos,
as this is a more secure solution. If it doesn't work with a static account,
you might want to work out why before setting up Kerberos, because it's
usually easier, but less secure to make it work with a static account.
Kaisa M. Lindahl Lervik

On 19 Mar, 14:00, "Kaisa M. Lindahl Lervik" <kais...@.hotmail.com> wrote:
> My guess is that it's a "double hop" authentication problem.
> You can connect directly to the db when you're on the server, which is a
> direct connection. But when you're trying to connect to the db through the
> report server, you have one connection hop from your pc to the report
> server, and one hop from the report server to the db server. This is called
> a double hop.
Thank you! Great depth to your reply, I've tried the static account
solution and that works so I'll give Kerberos a look.
Cheers,
Chris
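
The delegation settings behind option 2 (Kerberos) in the answer above, checked in Python as an added example that is not part of the original thread. The account records, host names and SQL SPN are constructed; the attribute names and userAccountControl bits are the standard Active Directory ones, and the report server is assumed to run under the account being checked.

```python
# userAccountControl bits (documented Active Directory constants)
NORMAL_ACCOUNT = 0x200
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"


def check_double_hop(service, caller, sql_spn):
    """Return findings for delegating `caller` through `service` to `sql_spn`."""
    findings = []
    uac = service["userAccountControl"]
    spns = [s.lower() for s in service.get("servicePrincipalName", [])]
    allowed = [s.lower() for s in service.get("msDS-AllowedToDelegateTo", [])]
    # Without an SPN the client cannot request a Kerberos ticket for the
    # report server, and NTLM credentials cannot make the second hop.
    if not any(s.startswith(("http/", "host/")) for s in spns):
        findings.append("FAIL: no HTTP/HOST SPN on the report server account")
    if uac & TRUSTED_FOR_DELEGATION:
        # The double hop works, but the account may delegate to any service.
        findings.append("RISK: unconstrained delegation; restrict to " + sql_spn)
    elif sql_spn.lower() not in allowed:
        findings.append("FAIL: %s missing from msDS-AllowedToDelegateTo" % sql_spn)
    if caller["userAccountControl"] & NOT_DELEGATED:
        findings.append("FAIL: caller is marked sensitive and cannot be delegated")
    return findings or ["OK: constrained delegation to %s is configured" % sql_spn]


# Constructed sample records, shaped like an LDAP export of the two accounts.
SQL_SPN = "MSSQLSvc/sqlhost.example.test:1433"
USER = {"sAMAccountName": "chris", "userAccountControl": NORMAL_ACCOUNT}
BROKEN = {
    "sAMAccountName": "svc-ssrs",
    "userAccountControl": NORMAL_ACCOUNT,
    "servicePrincipalName": ["HTTP/reports.example.test"],
    "msDS-AllowedToDelegateTo": [],
}
UNCONSTRAINED = {**BROKEN,
                 "userAccountControl": NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION}
FIXED = {**BROKEN, "msDS-AllowedToDelegateTo": [SQL_SPN]}

if __name__ == "__main__":
    for name, svc in [("broken", BROKEN), ("unconstrained", UNCONSTRAINED),
                      ("fixed", FIXED)]:
        print(name, check_double_hop(svc, USER, SQL_SPN))
```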
