Scenario: SSRS, in SharePoint integrated mode, is calling a custom web service located in the SharePoint ISAPI folder and accessed through _vti_bin. This service uses LINQ to SharePoint to query multiple lists on the SharePoint WFE.
A layout of the setup can be seen below. Okay, network diagrams are not my strong point!
Because the authentication is passed across more than two boundaries (the classic double hop), the user identity is lost and null is passed on, and the only way to fix this is to use Kerberos.
So here's how I went about setting it up:
Service Principal Names (SPN) for Service Accounts
In order to pass the Kerberos token you need to set up SPNs.
Note: although I've not found confirmation of this, SPNs appear to be case sensitive.
setspn.exe -A HTTP/<SSRS_FQDN> SSRSService
setspn.exe -A HTTP/<SSRS_NetBIOSName> SSRSService
Set <SSRS_FQDN> to the FQDN of the server hosting the SharePoint integrated SSRS and <SSRS_NetBIOSName> to that server's NetBIOS name.
These entries can be confirmed by running
setspn.exe -L SSRSService
This should give an output similar to below.
Then on to the WFEs:
setspn.exe -A HTTP/<SP_WFE_FQDN> SPService
setspn.exe -A HTTP/<SP_WFE_NetBIOSName> SPService
Set <SP_WFE_FQDN> to the FQDN of the server hosting the SharePoint WFE, or, if this is an NLB cluster, to the cluster name; the same goes for <SP_WFE_NetBIOSName>.
setspn.exe -A MSSQLSvc/<SQL_FQDN>:1433 SqlDbService
setspn.exe -A MSSQLSvc/<SQL_NetBIOSName>:1433 SqlDbService
Set <SQL_FQDN> to the FQDN of the server hosting SQL, or, if this is a cluster, to the cluster name; the same goes for <SQL_NetBIOSName>.
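As an added example (not a script from the original post), the SPN registration above as a single PowerShell pass that checks for duplicates before registering and lists the result afterwards; a duplicate SPN makes Kerberos fail silently back to NTLM, which then breaks on the double hop. The host names and account names are placeholders; setspn's -Q, -S, -L and -X switches are used as documented by Microsoft.

```powershell
# Added example: register the SPNs from this post, refusing duplicates.
# Host names and account names are placeholders; replace with your own.
$spnMap = @(
    @{ Account = 'SSRSService';  Spns = @('HTTP/ssrs01.corp.example.com',        'HTTP/SSRS01') },
    @{ Account = 'SPService';    Spns = @('HTTP/spwfe.corp.example.com',         'HTTP/SPWFE') },
    @{ Account = 'SqlDbService'; Spns = @('MSSQLSvc/sql01.corp.example.com:1433', 'MSSQLSvc/SQL01:1433') }
)

foreach ($entry in $spnMap) {
    foreach ($spn in $entry.Spns) {
        # setspn -Q reports whether this SPN is already registered anywhere in the forest.
        $query = setspn.exe -Q $spn
        if ($query -match 'Existing SPN found') {
            Write-Warning "$spn is already registered; not adding it again. Output was:`n$($query -join "`n")"
            continue
        }
        # -S adds the SPN only if no duplicate exists (safer than -A, which never checks).
        setspn.exe -S $spn $entry.Account | Out-Null
    }
    Write-Host "SPNs now registered for $($entry.Account):"
    setspn.exe -L $entry.Account
}

# Final forest-wide check for duplicate SPNs; any hit here must be resolved
# before Kerberos delegation will work reliably.
Write-Host 'Forest-wide duplicate SPN check:'
setspn.exe -X
```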
Active Directory Users and Computers
Next, open Active Directory Users and Computers and change each of the 3 accounts, selecting the "Trust this user for delegation to any service (Kerberos only)" option (unconstrained delegation) on the Delegation tab.
SSRS App Server Changes
On the SharePoint application server which is hosting SSRS, open the Local Security Policy and go to User Management Rights. Change "Act as part of the operating system" and "Impersonate a client after authentication" to include the accounts for both the WFE's app pool and the SSRS service.
Report Server Configuration Changes
Open the RsReportServer.config file and locate the <AuthenticationTypes> section. Add <RSWindowsNegotiate/> as the first entry in this section.
Central Admin Changes for Web Application
Next, open Central Admin and navigate to Application Management -> Manage Web Applications.
Then select the web application, then Authentication Providers.
In the pop-up, click the "Default" link; in the Edit Authentication window, scroll down to IIS Authentication Settings and choose Negotiate (Kerberos).
Scroll down and save.
Give this a minute to propagate to the other Servers in the farm and you should now be able to access the Reports which call the web service.
