Using SQL Reporting Services 2005 and Forms Authentication with the Whidbey/2.0 SQLMembershipProvider

I saw a question last week asking if one could use the new 2.0 SQLMembershipProvider to build a Forms Auth solution with SSRS, so I created a prototype to find out. Long story short, you can.

 

Here's a walkthrough which will leave you with the following:

 

• A make-believe web app which utilizes the VS 2005 Login controls to do Forms Authentication
• SSRS configured to use Forms Auth, too
• A modified SQL Reporting Services Forms Auth security extension which will use the SQLMembershipProvider
• SSRS and the web app able to "share" auth cookies -- Logon one place, and you automatically are authenticated on the other application

 

Disclaimers, warnings, and assumptions:

 

• I have not tested the "final product" of this walk-though in the real world. The only thing I can say is that it seems to work. You must perform your own due diligence to make sure my suggestions work for you, and that they make sense in your security environment.
• This walkthrough also assumes you have done nothing with Membership on your machine yet...If you've already set it up, some of these steps won't apply.
• You do have all the SSRS samples installed, right? If not, do not pass go.

 

Part 1: Basic Setup

 

After you're done with this "Basic Setup" section, both your web app and SSRS will utilize Forms Authentication. However, the two applications will *not* be integrated in any way (yet).

 

1. Work through this handy PAG paper to create your sample web app, configuring it to use SQLMembershipProvider:

https://msdn.microsoft.com/en-us/library/ms998317.aspx

 

NOTE: In step 4 of this article ("Create a New User"), make sure you write the username/password down -- you'll actually use them later when you're playing around with SSRS.

2. Test your work and make sure everything works per the article.

 

3. Browse to the C:\Program Files\Microsoft SQL Server\90\Samples\Reporting Services\Extension Samples\FormsAuthentication Sample folder, and follow the instructions in Readme_FormsAuthenication.htm to configure Forms Auth for SSRS

 

NOTE: In the "Testing the Sample" section of the instructions, pay attention to steps 3 and 4. Use the *same* username and password you created when setting up your sample web app just a little while ago.

 

4. Test SSRS and make sure that Forms Auth works.

 

FYI, in the previous two steps you're going to be doing some work that actually is wasted -- Namely, setting up a database / table that the SSRS security extension will use to store user names and passwords. Ultimately, the extension is going to leverage the database you created in step 1. But, go ahead, bite the bullet, and do this anyway -- you need to be 100% sure that SSRS Forms Auth is working BEFORE you try and integrate the SQLMembership provider.

Part 2: Modify SSRS to use SQLMembershipProvider

 

1. Crack open the Forms Authentication project (C:\Program Files\Microsoft SQL Server\90\Samples\Reporting Services\Extension Samples\FormsAuthentication Sample) again.

 

2. Add a reference to System.Web

 

3. Open AuthenticationExtension.cs, and add a using statement to the top of the class:

 

     using System.Web.Security;

  

   Next, find the LogonUser() method.

 

4. Replace the code in the method with this:

 

  if(Membership.ValidateUser(userName, password))

  {return true;}

   else

  { return false; }

         

5. Find IsValidPrincipalName()... replace the code you see with this:

 

  MembershipUser mUser;

  mUser= Membership.GetUser(principalName);

  if (mUser == null)

  {

    return false;

  }

  else

  {

    return true;

  }

         

6. Save your work, build the project, and re-deploy the security extension and its PDB file to same locations you copied it to while following the instructions in Readme_FormsAuthenication.htm.

 

7. Copy the <membership> section you used in Part 1, step 1 (setting up the web app) to your clipboard.

 

8. Backup the web.config file found in C:\Program Files\Microsoft SQL Server\MSSQL.?\Reporting Services\ReportServer folder.

 

    (? will equal a number between 1-X, representing where you installed SSRS...I don't know where that is)

 

9. Open web.config and paste the <membership> section right below the <authorization> section. Save it.

 

10. Navigate to C:\WINNT\Microsoft.NET\Framework\v2.0.50727\CONFIG (or wherever framework 2.0 is installed)

 

11. Backup machine.config

 

MAJOR LAMENESS ALERT

   

You've probably noticed that while you pasted in the <membership> element to web.config, you didn't also paste in the connection string that <membership> needs to connect to the user store. For some reason I just could not get this to work. If I pasted a connection string in, Report Manager would fail.

   

If you have the time or inclination to figure out if/where you can paste the connect string in web.config, let me know and I'll post your findings: This should work, but I just don’t have the patience to put the time in.

   

As a fallback, I'm just pasting the connect string into machine.config

12. Open up machine.config. Seach the file for an existing <connectionStrings> section. Mine was between the <runtime> and <system.data> sections. In my case, there was already a single connection string name "LocalSQLServer" defined.

 

13. Add the same connect string you used in Part 1, Step 1. My completely modified section looked like this:

 

  ...<runtime />

 

  <connectionStrings>

   <add name="LocalSqlServer" connectionString="data source=.\SQLEXPRESS;Integrated

    Security=SSPI;AttachDBFilename=|DataDirectory|aspnetdb.mdf;User Instance=true" providerName="System.Data.SqlClient" />

   <add name="foo" connectionString="data source=.;uid=sa;pwd=leave.MeAlone;database=aspnetdb" />

  </connectionStrings>

 

  <system.data>...

 

14. Save machine.config.

 

Browse to https://localhost/reports. If you copied everything correctly, SSRS should start and you should be provided with the SSRS login dialog. Go ahead and logon to make sure your changes work...You might also want to do something like rename the "SQL" users table you created in Part 1, Step 3, while setting up SSRS Forms Auth…by whacking this table, you can be sure that we're going against the SQLMembershipProvider store.

 

OK, so now you have SSRS working against the SQLMembershipProvider. We're almost home free.

 

Part 3: Allow SSRS and a web app to share cookies.

 

1. Read this:

 

   https://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp

  

2. Now that you've read the article above, you know that we need to modify web.config for both the web app and SSRS. You'll also be very aware that:

•  

    We'll make sure all the values in the <forms> section of each web.config file are identitcal

•    We'll add a <machinekey> element to both web.config files which contains the same value

•    We'll make sure that <machinekey> lives right under the <authentication> section.

   Here's the applicable portion of SSRS's web.config (found in C:\Program Files\Microsoft SQL Server\MSSQL.?\Reporting Services\ReportServer)

  

<authentication mode="Forms">

   <forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="60"

               path="/"></forms>

 </authentication>

   <machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1"/>

  

...and here's what the web.config for my web app looks like:

 

<authentication mode="Forms">

            <forms name="sqlAuthCookie" timeout="60"/>

</authentication>

<machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1"/>

 You’re done!

 

I’d suggest you modify the default.aspx page you created for your web app and put a command button on the form which will allow you to response.redirect to SSRS.

 

After you’ve done that, hit your web app and login. After you have logged in, you’ll redirected to default.aspx. Click the button on default.aspx, and voila, you’re inside SSRS…

Comments

• Anonymous
  January 18, 2006
  The comment has been removed

• Anonymous
  January 21, 2006
  The comment has been removed

• Anonymous
  February 14, 2006
  We are using a web app with our own custom authentication using cookies.  We want to be able to use that cookie to bypass the login screen when displaying a report to the user.  Is this possible and if yes, how?
  
  

• Anonymous
  February 20, 2006
  Hi
  It is a great tip.
  It works fine.
  One help required:
  In Report Manager, how do you assign roles to groups with Role Manager enabled?
  Presently, it is only taking usernames, but not accepting group names.
  I have membership and roles enabled in my application calling the report server.

• Anonymous
  February 22, 2006
  Yes, you can do this and it will happen automatically (the login screen will only be displayed if the cookie doesn't exist). See:
  
  http://blogs.msdn.com/bimusings/archive/2005/12/05/500195.aspx

• Anonymous
  February 22, 2006
  I haven't played with this, sorry.

• Anonymous
  February 27, 2006
  Hi,
  it is great to interoperate SQLmembershipprovider with RSS2005.
  But i need to hardcode the  Membership.ApplicationName of the website somewhere in the RSS2005.
  How if there are multiple website ( with different Membership.ApplicationName ) that need to access the same RSS2005 , but the RSS 2005 can only take one Membership.ApplicationName ?? ??
  PLease help....i stuck in this..thanks
   

• Anonymous
  March 01, 2006
  No, this wouldn't work...you essentially want o "multiplex" the user database, which we don't do...You couldn't do this in an ASP.NET app scenario, either.

• Anonymous
  March 02, 2006
  The comment has been removed

• Anonymous
  March 02, 2006
  Can you post the complete error message coming out of your log?

• Anonymous
  April 20, 2006
  Hi, I managed to get the FormsAuth to work from both (FormsAuth demo app) and the direct login to http://SERVERNAME/Reports.
  
  But I can't get it to work to use the cookie from the web app to automatically login to RS. The custom Login.aspx is shown every time after I try to redirect to http://SERVERNAME/Reports.
  
  I'm sure that I use only a single SQLServer tables users and I ca login with identical credentilas in both apps.
  
  How can I validate if the cookie is passed from ASP to RS?
  
  Is it possible to use the ReportViewer Control (ASP.net 2.0, ) in my ASP.net app and give the control the credentials from the forms auth?
  
  Thanks a lot,
  Dirk

• Anonymous
  April 21, 2006
  We are very thankfull for your step by step approach.  Everything works fine.  But i have situation, while accessing the Report Builder, its asking again userid and password.  How can i bypass that.

• Anonymous
  April 21, 2006
  Cannot find Readme_FormsAuthenication.html file and this directory. Can you post it?

• Anonymous
  April 21, 2006
  Sreeni -- There is no way to pass credentials to Report Builder if not using Windows Auth, so you will always be prompted for credentials in this scenario -- There is no way around it. Sorry.

• Anonymous
  April 24, 2006
  As i mentioned earlier i successfully implemented the forms authentication.  But i am getting the following error while generating the report using Report Builder.  "The permissions granted to user 'user1' are insufficient for performing this operation.  (rsAccessDenied)".
  
  Could you please help me out on this.

• Anonymous
  April 24, 2006
  The comment has been removed

• Anonymous
  April 25, 2006
  The comment has been removed

• Anonymous
  April 26, 2006
  The comment has been removed

• Anonymous
  May 04, 2006
  The comment has been removed

• Anonymous
  May 08, 2006
  How to add groups, after implementing the Forms Authentication? Is there any way where i can configure groups?

• Anonymous
  May 12, 2006
  I want to do authentication without using Login control.  Is that possible, if so what would be the code for that?

• Anonymous
  May 19, 2006
  The comment has been removed

• Anonymous
  June 20, 2006
  The comment has been removed

• Anonymous
  July 28, 2006
  The comment has been removed

• Anonymous
  August 01, 2006
  Reporting Services 2005, as like its predecessor but now without edition limits, allows the developers...

• Anonymous
  August 22, 2006
  Hi !
  I managed to get the custom authentication to work well for some time, but recently I've had a problem : it seems that the report server "loses" the informations about the user or it's profile after a random amount of time, and I get error messages like "The permissions granted to user '' are insufficient for performing this operation.  (rsAccessDenied)" either with an empty user name, or with the username when it has just lost the role.
  Would anybody have an idea about what is happening, and how to solve that ?

• Anonymous
  September 18, 2006
  Regarding the "object moved" error, if you are using ReportViewer you need to implement IReportServerCredentials. See the following article:
  
  http://msdn2.microsoft.com/en-us/library/microsoft.reporting.webforms.ireportservercredentials.aspx
  

• Anonymous
  October 19, 2006
  Phil passed along a blog entry from one of our SQL colleagues which mentions how to support Forms Authentication

• Anonymous
  November 09, 2006
  Did anyone figure out how to post the connection string in the web.config instead of the machine.config?  

• Anonymous
  November 27, 2006
  I have setup forms authentication for SQL 2005 RS and it works fine except for subscriptions.  If I subscribe to a report using Report Manager when logged in as a user other than the "Admin" defined in rsreportserver.config, the subscription fails.  I looked up the log files and found the following error:ReportingServicesService!library!d!11/27/2006-14:56:01:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details., ;Info: Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException: An internal error occurred on the report server. See the error log for more details. ---> System.Configuration.Provider.ProviderException: The Role Manager feature has not been enabled.  at System.Web.Security.Roles.GetRolesForUser(String username)...It goes on to list the "CheckAccess" method of my CustomSecurity module.How does the subscription delivery driver work with forms auth?It appears that subscription delivery does not recognize that role manager is enabled when Report Manager and my application both work fine with role manager.

• Anonymous
  November 30, 2006
  PingBack from http://charliem.wordpress.com/2006/11/30/forms-authentication-with-reporting-services-and-asp-authentication-provider/

• Anonymous
  December 20, 2006
  Put ConnectionString below ConfigSection in web.config file of ReportServer.It worked for me.SSRS's web.config (found in C:Program FilesMicrosoft SQL ServerMSSQL.?Reporting ServicesReportServer)<configuration> <configSections>   <section name="RStrace" type="Microsoft.ReportingServices.Diagnostics.RSTraceSectionHandler,Microsoft.ReportingServices.Diagnostics" /> </configSections> <connectionStrings>   <add name="MyLocalSQLServer" connectionString="Initial Catalog=aspnetdb;data source=blre331;Integrated Security=SSPI;" /> </connectionStrings>

• Anonymous
  February 05, 2007
  I dont have time for a lengthy post, so here is some link-love for some great articles that have helped

• Anonymous
  March 19, 2007
  I understand the authentication extension that has been done in the samples I've seen.  However, I haven't understood the authorization framework in a way that makes it useful for a project my company is building.  We'd like to use authorization from an external website's security model.  We'll know the username with an authorization security extension in CheckAccess, GetPermissions, but want to use the authorization from an external source. All we seem to have access to in the IAuthorizationExtension interface is the ACL for a given item, not any other information about the item ( such as its path or name ) except for its type.  How should the ACLs be managed for the items?  I'd like to avoid the users using Reporting Services web site to have to manage a separate authorization system from the external website's authorization system.

• Anonymous
  March 27, 2007
  The comment has been removed

• Anonymous
  April 16, 2007
  How do you programmatically set permissions using the RSS2005 WebService? There is only a GetPermissions method and a SetProperties() method. But there is no 'security' property.I want to give write access to Report Builder users to save to their own folders and read access to the suborganization folder that they belong to etc.I cannot use the 'My Reports' folder feature because it restricts them to their own folder but does not grant them read access to the suborganization folder.

• Anonymous
  April 16, 2007
  Sorry I found that I was supposed to use SetPolicies to set permissions. My next questions is, I am using ReportingService.asmx, but there's another service called ReportingService2005.asmx. What is the difference?

• Anonymous
  April 18, 2007
  ReportingService.asmx is the SSRS 2000 Webservice, which was kept around for backwards compat. You shouldn't use it if you can avoid doing so, however as it will probably "go away" in the next version of SQL.

• Anonymous
  April 22, 2007
  Hi,I want do the Authorization in form Authentication.Only user can access this much reports that belonging in to the particular Reply.

• Anonymous
  May 09, 2007
  I have Forms authentication working fine, but when deploying Reports using Visual Studio it fails to display a login popup, with error "The permissions granted to user '' are insufficient for performing this operation.What's the solution?

• Anonymous
  June 11, 2007
  How to set the authentication mode to SSRS.

• Anonymous
  July 10, 2007
  HiNice article.  I have a problem with report manager, when I login to it I get redirected back to the UILogin.aspx even though the CustomSecurity extension try to redirect to the Folder.aspx.  Any ideas why this would happen?  I can login to the Report Server with out any problem.Thanks

• Anonymous
  July 10, 2007
  Report Builder prompts for credentials every time it is launched. Is there any way to skip this since in my web app, the user has already entered his credentials once?

• Anonymous
  July 11, 2007
  SwissToni, I'm guessing you initially navigatge to SSRS using "http://localhost/Reports" instead of "http://machineName/Reports". If you don't use the machinename, you can see this behavior.

• Anonymous
  July 11, 2007
  Hi DS -If you use any sort of authentication mechanism beyond Windows in SSRS, Report Builder will always prompt for credentials. There are discussions of this elsewhere on the blog.

• Anonymous
  July 11, 2007
  The comment has been removed

• Anonymous
  July 12, 2007
  Hi Russell,That was the problem.  Many thanks.

• Anonymous
  July 16, 2007
  The comment has been removed

• Anonymous
  July 17, 2007
  You're not in SharePoint Integrated mode, are you? Also, are you calling LogonUser before you call the other SSRS web service methods?

• Anonymous
  July 18, 2007
  Thanks a lot for the reply.No, I was not in the SharePoint Integrated mode but I know that for the same issue in the SharePoint Integrated mode with the Forms Authentication, Microsoft has given a hotfix (KB 939942) on 16th july 2007.For more information, visit the following link:http://connect.microsoft.com/SQLServer/feedback/ViewFeedback.aspx?FeedbackID=278056Now coming back to my problem, I got this one resolved. I discovered that the credentials/cookie of my ReportingServices2005 object were not getting set properly. This are getting set properly now and things are working fine.DS

• Anonymous
  August 03, 2007
  The comment has been removed

• Anonymous
  August 06, 2007
  I've successfully implemented a forms custom security extension to authenticate against our LDAP server.However, deployment via Visual Studio fails due to insufficient permissions and does not prompt for login credentials to the server.Is there any way to deploy directly from Visual Studio while using Forms authentication?

• Anonymous
  October 10, 2007
  I am using Sql server 2005 reporting services. I have created reports on server. I want -- to connect reportserver from client's PC and Reports with Records should come logged in User wise. This I want to place on different panes, as this happens with Google Analytics and msn sites.

• Anonymous
  October 10, 2007
  Hi - Reporting Services isn't an analytics suite, it's a reporting tool. You're not going to find all the fun dynamic drag-and-drop stuff because it's not meant for that purpose.

• Anonymous
  October 18, 2007
  Hi, I'm not using the SQL membership provider im using an LDAP membership. Will this solution work with this also?

• Anonymous
  October 19, 2007
  Sure, but you'll have to re-write your code to talk to the LDAP provider.

• Anonymous
  October 21, 2007
  Hi thereI am trying to follow steps above, but at step 3, where i compile the sample application I get and wrror when browsing to the report server : http://<report server>/reports. The error is "loginURL is not a valid site element"What am i doing wrong?thanks in advanceKrishni

• Anonymous
  October 22, 2007
  hi thereI have managed to get the application working....yay. BUT i can only log on with the admin credentials while if I use a normal user then I get the following error when trying to use normal user credentialsSystem.Web.Services.Protocols.SoapException: Logon failed. ---> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Logon failed. at Microsoft.ReportingServices.WebServer.RSCustomAuthentication.LogonUser(String userName, String password, String authority) at Microsoft.ReportingServices.WebServer.ReportingService2005.LogonUser(String userName, String password, String authority) --- End of inner exception stack trace --- at Microsoft.ReportingServices.WebServer.ReportingService2005.LogonUser(String userName, String password, String authority)any help will be appreciatedKrishni

• Anonymous
  October 25, 2007
  I have successfully completed form authenication with and without LDAP provider.How do i call the function SetPolicies?When someone logs into the system, I want to set there role to browser. but I can't get it to work. Any ideas?           Dim test As Microsoft.Samples.ReportingServices.CustomSecurity.ReportingService2005           Dim Item As String = "/"           Dim Policies(0) As Microsoft.Samples.ReportingServices.CustomSecurity.Policy           Policies(0) = New Microsoft.Samples.ReportingServices.CustomSecurity.Policy           Policies(0).GroupUserName = TxtUser.ToString           'Policies(0).Roles = New Microsoft.Samples.ReportingServices.CustomSecurity.Role(0) {}           Policies(0).Roles(0) = New Microsoft.Samples.ReportingServices.CustomSecurity.Role           Policies(0).Roles(0).Name = "Browser"           Policies(0).Roles(0).Description = "May view folders, reports and subscribe to reports."           test.SetPolicies(Item, Policies)

• Anonymous
  November 14, 2007
  The comment has been removed

• Anonymous
  November 29, 2007
  Hi RussellI would like to thank you for this nice blog post. This has been helping me a lot and saving tons of my time.I am wondering whether you have any time to answser/comment on the below questions.How can we deploy a SSRS 2005 Report Model or a Report (RDL) to the Report Manager using Visual Studio 2005 while FORMS AUTHENTICATION + SQL MEMBER PROVIDER is on ?How can I upload the Report Model using Report Manager (I tried your sugggestions but no luck), Can you please provide more specific instructions on how to merge these files? Thanks in advance.PavaniEmail: pvajjala@doubleknot.com

• Anonymous
  January 04, 2008
  I tried to edit the connection string into both web.config in ReportManager & ReportServer. Its been two days I have been trying to input a connection string until i read your"MAJOR LAMENESS ALERT"I got it compile, but during run time when my object trying to grab the connection string. It is not there.

• Anonymous
  January 18, 2008
  Hi, nice discussion...I would also ask a question about the security context with wich a deployment is made from VS2005, which challenged me once and now those credentials are stowed somewhere and I so want to change the user, because I have subsequently created a security model to suit my situation.  If I deploy with my "currently stowed away user credentials" I have to add that account to the Publisher role, which is not what I want.  I would like to change the user?  Howz this done?  Thanks in advance!

• Anonymous
  March 13, 2008
  The comment has been removed

• Anonymous
  March 13, 2008
  Just a question for everyone: Anyone figured out how to deploy Data Sources and Report Models from Visual Studio 2005 when SSRS is in Forms Authentication mode?  I get prompted to enter user name and password but it's not able to connect to the report server.Thanks,Krip

• Anonymous
  May 28, 2008
  PingBack from http://mhinze.com/links-today-2008-05-28/

• Anonymous
  June 06, 2008
  I am able to authenticate to reporting service using the logonuser method. I call this methode from the reportproxy object while loggin in my custom application. But when I try to access the report catalog using the listchildren method it gives me an "Object moved to here" error. Any help will be appreciated.

• Anonymous
  June 25, 2008
  Great article. Will be trying soon...

• Anonymous
  July 16, 2008
  Generic lexapro. Lexapro. Lexapro focalin xr.

• Anonymous
  November 19, 2008
  registered Admin, cannot login.Russell, do you still check this article/blog?If so, I can give more detail.Thanks,Jon

• Anonymous
  February 04, 2010
  Russel, I was getting an error "object moved" while working with forms authentication in both. The issue was I din't configure the machine key. Thanks a lot.

• Anonymous
  August 06, 2010
  Hi, I have done the same.. but getting the problem at " string cookieName = response.Headers["RSAuthenticationHeader"];" . This particular key name is not existed in the "Headers" and given null value. I am not getting this one. Please help me out in this issue. I followed the steps you mentioned. Let me know if i miss any...

• Anonymous
  January 16, 2011
  Hi, actualy I've got this working. Accessing the ReportManager Website with a browser everything works fine. But: Using ReportViewer or accessing a webservice the result is that not text/xml is received but text/html Any suggestions? SQL Server 2008 R2

• Anonymous
  October 16, 2011
  I want publish ssrs report in cliam based authentication.. can any one help me..