Why doesn't IIS's Windows/Integrated Authentication deliver user credentials to SSRS and SQL?

asp.net entity-framework iis reporting-services web-services

Accepted Answer

Windows or integrated authentication just indicates that the user has been verified using their Windows credentials (or token), not that the request is being processed on their behalf. Unless you enable the ASP.NET run-time to mimic a different identity, the request will be processed by the worker process (App Pool) identity.

Therefore, the server is operating under your identity when you view the site using the development server, and the connection to SSRS and SQL Server is made under your identity and is successful.

When you loaded your website in IIS, the application pool's defined identity would be used to execute ASP.NET requests. This identity is typically a local user, thus access to network resources like SSRS or SQL Server would be prohibited. Adding <identity impersonate="true" username="your name" ../> works, since ASP.NET will then process requests using your identity, so both SSRS and SQL Server should function as expected.

Here's the strange case: <identity impersonate="true" /> - With this option selected, ASP.NET will mimic a Windows identity that is presently authorized. However, you must set up IIS and ASP.NET with integrated authentication and block anonymous access for this to function properly (in ASP.NET as well as IIS). If this isn't done, the current user's identity may not be authenticated, and the request could instead be processed using an anonymous user's identity (as configured in IIS). Identity would not be sent to the ASP.NET request if integrated authentication was marked in IIS but not in ASP.NET. Your ASP.NET request was operating under a credential that allows access to SQL Server but not to SSRS, thus you will need to review your setup to determine the specific circumstance you encountered.

9/16/2011 7:19:13 AM
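The identity rules in the answer above can be turned into a configuration check. The following is an added example, not code from either answer: it reads a constructed web.config and reports which identity ASP.NET requests would run as, and which setting lets a request fall back to the anonymous user. It assumes the IIS authentication sections are unlocked so they appear in web.config, uses product defaults for missing settings, and ignores inherited parent configuration.

```python
import xml.etree.ElementTree as ET

POOL = "application pool identity"
USER = "authenticated Windows user"
ANON = "possibly the IIS anonymous user"

# Constructed sample web.config (not from the post). Assumes the IIS
# authentication sections are unlocked so they can appear in web.config.
SAMPLE = """<configuration>
  <system.web>
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <authorization><deny users="?" /></authorization>
  </system.web>
  <system.webServer><security><authentication>
    <anonymousAuthentication enabled="true" />
    <windowsAuthentication enabled="true" />
  </authentication></security></system.webServer>
</configuration>"""

def _attr(node, name, default):
    """Case-insensitive attribute lookup; default if node or attribute is absent."""
    if node is None:
        return default
    return {k.lower(): v for k, v in node.attrib.items()}.get(name.lower(), default)

def effective_identity(xml_text):
    """Return (identity ASP.NET requests run as, list of findings)."""
    root = ET.fromstring(xml_text)
    ident = root.find("system.web/identity")
    if _attr(ident, "impersonate", "false").lower() != "true":
        return POOL, []
    fixed = _attr(ident, "userName", "")
    if fixed:
        return "fixed account: " + fixed, []
    # <identity impersonate="true" /> alone: every layer must insist on Windows auth.
    # Missing settings use product defaults; inherited configs are not considered.
    iis = "system.webServer/security/authentication/"
    findings = []
    if _attr(root.find(iis + "windowsAuthentication"), "enabled", "false").lower() != "true":
        findings.append("IIS Windows authentication is not enabled")
    if _attr(root.find(iis + "anonymousAuthentication"), "enabled", "true").lower() == "true":
        findings.append("IIS anonymous authentication is enabled")
    if _attr(root.find("system.web/authentication"), "mode", "Windows").lower() != "windows":
        findings.append("ASP.NET authentication mode is not Windows")
    denies = root.findall("system.web/authorization/deny")
    if not any("?" in _attr(d, "users", "") for d in denies):
        findings.append('ASP.NET does not deny anonymous users (<deny users="?" />)')
    return (ANON if findings else USER), findings
```
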

Popular Answer

The "double hop" problem, which states that your credentials can only be used twice, is another thing you need to be aware of.

If you are using Windows Authentication and impersonation to visit a website, the website may contact another service in your place. Your credentials cannot be sent on again if the other service is a different website (such as Reporting Services), which in turn contacts a different service (such as a database). This implies that if the database needs user credentials, it will raise an error.

Licensed under: CC-BY-SA with attribution
Not affiliated with Stack Overflow