Authentication over the internet

Last Post 04 Aug 2004 06:40 AM by Craig HB. 3 Replies.
AddThis - Bookmarking and Sharing Button Printer Friendly
  •  
  •  
  •  
  •  
  •  
Sort:
PrevPrev NextNext
You are not authorized to post a reply.
Author Messages
Craig HB
New Member
New Member

--
02 Aug 2004 12:24 AM
I am building an asp.net app that will use reporting services to show reports within the application. Users login to the application and when they need to see a report I use web services to render the report. The asp.net app and reporting services are on the same windows 2003 server (not using active directory).

Because reporting services uses Windows authentication and does not allow anonymous access, I have created a windows account (called "RSUser") that has access to my reports. When the user runs a report, I pass in the credentials for this windows account like this...

rs.Credentials = New System.Net.NetworkCredential("RSUser", "password", "domain")

This all works, and the report renders using the permissions from RSUser. The problem is that all the reports use treeviews for drill-down (and some use drill-through). When you expand a drill down you are prompted for a windows login. I think this is because this postback is now coming from the client PC, instead if from the asp.net app (i.e. on the server), and so reporting services needs to anthenticate this new user.

The only solution that I have found for this is developing a security extension for reporting services...

http://msdn.microsoft.com/library/?...irs_topic3

... but this seems like overkill and a very complicated process, and Microsoft says in the article that this is not fully tested and should not be used in a production environment (but that where I need it for).

Does anyone have a solution ?

Craig
xfonhe
New Member
New Member

--
04 Aug 2004 06:33 AM
Can you not used cached credntials in your ASP app?
Craig HB
New Member
New Member

--
04 Aug 2004 06:40 AM
no -- the problem is not when the asp app connects the reporting services, but when the user starts clicking on the report and that client has not been authenticated. i got a really good reply from the microsoft forum....


Craig,

You are right. You get prompted because the drilldown and drillthough
interactive features require URL acccess and request goes out on the client
side of the application.

In a nutshell, if your reports have interactive features you need to go for
URL access. For Internet-oriented apps this means writing a custom security
extension. It is not that involved to write and I have deployed an
application that uses a custom security extension in a production
environment. There are some gotchas to avoid but in general my experience
writing custom security extensions have been positive and you will learn a
lot about how RS handles authentication and authorization.

--
Hope this helps.
xfonhe
New Member
New Member

--
04 Aug 2004 06:50 AM
Good deal... thanks for the update.
You are not authorized to post a reply.

Acceptable Use Policy