Share via

Data Source Credentials, Double Hop, SA Role

John Abel 211 Reputation points
2020-09-29T19:10:14.32+00:00

Greetings, have a 2019 install of SSRS which I have a data source on another SQL Server, so when I set the credentials for the data source to be "as the user viewing the report" it fails and I believe this is due to the double hop as we do not have kerberos authentication configured. When I set the data source to "use the following credentials" and use a windows account, this works only if the account is in the SA role on the database server, any other role I tried I get an error as it is trying to run an "execute as" behind the scenes. When I leave the data source configured with the windows account with the SA role, and run a trace I can see that the database access is being done by the user running the report, not the windows account in the SA role. I have the check box "log in using these credentials, but then try to impersonate the user viewing the report" checked, so it appears to be doing just that. My question is how this is getting around the double hop problem and is it opening anything else up by having that data source use an SA account?? We can further restrict permissions in SSRS and looks like I can use database permissions but I would prefer not to have the data sources configured this way. I can't get kerberos authentication here. See screenshot below of the settings
29139-dsconn.png

SQL Server Reporting Services
SQL Server Reporting Services
A SQL Server technology that supports the creation, management, and delivery of both traditional, paper-oriented reports and interactive, web-based reports.
3,065 questions
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Joyzhao-MSFT 15,636 Reputation points
    2020-09-30T02:05:13.937+00:00

    Hi,
    For double hop issue , you could look at : The Double-Hop Authentication Problem
    But I as know to work around it, we need to use kerberos.
    This is also a very detailed solution guidance at :
    Configure Kerberos Authentication for Reporting Services
    Regards,
    Joy

    If the answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. John Abel 211 Reputation points
    2020-09-30T13:11:52.543+00:00

    Thanks for the reply, but kerberos is not something the domain admin is likely to take on here. My question is how this is getting around the double hop problem by the configuration I have, and is it opening anything else up by having that data source use an SA account??

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.