Sharepoint 2019 with SSRS ReportViewer Web Part

Pedro Soares 396 Reputation points
2021-05-21T00:21:33.047+00:00

Hi, I'm currently migrating SQL 2012 and SharePoint 2013 to their 2019 versions.

I'm having some issues however with the SSRS ReportViewer on Sharepoint 2019 and it's most likely a security issue.

My server configuration is, for both 2012/2013 and 2019 versions:

Server A: Hosts all the SQL Server components: DB Engine, SSIS, SSAS and SSRS Native
Server B: Hosts SharePoint Server

I'm not sure what is the security protocol that I'm using in SharePoint 2013, but I can see that Claims to Windows Token Service is running, and I can embed SSRS 2012 native reports without a problem, with the old ReportViewer web part.

On SharePoint 2019, I installed it with NTLM and I'm not sure it will work, and that's why I would like to understand what is the security protocol running on the 2012/2013 environments to see what I'm doing wrong on the new one. On Sharepoint 2019 installation I tried Negotiate (Kerberos) at first, but I couldn't even log into Sharepoint Central Administration after that, so I reinstalled it with NTLM.

I'm currently not able to reach the report server and I got 2 different messages when clicking the Load Parameters button on the Report Viewer web part, and tweaking permissions / properties:

  1. Could not retrieve a valid Windows Identity
  2. The request failed with HTTP status 401: Unauthorized

I also know that the C2WT service is not running on SharePoint 2019. I'm having an issue when going to Configure service accounts, with the error "Sorry, this site hasn't been shared with you". This account is a Managed Account and I was able to access this option, but not anymore... I'm not sure what happened. I also tried launching it with Run as administrator, with no success.

Would appreciate some help to troubleshoot this problem efficiently.

Best regards


5 answers

  1. Jerry Xu-MSFT 7,946 Reputation points
    2021-05-21T07:34:05.847+00:00

    Hi, @Pedro Soares ,

    Here are answers for some of your questions.

    1. How to know the security protocol that I'm using in SharePoint 2013?
      As you have access to the Central Admin, Open the CA in browser. Click Manage Web applications > Select your web application > Authentication Provider (Ribbon option) > Click on Default(Zone Name)
    2. Not sure if you are trying to deploy Kerberos on the new farm, if you want to do that, here are some articles for your reference: https://thesharepointfarm.com/2017/10/enabling-kerberos-sharepoint/
      https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/kerberos-authentication-planning
    3. I'm having an issue when going to Configure service accounts, with the error "Sorry, this site hasn't been shared with you". This account is a Managed Account and I was able to access this option, but not anymore... Do you mean the issue is that you cannot manage the managed account? Can you access other locations in the CA with a farm administrator account?


  2. Pedro Soares 396 Reputation points
    2021-05-21T10:13:58.573+00:00

    Hi @Jerry Xu-MSFT ,

    Thank you for the reply.

    1. I've been able to check the Sharepoint 2013 and it's NTLM.
    2. I would like to keep NTLM in Sharepoint 2019 as Kerberos is more complex and requires some work on the Active Directory, while I understand it's the recommended security protocol. Anyway, will I be able to keep NTLM and use the ReportViewer web part, as I was doing previously on Sharepoint 2013? I will need to activate the C2WT service, but I'm unable to do it, due to the problem below.
    3. Yes, I'm able to navigate through the CA with the Farm Administrator Account, which is also a member of the Administrators group of the SharePoint server. I've recorded the steps and I'm attaching them here.

  3. Pedro Soares 396 Reputation points
    2021-05-21T17:09:51.083+00:00

    Number 3 is solved, it was a DNS and browser issue.

    I was able to start the Claims to Windows Token Service, but I'm unable to access the report, due to "Could not retrieve a valid Windows identity."

    The report doesn't have any data source; it's just a dummy I've created.

    Any thoughts are helpful. Thank you


  4. Pedro Soares 396 Reputation points
    2021-05-23T21:02:04.137+00:00

    I was able to get a read on the logs and the error message is this:

    05/21/2021 15:06:28.23 w3wp.exe (0x25F8) 0x23F8 SharePoint Foundation Security Token Service Caller bz7l Medium SPSecurityContext: Could not retrieve a valid windows identity for username 'NAV\BSC' with UPN 'BSC@Nav .priv'. UPN is required when Kerberos constrained delegation is used so throwing. Exception: 'System.ArgumentException: Token cannot be zero. at System.Security.Principal.WindowsIdentity.CreateFromToken(IntPtr userToken) at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken, String authType, Int32 isAuthenticated) at System.Security.Principal.WindowsIdentity..ctor(IntPtr userToken) at Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation) at Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()'. c816ca9f-8ef5-f09d-d433-a66b45addf85

    This might hint that the C2WTS service account can’t perform the S4ULogon (Service for User Logon) and can’t take the claim identity and convert it to a windows token. Do I need to give any permission for this account?

    0 comments No comments
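
A small triage script for log entries like the one quoted in the post above, added here as an example and not part of the original thread: it extracts the account, UPN, exception and correlation ID, then groups failures per account to show whether one user or every user fails at the Claims to Windows Token Service call. The sample entries and CONTOSO names are constructed, and the space-separated layout is assumed from the quoted line.

```python
import re
from collections import Counter

# Constructed entries in the flattened layout of the log line quoted above
# (real ULS files are tab-separated); accounts and correlation IDs are made up.
_HEAD = "w3wp.exe (0x25F8) 0x23F8 SharePoint Foundation Security Token Service Caller bz7l Medium "
_FAIL = ("SPSecurityContext: Could not retrieve a valid windows identity for username '{u}' with UPN '{p}'. "
         "UPN is required when Kerberos constrained delegation is used so throwing. Exception: "
         "'System.ArgumentException: Token cannot be zero. at "
         "Microsoft.IdentityModel.WindowsTokenService.S4UClient.CallService(Func`2 contractOperation) at "
         "Microsoft.SharePoint.SPSecurityContext.GetWindowsIdentity()'. ")
SAMPLE_ULS = "\n".join([
    "05/21/2021 15:06:28.23 " + _HEAD + _FAIL.format(u=r"CONTOSO\alice", p="alice@contoso.example")
    + "00000000-0000-0000-0000-000000000001",
    "05/21/2021 15:07:02.10 " + _HEAD + _FAIL.format(u=r"CONTOSO\alice", p="alice@contoso.example")
    + "00000000-0000-0000-0000-000000000002",
    "05/21/2021 15:09:41.77 " + _HEAD + _FAIL.format(u=r"CONTOSO\svc-nomail", p="")
    + "00000000-0000-0000-0000-000000000003",
    "05/21/2021 15:10:00.00 " + _HEAD + "Unrelated constructed entry. 00000000-0000-0000-0000-000000000004",
])

ENTRY = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} [\d:.]+) (?P<proc>\S+) .*?"
    r"valid windows identity for username '(?P<user>[^']*)' with UPN '(?P<upn>[^']*)'"
    r".*?Exception: '(?P<exc>[^:']+): (?P<msg>[^.]*)\..*?"
    r"(?P<corr>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\s*$"
)
UPN_OK = re.compile(r"^[^@\s]+@[^@\s]+$")

def triage(text):
    """Return one finding per 'Could not retrieve a valid windows identity' entry."""
    findings = []
    for m in filter(None, map(ENTRY.match, text.splitlines())):
        f = m.groupdict()
        # S4UClient.CallService in the stack: the failure happened in the call to C2WTS.
        f["stage"] = "c2wts-s4u" if "S4UClient.CallService" in m.string else "other"
        # The message says a UPN is required, so an empty or malformed one is its own lead.
        f["upn_ok"] = bool(UPN_OK.match(f["upn"]))
        findings.append(f)
    return findings

def by_account(findings):
    """Count failures per (username, stage, upn_ok): one user affected, or all of them?"""
    return Counter((f["user"], f["stage"], f["upn_ok"]) for f in findings)

if __name__ == "__main__":
    for key, n in by_account(triage(SAMPLE_ULS)).items():
        print(n, key)
```

The correlation ID in each finding can be used to pull the surrounding ULS entries for the same request.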

  5. Pedro Soares 396 Reputation points
    2021-05-31T17:45:22.527+00:00

    Hi,

    Back to this issue. I installed a new SSRS instance in the same machine as sharepoint and it works correctly, so the issue is really delegating credentials from server B, where Sharepoint 2019 is, to A, where SSRS 2019 is.

    Anyway, I would like to know if it would be recommended to keep SSRS close to Sharepoint (ie, the same server) or to keep it in the SQL Server Box (SSIS, SQL DB Engine, SSAS) (server A)?

    In this case the service account running the C2WTS needs to be configured in the AD to be able to delegate to the service account running SSRS, correct?

    Thank you
