question

JordanWilliams-6857 avatar image
0 Votes"
JordanWilliams-6857 asked YijingSun-MSFT edited

Report Builder can't connect to server with custom security extension (SSL Client Certificates)

I have successfully followed this sample guide to add custom forms authentication to SSRS 2019: Reporting Services Custom Security Sample for Power BI Report Server and SQL Reporting Services 2017. This consisted of a basic username/password login page before a user was given access to the report server.

I then modified it to accept SSL Client Certificates instead of username/password. My IIS server requires client certs and forwards incoming connections from external.url/reports/...reportserver to internal.url/reports/...reportserver. This requires the user to select a certificate that is then sent to the forms logon page, which then authenticates the certificate using the custom security extension. The user never sees the logon page themselves except for getting a 401 page when their certificate is not authorized.

You can only connect to SSRS via the external URL since that is the only way to get prompted for an SSL Client Certificate. If anyone knows a way to force SSRS to require client certificates on its own, please let me know as that would simplify this process significantly.

Using the sample extension as is with username/password auth, Report Builder is able to connect to the report server via internal.url/reportserver which then prompts the user for a username and password (inside Report Builder). I believe this behavior was enabled from SSRS's web.config having the following setting:

<authentication mode="Forms">
    ...
</authentication>

Using my modified custom security extension for SSL Client Certs, there is no way for the Report Builder to connect to SSRS.

Using the internal URL prompts the user for username/password (which does not exist, since the authentication extension only handles Client Certs). When trying to use the external URL with the goal of getting prompted for a SSL Client Cert, Report Builder fails to connect immediately.

I am stuck on how to enable Report Builder to connect to SSRS with a custom security extension (SSL Client Certificates) that requires passthrough from IIS before one can access the server/portal.




sql-server-reporting-services
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

Joyzhao-MSFT avatar image
0 Votes"
Joyzhao-MSFT answered

Hi @JordanWilliams-6857 ,
Reporting Services Native mode uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. Transport Layer Security (TLS) was previously known as Secure Sockets Layer (SSL). If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate to a Reporting Services URL reservation to support report server connections through an encrypted channel.
You must have a server certificate installed on the computer (client certificates are not supported). Reporting Services does not provide functionality for requesting, generating, downloading, or installing a certificate.
For more information, see Configure TLS connections on a native mode report server.
Best Regards,
Joy


If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.