Accessing a report anonymously in SQL Reporting Services 2000
I've worked with several customers who use a custom authentication scheme in their enterprise, and therefore couldn't secure Reporting Services using Windows Authentication. Some of these folk also didn't want to write their own custom security extension or use/modify Microsoft's forms authentication sample found at https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql2k/html/ufairs.asp
Instead, they wanted a simple way to allow their users to access reports anonymously without opening SSRS up to every hacker-wannabe on earth. The problem is obvious: if you turn anonymous access ON for the /Reports and /ReportServer vdirs, everyone comes in with the exact same level of permissions. Either everyone is a Browser, or a Content Manager, for example.
I've been playing around with this scenario for a while, and never came up with an even somewhat acceptable workaround. Well, Larry Clark (a member of our national Tech Team) came up with a pretty good solution. Thanks Larry!
Limitations:
- The reports you access anonymously must use stored credentials
- The user must navigate directly to the report with a URL access string rather than using Report Manager
Warnings:
- We tell people not to mess around with the properties of the Reporting Services vdirs for good reason. If you change them, or work around them in any fashion, you can open yourself up to all sorts of nasty stuff. It's questionable whether I'd use this technique in a production Internet-facing scenario…I probably wouldn't.
- This technique has NOT been tested in the real world: I'd advise you not to be the first, either.
That being said, here's how it's done:
1. Use the IIS Manager Snap-in to save the configuration of the /ReportServer vdir to a file (right-click /ReportServer | All Tasks | Save Configuration to a File).
2. Create a new vdir (I named mine /ReportServerAnon) based on the saved file.
3. Using the snap-in, enable anonymous access on the new vdir and de-select Integrated Windows Authentication (you're doing this work against /ReportServerAnon, right? NOT /ReportServer!).
4. Back in Report Manager, grant I_USER Browser permissions on the particular report(s) you want an anonymous user to be able to run.
5. Provide your users with a direct URL to the report(s) in question. The URL will utilize the /ReportServerAnon vdir versus the standard /ReportServer vdir. For example, while testing this, I used:
https://someMachineName/ReportServerAnon?/samplereports/report1
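An added example, not part of the original post: since the anonymous vdir lets every visitor in as the same account, one check worth running afterwards is an audit of the IIS W3C log for anonymous requests to /ReportServerAnon that target anything other than the reports from step 4. The allow-list, the field layout and the sample log lines are constructed assumptions for illustration.

```python
from urllib.parse import unquote

ANON_VDIR = "/reportserveranon"                 # vdir name from step 2
ALLOWED_REPORTS = {"/samplereports/report1"}    # assumed: items granted Browser in step 4

# Constructed IIS W3C log lines (not real traffic); cs-username "-" means anonymous.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2005-11-04 10:00:01 10.0.0.5 - GET /ReportServerAnon /samplereports/report1 200
2005-11-04 10:00:09 10.0.0.5 - GET /ReportServerAnon /samplereports/report1&rs:Command=Render 200
2005-11-04 10:02:13 10.0.0.9 - GET /ReportServerAnon /finance/payroll 200
2005-11-04 10:02:40 10.0.0.9 - GET /ReportServerAnon %2ffinance%2fpayroll&rs:Format=PDF 401
2005-11-04 10:03:02 10.0.0.9 - GET /ReportServerAnon / 200
2005-11-04 10:05:00 10.0.0.7 CORP\\alice GET /ReportServer /finance/payroll 200
"""


def report_path(query):
    """Item path in a URL access query: the part before the first '&', decoded."""
    path = unquote(query.split("&", 1)[0]).lower().rstrip("/")
    return path or "/"


def audit(log_text, allowed=ALLOWED_REPORTS):
    """Return (client_ip, item_path, status, verdict) for each off-list anonymous hit."""
    allowed = {p.lower() for p in allowed}
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column order comes from the log itself
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower().rstrip("/") != ANON_VDIR:
            continue                            # only the anonymous vdir is in scope
        path = report_path(row.get("cs-uri-query", "-"))
        if path in allowed:
            continue
        status = row.get("sc-status", "")
        # A 2xx answer means the anonymous account can read more than intended.
        verdict = "EXPOSED" if status.startswith("2") else "denied"
        findings.append((row.get("c-ip", "?"), path, status, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Any EXPOSED row means the anonymous account holds a role on an item it was not meant to reach, and the role assignment in Report Manager should be tightened.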
Comments
- Anonymous
November 04, 2005
Excellent, I am new to IIS. I followed the instructions and it did exactly what it said.
What more can I say, Thank you.
- Anonymous
January 05, 2006
Nice work around. Speaking of work arounds... is there a good way to secure querystring parameters being passed into report? I don't want users tampering with the querystring for reports they run.
- Anonymous
January 05, 2006
Hi Rob --
Tudor has a good discussion on this subject, here:
http://blogs.msdn.com/tudortr/archive/2004/07/20/189398.aspx
The long and short of things is you shouldn't use parameters as a way to transfer or filter "sensitive" data. If you must, use a POST along with https.
- Anonymous
June 01, 2006
I know it's been a long time, but this workaround doesn't seem to work in RS 2005.
I've set up anon access for /reportserver, so folks on my intranet can view (my dev server is in a different domain than our users - company policy).
All works well until I try to deploy from VS2005. If I take anon access off, the deploy works.
Any ideas?
- Anonymous
June 06, 2006
It sounds like I_USER needs permissions to publish -- Right now you are only giving it permissions to browse / run reports...just change this in Report Manager....But you have to remember that now ANYONE can publish reports to your server...
- Anonymous
June 27, 2007
(migrated post from November 21st, 2006) Whoever has worked with SQL 2000 Reporting Services knows that