Saturday, February 25, 2012

Report Server Authentication through Internet

We're trying to determine the best way to implement an authentication mechanism for our reporting services solution. Basically, we are exposing a web application to the internet, and allowing a forms authenticated user to access our report server somewhere within our intranet to view reports. I've browsed msdn and found that there are two approaches:

1. create a custom authentication extension for reporting services
2. create a restricted domain user that is allowed to access the report server

Going with approach 2 and assuming I'm using a ReportViewer control, in order to authenticate with the report server (using the one domain user created specifically for report server access), are we supposed to just provide an instance of an object implementing IReportServerCredential containing the domain user information to the Credentials property of the ReportViewer.ServerReport before accessing the report? Is this the correct way to implement approach 2? Also, if implementing approach 2 is so simple compared to approach 1, why would anyone choose to implement custom authentication extension if they don't need fine-grain access control on the report server level?

Thanks for any help and suggestions!|||If you use IReportServerCredential you essentially implement basic security since you need the user id and password. Instead, I'd recommend you use the identity of the asp.net process (application domain in IIS 6.0). You will need custom security if you need to propagate the user identity to the Report Server so RS can tell the users apart. If you don't need this then trusted account will be the recommended approach. You may find the following article useful.|||Thanks for the reply, Teo.

I read the article. So are you recommending that we run the ASP.Net process, hosting our custom application, under some domain account to grant it access to RS? Are there any security risks using this approach where we are granting the process (and all applications running under it in IIS 5.0, and at least the entire application pool itself in IIS 6.0) domain access? Or am I just misunderstanding this approach entirely? Thanks again for the help!|||Just to note that it doesn't have to be a domain account if the app and RS are on the same machine. Inherently, this approach is more secure because you don't need to deal with passwords.|||Hi Teo, thanks again for the reply.

The App and RS will be on separate machines. The App will be on an internet-facing webserver, whereas RS will be somewhere on a domain-access-only machine. So I'm guessing I must run the App under a domain account.

How safe is it to have the domain account's user/pass stored in an encrypted .config file on the webserver machine, which would be read and passed (i.e. basic) to RS for authentication on a domain-access-only machine? And since I'm only passing these credentials between machines within my domain, isn't the passing of the credentials quite safe? And also this way, isn't it safer that the process running the application does not have more rights than it should at any time, while access to domain/RS is granted to the user only on an on-demand basis?

Sorry for asking so many questions. I just want to understand all the pros and cons of each approach. Thanks a lot for the patience!|||

So I'm guessing I must run the App under a domain account.

Yes, you are right.

How safe is it to have the domain account's user/pass stored in an encrypted .config file on the webserver machine, which would be read and passed (i.e. basic) to RS for authentication on a domain-access-only machine?

As I mentioned, if you use IReportCredentials in ReportViewer you are essentially using Windows Basic security. The credentials will be passed base64-encoded between the app server and RS. But since this is on your internal LAN, it may not be a huge security risk for you. We followed this pattern with our application for clients who don't have AD. The ReportViewer would read the credentials from a security service (stored in encrypted format), decrypt them and set them on the call.

|||Hi Teo,

Thanks a lot again for the reply.

As I mentioned, if you use IReportCredentials in ReportViewer you are essentially using Windows Basic security. The credentials will be passed base64-encoded between the app server and RS.

Can I set up ReportServer to use SSL to even further secure this portion of the basic authentication within the LAN?
|||Sure, you can.|||Thanks, Teo.

Final question, can you tell me any security risks of running the asp.net under a domain account? Is there any possibility that that identity could be hijacked and maliciously used?|||None that I know of. With IIS 6.0 I recommend you set up a separate application pool. That way the domain identity will be scoped for the application only.|||Hi Teo,
You have answered all my questions. Thanks for all the replies you've given me on this thread. All your suggestions and pointers have been a great help. Thanks!!
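The following is an added example of approach 2 as discussed in this thread, written for this page and not code posted by either participant. It shows an `IReportServerCredentials` implementation (the `Microsoft.Reporting.WebForms` interface the ReportViewer control actually consumes) that reads the fixed report-server account from an `appSettings` section that has been encrypted with `aspnet_regiis -pe`, and a helper that wires it onto a `ReportViewer`. The key names `ReportServer.User`, `ReportServer.Password` and `ReportServer.Domain`, the server URL and the report path are assumptions chosen for the example. Because ReportViewer stores the credentials object in session state, the class holds no secret fields itself and resolves the values only when asked, so nothing sensitive is serialized; the URL uses https so the Basic credentials are not sent base64-encoded in the clear.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Security.Principal;
using Microsoft.Reporting.WebForms;

// Credentials object assigned to ReportViewer.ServerReport.ReportServerCredentials.
// ReportViewer keeps this object in session state, so it must be serializable;
// it deliberately contains no secret fields, only the names of config keys.
[Serializable]
public sealed class ConfigReportServerCredentials : IReportServerCredentials
{
    // Assumed appSettings keys (not from the thread). The appSettings section is
    // expected to be protected with aspnet_regiis -pe so the plaintext password is
    // never stored on disk; ConfigurationManager decrypts it transparently.
    private const string UserKey = "ReportServer.User";
    private const string PasswordKey = "ReportServer.Password";
    private const string DomainKey = "ReportServer.Domain";

    // No Windows impersonation: the single restricted domain account is used instead.
    public WindowsIdentity ImpersonationUser
    {
        get { return null; }
    }

    // Resolved on every call rather than cached, so the secret never lives in session.
    public ICredentials NetworkCredentials
    {
        get
        {
            string user = Require(UserKey);
            string password = Require(PasswordKey);
            string domain = ConfigurationManager.AppSettings[DomainKey] ?? string.Empty;
            return new NetworkCredential(user, password, domain);
        }
    }

    // The report server uses Windows authentication, not a forms extension,
    // so there is no authentication cookie to hand back.
    public bool GetFormsCredentials(out Cookie authCookie, out string userName,
                                    out string password, out string authority)
    {
        authCookie = null;
        userName = password = authority = null;
        return false;
    }

    // Fail loudly at configuration time instead of sending an empty credential.
    private static string Require(string key)
    {
        string value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrEmpty(value))
        {
            throw new ConfigurationErrorsException("Missing appSettings key: " + key);
        }
        return value;
    }
}

public static class ReportViewerSetup
{
    // Call once per page (e.g. from Page_Load when !IsPostBack) with the page's
    // ReportViewer control. The URL and path are placeholders for this example.
    public static void Configure(ReportViewer viewer)
    {
        viewer.ProcessingMode = ProcessingMode.Remote;
        ServerReport report = viewer.ServerReport;
        // https keeps the base64-encoded Basic credentials off the wire in clear text,
        // which is the SSL question raised in the thread.
        report.ReportServerUrl = new Uri("https://reportserver.example.internal/ReportServer");
        report.ReportPath = "/Sales/MonthlySummary";
        report.ReportServerCredentials = new ConfigReportServerCredentials();
    }
}
```

To encrypt the section on the web server, run `aspnet_regiis.exe -pe "appSettings" -app "/YourApp"` (add `-prov DataProtectionConfigurationProvider` to use DPAPI bound to that machine instead of the default RSA provider). The project must reference `System.Configuration` and the ReportViewer assembly. Note that this is the Basic-style path Teo describes; his preferred alternative of running the application pool under the domain account needs no credentials object at all, since ReportViewer then uses the process identity by default.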
