We are upgrading to SSRS 2008 R2 on 2008 Server. We have a production environment that prevents us from having local admin permissions for accounts. We have been told that we can only have a batch level service account. I assume[d] the Content Manager and System Administrator role can run under this account however we can't seem to get ReportManager running without local admin. The SSRS database is installed on a separate box.
I'm hoping someone has a set of steps or reference to how we can configure this to work without local admin.
thanks
Marty
When installing SSRS by default there is no place to enter ssrs manager or ssrs credentials. Just set up the endpoints, database, email and a low level account. You would need an admin account initially to access the report manager once. During this time other system level accounts can be created that can match to your admins batch user requirements. I would propose two accounts for the SSRS box.
1. Report User - Can Run Reports Can View
2. Report Admin - Can Update Defs. Can Run Reports
Then deploy reports using ReportAdmin and request reports using ReportUser.
Related
Hi I am new to SAP Business Object Central Management Console and trying to schedule a crystal report. For this I made an ODBC connection to a database(NCBODS) in the Server machine using windows authentication. I also gave same windows credentials in CMC as shown in below image. But It gives me an error saying
Error Message:
Error in File C:\Program Files\Business Objects\BusinessObjects Enterprise 11.5\Data\procSched\SDDVCTRTRCH11.reportjobserver\~tmp5448125TH7b9b16.rpt: Unable to connect: incorrect log on parameters. Details: [Database Vendor Code: 18456 ]
I have given the same windows credentials that I use to connect to the app server. Still I am getting "incorrect log on parameters"
But when I use a SQL Authenticated Login in the ODBC connection and also use the same SQL Login credentials in CMC it works fine.
So the problem here is when I use the windows credentials it throws error but works fine when SQL credentials are used. Is there any way I can use windows credentials in CMC?? I really appreciate if any one can help me on this
If you create an ODBC DSN with authentication set to trusted connection (Windows authentication), be aware that a different account will be used when creating the DSN and when using it in BusinessObjects:
When creating the connection: the DSN is created using the credentials you're logged on with (i.e. your Windows AD user account)
When running a report: the connection to the database is initiated through BusinessObjects, thus the account which BusinessObjects is running with, will be used to connect to the database.
In other words, you need to make sure that following requirements are met:
Your SIA (Server Intelligence Agent) which runs your CMS, Crystal Reports servers, etc must be configured to run with an Active Directory service account. By default, it runs with the Local System Account, which will not be able to log on to your database (as it's a local account, it's not even able to access network resources).
You need to grant the service account you used to configure the SIA in step 1 the necessary rights to your database.
Remarks:
If you're using AD SSO, you cannot schedule the report so that it uses the Active Directory credentials of a certain user (because BOBJ doesn't store these credentials, it only verifies them at logon).
If you're not using AD SSO, but are authenticating users to the BusinessObjects platform (InfoView) with manual AD authentication, you can set the option Synchronization of Credentials. This forces BOBJ to store the AD credentials when the user authenticates.
The credentials are stored in the user profile (Database Credentials).
Logging in as administrator to Window 2008 R2 I can access all files on the server, naturally.
If I then login to SQL Server 2008 R2 as sa, I cannot access some flat files, for example, to Restore or dump data via bcp. (I can access all flat files via Import/Export Wizard though.)
I end up moving backup files around the file system until I find somewhere that works, or dumping data files to places I would prefer not to use.
How do I give sysadmin rights to these forbidden folders?
Why would my predecessor have blocked sysadmin access to these areas, do you think?
It's because when you are logged into SQL server as SA, you are the admin for SQL server, not the Windows server itself.
You are constrained to what the SQL server service account has rights to access on the machine as that is the context in which SQL server runs.
To be able to access these windows locations from within SQL server, first identify the name of the service account that is actually running the SQL server service and then give the permissions on the folders to this account.
To find the SQL Server service account, you can query the sys.dm_server_services DMV to find the account:
SELECT * FROM sys.dm_server_services
This will show you the service account set for each service, alternatively, you could just look in either the services console in Windows or SQL server configuration manager to see what account the SQL server is logging on as.
This DMV was introduded in SQL Server 2008 R2 SP1, so won't work in earlier versions, the following article has some information on various ways to find the service account:
Get SQL Server Service Account using T-SQL
I am running an instance of Reporting Services 2008 R2 and would like to customize the Browser role. By default, that role is allowed to view folders, reports and subscribe to reports. I want to remove the ability of users in the Browser role to subscribe to reports.
Please let me know if this role modification is possible. If not, is there a way to create a new role that can only view folders and reports?
You can accomplish this easily, but the path to this feature is a little unusual. To change the security like this you need to use SQL Server Management Studio to connect to SSRS:
Server type: Reporting Services
Server name: http://servername/reportserver
Once connected you can expand the Security folder and then the Roles folder to display your roles. Double click on "Browser" to get a properties window that should be straight forward. The task you want to deselect is "Manage individual subscriptions."
I have few SSRS 2008 reports. Databases are CRM databases. I have created a group of 10 users. Each user has different permissions(user can see data of only those databases which he has access from CRM side security).
When user tried to see reports from his place(machine) every time he gets this error.
An error has occurred during report processing. (rsProcessingAborted)
Cannot create a connection to data source 'DB_NAME'. (rsErrorOpeningConnection)
Cannot open database "CRM_Database" requested by the login. The login failed. Login failed for user 'NTAUTHORITY\ANONYMOUS LOGON'.
I am using windows authentication. within the server reports are working fine. Outside the server we are getting this error.i got few suggestions that its a double hop issue.Solutions can be :
Use stored credential. (In my case I can't use because every user has access to different database. He can select database in reports whatever he has access to and he will get data only for that database.)
Kerberos setting.( I don't know how to do that when you have Windows 7 and SQL 2008 R2)
Help would be appreciated.
"NTAUTHORITY\ANONYMOUS LOGON" is the built in IIS account on your report server. The reports are being executed from this account which serves up the page to the user.
Update your Data Source to use "Connect using: Credentials supplied by the user running the report" and checking "Use as Windows credentials" (Kerberos), if their AD account is setup with the appropriate DB permissions on the SQL Server. when connecting to the Data Source. Windows integrated security works also if you are on the domain.
Since you need to pass the user's account to the DB for authentication using credentials stored securely on server (Stored Credential) will not work for the scenario you describe as every user will hit the database with the same credentials.
I`m developing install application via Installshield Basic MSI Project
I have a little problem when granting "Log on as a service" permission
(Control panel -> Administrative tools -> Local Security Settings)
In Windows server 2003, NTRights.exe works fine.
In Windows server 2008 and 2008 R2, NTRight.exe also works fine but "NTRights.exe" is just part of "Windows server 2003 Toolkit"
I want to use another method.
Can Anyone do same thing using another way?
In a Service Panel, I have to set Logon account and password using end user input.
But Installshield supports just fixed id, password. It cannot be used.
How can i do this to set logon account?
Logon account information should be provided during installation
Check out this article. Once you understand it, just change it up a bit by using information from the second link.
Augmenting InstallShield using Windows Installer XML - Certificates
User Element (Util Extension)
Another approach using a WiX DTF custom action can be found at:
Different year, Same Problem...