View Permissions for Reporting Services in SharePoint Integrated Mode

Setting up security for SSRS in SharePoint integrated mode can be a bit tricky, particularly if you want to set up some of your users to only be able to run reports, but not to be able to modify or change them. I found a great post explaining how to create a Reporting group in SharePoint:

http://agilebi.com/cs/blogs/jwelch/archive/2009/07/10/view-permissions-for-reporting-services-in-sharepoint-integrated-mode.aspx

GPO: disable Office ribbon Menu items

Problem:

  • I needed to disable a menu item in Excel 2007.

Resolution:

  • First of all, download the ADM(X) templates for Office 2007 (keep in mind I am using Server 2008). You can download them here
  • Extract it to a folder, and then copy the contents of the admx folder to C:\Windows\PolicyDefinitions
  • Open your Group Policy Editor (gpmc.msc), and make a new Group Policy (I named it “Office GPO”)
  • If you browse to [User Configuration], [Administrative Templates], you will see all the Office Policy Definitions.
  • My task was to disable the Menu Items “From Other Sources”, “Existing Connections” and “Connection”.
    You can disable menu items under the group policy setting:
    [Administrative Templates\Microsoft Office Excel 2007\Disable Items in User Interface\Custom\Disable Commands]
  • Disable Commands works with ID numbers; you can find these here
    For my problem I had to disable IDs: 11205, 12495 and 12496


Kerberos fails when using CNAME records

If you’re in the middle of implementing Kerberos for something, remember that Kerberos authentication fails whenever you use CNAME records in DNS, instead of A-Records.

Why is this?

This is because when, for example, IE asks AD “which account has an SPN registration for kerberos.marcvalk.net”, and kerberos.marcvalk.net is a CNAME for IIS_Server.marcvalk.net, the reply will be IIS_Server.marcvalk.net and not the service account.

So you’ll probably see a pop-up authentication box with a title of IIS_Server.marcvalk.net and not the correct host header kerberos.marcvalk.net.
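
The check described above, as an added example that is not part of the original post: it follows a CNAME to its A-record name, builds the SPN that would be requested, and compares the account holding it with the identity the site runs as. The function name, the `DOMAIN\svcWeb` account, `reports.marcvalk.net` and all sample records are constructed; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example. The DNS answers and SPN table below are constructed sample data.
function Test-KerberosAlias {
    param(
        [Parameter(Mandatory = $true)] [string]    $HostHeader,     # name the browser is pointed at
        [Parameter(Mandatory = $true)] [object[]]  $DnsAnswer,      # shaped like Resolve-DnsName output
        [Parameter(Mandatory = $true)] [hashtable] $SpnOwner,       # SPN -> account holding it
        [Parameter(Mandatory = $true)] [string]    $ServiceAccount, # identity the site runs as
        [string] $ServiceClass = 'HTTP'
    )
    # Follow the alias chain to the canonical (A record) name; cap the hops to avoid loops.
    $canonical = $HostHeader
    foreach ($hop in 1..8) {
        $alias = $DnsAnswer |
            Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq $canonical } |
            Select-Object -First 1
        if (-not $alias) { break }
        $canonical = $alias.NameHost
    }
    # As the post describes, the lookup ends up on the canonical name, not the alias.
    $spn   = "$ServiceClass/$canonical"
    $owner = $SpnOwner[$spn]
    [pscustomobject]@{
        HostHeader   = $HostHeader
        IsCname      = $canonical -ne $HostHeader
        RequestedSpn = $spn
        SpnOwner     = $owner
        KerberosOk   = $owner -eq $ServiceAccount
    }
}

# Constructed sample: the alias from the post plus a hypothetical A-record host name.
$dns = @(
    [pscustomobject]@{ Name = 'kerberos.marcvalk.net';   Type = 'CNAME'; NameHost = 'IIS_Server.marcvalk.net' }
    [pscustomobject]@{ Name = 'IIS_Server.marcvalk.net'; Type = 'A';     IPAddress = '192.0.2.10' }
    [pscustomobject]@{ Name = 'reports.marcvalk.net';    Type = 'A';     IPAddress = '192.0.2.10' }
)
$spns = @{
    'HTTP/kerberos.marcvalk.net'   = 'DOMAIN\svcWeb'        # registered, but never asked for
    'HTTP/reports.marcvalk.net'    = 'DOMAIN\svcWeb'
    'HTTP/IIS_Server.marcvalk.net' = 'DOMAIN\IIS_SERVER$'   # machine account
}
'kerberos.marcvalk.net', 'reports.marcvalk.net' | ForEach-Object {
    Test-KerberosAlias -HostHeader $_ -DnsAnswer $dns -SpnOwner $spns -ServiceAccount 'DOMAIN\svcWeb'
} | Format-Table -AutoSize
```

On a live system, pass the output of `Resolve-DnsName <host header>` as `-DnsAnswer` and build the SPN table from `setspn -L <account>` for the accounts involved.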

IE8 Security Warning HTTPS content

Since I upgraded to IE8, I’ve been a bit annoyed with this security warning:


It states: “Do you want to view only the webpage content that was delivered securely”. The first time I just pressed Yes, by pressing [Enter] on my keyboard (without reading the warning correctly), which obviously rendered me an incomplete page.

Note to Steve Ballmer:
Why change this button press behavior, Microsoft, just to let us read dialogs? It will cost time every time we have to read such a dialog, and as you know... time is money :-)

Since then the warning came up a few times. So if you want to disable this warning, change this:
in IE8, go to [Tools], [Internet Options], [Security], [Custom level]
and change [Display mixed content] to “Enable”


Settings will take effect after a restart of IE.

*edit after comment
I’m not saying that you should disable the warning. If you find it annoying, you can disable it.
The “old” dialog was different.
As you can see, this is the other way around. They changed it.
What you do with it is your choice.

DelegConfig v2

A new version of the Kerberos tool DelegConfig is ready. Download it here.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)

  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP

  • Allows chaining of multiple hops (versus only a single backend)

  • Performs duplicate SPN check against all trusted domains.

  • /Set/SPNs.aspx – Allows adding and removing of ServicePrincipalNames

  • /Set/Delegation.aspx – Allows changing Trust for Delegation settings.

  • /Set/Providers.aspx – Allows correcting of inadequate NTAuthenticationProviders settings.

  • /Report.aspx – Gives a picture of what is right and what is wrong.

  • /Wizard.aspx – A set of wizard steps that supports adding more tiers to /Report.aspx.

  • /Test.aspx – Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Document explaining Kerberos & Double Hop

A nice document explaining Kerberos, the double hop issue and what to do about it. It also uses an example with Reporting Server, Analysis Server and SharePoint.

Check it out @ http://www.ssas-info.com/analysis-services-articles/51-security/1492-enhanced-security-and-integration-of-microsoft-bi-solutions-with-kerberos

written by Mark Dasco and Boyan Penev

Sharepoint and SSRS integration

Integrating reports in dashboards is hot. If your organization isn’t analyzing all the data it is gathering to answer questions about your business, you’re going to fall behind. If you have SharePoint, you can integrate Reporting Server and Analysis Server with it (I am not going to tell how to work with SSRS, there is someone who is much better at that).

This is my Server environment:


AD_SRV     : Active Directory Server
SP_SRV      : Sharepoint Server
SQL_SRV   : SQL Server (Sharepoint Configuration Database)
REP_SRV  : Reporting Server (SSRS)

As you can see we will run into the double hop problem. In short: the credentials which are passed into IIS (Sharepoint) cannot be passed to another machine (SSRS) for authentication. You can solve this by using the Kerberos Protocol. This is what I am gonna try to explain :-)

What do you need:

  • Domain Service Account (the account of the Sharepoint Web App Application Pool). Let’s say: srvAccount
  • Microsoft SQL Server 2008 Reporting Services add-in for Microsoft Sharepoint Technologies (download here, see to it that you take the correct version i.e. x86 or x64)

First of all, install the SharePoint Object Model on the SSRS server; if you don’t, you will receive an error like:
The configuration paramter SharePointIntegrated is set to true but Share Point Object Model cannot be loaded.
Use the Service Account srvAccount
Also install .Net version 3.5 and the Windows Installer update (the setup will do that)

Then make sure that the srvAccount can create SPNs dynamically, see step 3 in this article from Microsoft.

I installed SSRS to run under the service account srvAccount.
Then to configure the reporting server (start the Reporting Services Configuration Manager):

  • Create a new database (I installed it on srvAccount).
    1. Choose “Integrated Security”
    2. Choose “Sharepoint Integrated Mode”
    3. At credentials, choose “Service Credentials”
  • Create your Web-Service URL and your Report Manager URL (write these down somewhere, you will need them again)

Then install the Reporting Services Add-in on SP_SRV.

Next step is to configure the add-in:

  • Start SharePoint Central Administration, and click [Application Management]. There should be a section called “Reporting Services”. If it is not available, you have to enable it (Site Actions > Site Settings > Site Collection Features. Search for Report Server Integration Feature and click [Activate]). It’s possible that the feature isn’t there; in that case perform an installation in Files-Only Mode (see: http://technet.microsoft.com/en-us/library/aa905871.aspx).
  • Below section “Reporting Services”, click on [Manage Integration Settings]
  • Fill in the Web Service URL you wrote down earlier in the field beside “Report Server Web Service URL”
  • Choose “Windows Authentication”
  • Click [OK]
  • Next click [Grant Database Access] (back at the section Reporting Services)
  • In the field “Server Name” fill in the name of the database server (i.e. REP_SRV) on which your reporting database runs
  • Click OK and fill in the username and password of your service account (srvAccount)

So... now the Service Principal Names. Restart your SQL Server service on SQL_SRV, so that it will register its SPNs dynamically.
The following SPNs were registered manually by me:

  • setspn -a HTTP/<FQDN of REP_SRV> <domain>\srvAccount
  • setspn -a HTTP/<NETBIOS Name of REP_SRV> <domain>\srvAccount

Now that the SPNs are registered, you can trust srvAccount for delegation. In Active Directory, enable your service account to be trusted for delegation. Do the same for all your servers.


Now enable your SharePoint web application for Kerberos:

  • Open Central Administration
  • Navigate to Application Management > Authentication Providers
  • Choose the web application you wish to configure from the drop-down in the top right corner (this includes the Central Administration web application)
  • Click on ‘Default’
  • Set the authentication to Negotiate (Kerberos)
  • IISRESET

Last step: on your reporting server, open rsreportserver.config (located in C:\Program Files\Microsoft SQL Server\MSRS10.MSSQLSERVER\Reporting Services\ReportServer).
Find the tag:

<AuthenticationTypes>
            <RSWindowsNTLM/>
</AuthenticationTypes>

Change RSWindowsNTLM to RSWindowsNegotiate.

So, I hope I forgot nothing, happy reporting :-)

Note: You can secure your Kerberos environment further. I showed you how to trust a user for delegation, and I went for the option “Trust this user for delegation to any service (Kerberos only)”. You can also choose “Trust this user for delegation to specified services only”. With this option you list the specific services the user is allowed to delegate to (like http, cifs, etc.).
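
To see which of the two delegation options from the note an account actually has, the following added example (not part of the original post) classifies accounts from their `userAccountControl` flags and `msDS-AllowedToDelegateTo` values and marks the “any service” case for review. The function name, the `srvReports` and `srvOther` accounts and the `example.test` SPNs are constructed sample data; it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example; the account objects at the bottom are constructed sample data.
$TRUSTED_FOR_DELEGATION         = 0x80000    # "delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "specified services only" + "Use any authentication protocol"

function Get-DelegationMode {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Account)
    process {
        $uac     = [int]$Account.userAccountControl
        # SPNs the account may delegate to; empty when the attribute is not set
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        if ($uac -band $TRUSTED_FOR_DELEGATION) {
            $mode = 'Unconstrained'
        } elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
            $mode = 'Constrained, any protocol'
        } elseif ($targets.Count -gt 0) {
            $mode = 'Constrained, Kerberos only'
        } else {
            $mode = 'None'
        }
        [pscustomobject]@{
            Account = $Account.sAMAccountName
            Mode    = $mode
            Targets = $targets -join '; '
            Review  = $mode -eq 'Unconstrained'   # candidates for "specified services only"
        }
    }
}

# Constructed sample accounts (0x200 = NORMAL_ACCOUNT).
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'srvAccount'; userAccountControl = 0x200 -bor 0x80000 }
    [pscustomobject]@{ sAMAccountName = 'srvReports'; userAccountControl = 0x200
                       'msDS-AllowedToDelegateTo' = @('HTTP/rep-srv.example.test', 'MSSQLSvc/sql-srv.example.test:1433') }
    [pscustomobject]@{ sAMAccountName = 'srvOther';   userAccountControl = 0x200 }
)
$sample | Get-DelegationMode | Format-Table -AutoSize

# Live input (ActiveDirectory module); domain controllers show up as Unconstrained by design:
# Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
#     -Properties sAMAccountName, userAccountControl, msDS-AllowedToDelegateTo | Get-DelegationMode
```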

Some Websites which could be useful:
Tool for helping to troubleshoot Kerberos
Reza Alirezaei’s blog
Steve Caravaial’s blog
Winsmarts.com