"Walter Wang [MSFT]" said:Hi AG,
Sorry for the misunderstanding.
The new issue you mentioned is actually about how to make two IIS
server/web application accessing each other.
By default, a web application on IIS 6.0 runs in the default Application
Pool, which by default is running under the NETWORK SERVICE account. This
account is very limited, although it have network access, but you need to
grant it in either your local or remote sql/report server:
http://msdn2.microsoft.com/en-us/library/ms998320.aspx
<quote>
If you are accessing a database on another server in the same domain (or
in
a trusted domain), the Network Service account's network credentials are
used to authenticate to the database. The Network Service account's
credentials are of the form DomainName\AspNetServer$, where DomainName is
the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in
the
domain CONTOSO, the SQL Server sees a database access request from
CONTOSO\SVR1$.
To access a remote SQL Server using Network Service
To grant access to a remote database server in the same domain or a
trusted
domain, follow the steps described earlier for a local database, except in
step 4, use the DomainName\AspNetServer$ account to create the database
login.
</quote>
Also:
http://msdn2.microsoft.com/en-us/library/ms998320.aspx
<quote>
In some scenarios, using a custom domain service account is a better
approach than using the Network Service account. You should use a custom
domain service account if:
You want to isolate multiple applications on a single server from one
another.
You need different access controls for each application on local and
remote
resources. For example, other applications cannot access your
application's
databases if access is restricted to your application's account.
You want to use Windows auditing to track the activity of each application
separately.
You want to prevent any accidental or deliberate changes to the access
controls or permissions associated with the general purpose Network
Service
account from affecting your application.
</quote>
In this case, you will need to create a separate Application Pool in IIS
6.0 and configure it to use a custom domain service account; then
configure
your web application to run in this Application Pool.
Pleaset let me know if you have anything unclear. Thanks.
Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Walter Wang [MSFT]" said:Hi AG,
I've done some test locally and cannot reproduce the issue on my side. I
tried both a domain user account and a local user account (on the report
server). To make sure we're using the similar configuration and code,
here's my relevant code and configuration:
1) ServerA: installed SQL Server 2005 with Reporting Service; all are
configured correctly to make sure visiting http://ServerA/ReportServer/
success
2) WorkstationB: developing system, Vista.
3) ServerA and WorkstationB are in the same domain.
4) Setup a local user account on ServerA and give this account "Browse"
permission on the server.
5) Used following code to pass the user account:
public class MyCredentials : IReportServerCredentials
{
private string m_user, m_pwd, m_domain;
public MyCredentials(string user, string pwd, string domain)
{
m_user = user;
m_pwd = pwd;
m_domain = domain;
}
#region IReportServerCredentials Members
public bool GetFormsCredentials(out System.Net.Cookie authCookie,
out string userName, out string password, out string authority)
{
authCookie = null;
userName = password = authority = null;
return false;
}
public System.Security.Principal.WindowsIdentity ImpersonationUser
{
get { return null; }
}
public System.Net.ICredentials NetworkCredentials
{
get
{
return new NetworkCredential(m_user, m_pwd, m_domain);
}
}
#endregion
}
6) Published the website to ServerA and verified it works correctly.
7) Repeat step 4) but with a domain user account.
-----------
Now would you please help me check following points so that we could
further troubleshoot this issue on your side:
* Check the event log, "Security" part, see the relevant "Failure Audit"
and post some of the records here.
* On the server or your workstation, right-click on IE shortcut and select
"Run As", and use the account that you're passing to the report server to
run IE, then visit http://yourserver/ReportServer to see if it works
* Check kb http://support.microsoft.com/kb/907273, especially this kb:
http://support.microsoft.com/kb/896861 to see if the registry fix (to
disable loopback check) helps or not. In my case, I don't need to do this
fix but yours scenario may vary.
* Check your IIS log on the server to see if there's any interesting logs
when the 401 error occurs.
By the way, I'm using the same web site on IIS server as the my asp.net
web
application and the report server's web service, but running in two
different Application Pool, both application pools are using NETWORK
SERVICE account.
Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
"Walter Wang [MSFT]" said:Hi AG,
I've done some test locally and cannot reproduce the issue on my side. I
tried both a domain user account and a local user account (on the report
server). To make sure we're using the similar configuration and code,
here's my relevant code and configuration:
1) ServerA: installed SQL Server 2005 with Reporting Service; all are
configured correctly to make sure visiting http://ServerA/ReportServer/
success
2) WorkstationB: developing system, Vista.
3) ServerA and WorkstationB are in the same domain.
4) Setup a local user account on ServerA and give this account "Browse"
permission on the server.
5) Used following code to pass the user account:
public class MyCredentials : IReportServerCredentials
{
private string m_user, m_pwd, m_domain;
public MyCredentials(string user, string pwd, string domain)
{
m_user = user;
m_pwd = pwd;
m_domain = domain;
}
#region IReportServerCredentials Members
public bool GetFormsCredentials(out System.Net.Cookie authCookie,
out string userName, out string password, out string authority)
{
authCookie = null;
userName = password = authority = null;
return false;
}
public System.Security.Principal.WindowsIdentity ImpersonationUser
{
get { return null; }
}
public System.Net.ICredentials NetworkCredentials
{
get
{
return new NetworkCredential(m_user, m_pwd, m_domain);
}
}
#endregion
}
6) Published the website to ServerA and verified it works correctly.
7) Repeat step 4) but with a domain user account.
-----------
Now would you please help me check following points so that we could
further troubleshoot this issue on your side:
* Check the event log, "Security" part, see the relevant "Failure Audit"
and post some of the records here.
* On the server or your workstation, right-click on IE shortcut and select
"Run As", and use the account that you're passing to the report server to
run IE, then visit http://yourserver/ReportServer to see if it works
* Check kb http://support.microsoft.com/kb/907273, especially this kb:
http://support.microsoft.com/kb/896861 to see if the registry fix (to
disable loopback check) helps or not. In my case, I don't need to do this
fix but yours scenario may vary.
* Check your IIS log on the server to see if there's any interesting logs
when the 401 error occurs.
By the way, I'm using the same web site on IIS server as the my asp.net
web
application and the report server's web service, but running in two
different Application Pool, both application pools are using NETWORK
SERVICE account.
Regards,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.