Depending on your Internet Explorer configuration, you might experience authentication issues when trying to connect to an MSSQL Server v2005 Reporting Services web site.
You do not have permission to view this directory or page using the credentials that you supplied.
There are a few technical options for solving this problem:
- Using setspn and getting Kerberos to work
- You likely have to work with your Active Directory team, as your Service Account has to be registered\tied into your box for HTTP traffic
- Changing your IIS\Reporting Services HTTP.sys to use a local system account such as Network Service
- Upgrading MS SQL Server Reporting Services from v2005 to v2008 and above and customizing your web.config to use NTLM before attempting Kerberos/Negotiate
We will take the path of least friction and just change our web site or virtual directories to use NTLM rather than the default choice of Kerberos.
NTAuthenticationProviders – Get
set "_baseScriptFolder=c:\inetpub\adminscripts"
set "_identifier=1"
cscript %_baseScriptFolder%\adsutil.vbs get w3svc/%_identifier%/root/reports/NTAuthenticationProviders
Our NTAuthenticationProviders setting reads Negotiate,NTLM.
Negotiate means Kerberos is attempted first and then NTLM.
For more reasons than I can get into at this time, Kerberos will not work for us. So let us restrict our options to NTLM.
NTAuthenticationProviders – Set
set "_baseScriptFolder=c:\inetpub\adminscripts"
set "_identifier=1"
cscript %_baseScriptFolder%\adsutil.vbs set w3svc/%_identifier%/root/reports/NTAuthenticationProviders "NTLM"
iisreset
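One way to confirm the change took effect, as an added example that is not from the original post: IIS lists each enabled Windows authentication provider in its own WWW-Authenticate header on the 401 challenge, so after the change the Reports virtual directory should offer only NTLM. The two sample responses and the function names are constructed for illustration.

```python
import http.client
import io

# Constructed sample 401 responses (before and after the adsutil "set").
BEFORE = ("HTTP/1.1 401 Unauthorized\r\n"
          "Content-Type: text/html\r\n"
          "WWW-Authenticate: Negotiate\r\n"
          "WWW-Authenticate: NTLM\r\n"
          "Content-Length: 0\r\n\r\n")
AFTER = ("HTTP/1.1 401 Unauthorized\r\n"
         "Content-Type: text/html\r\n"
         "WWW-Authenticate: NTLM\r\n"
         "Content-Length: 0\r\n\r\n")


def offered_schemes(raw_response):
    """Return the schemes from the WWW-Authenticate headers, in server order."""
    fp = io.BytesIO(raw_response.encode("latin-1"))
    status = fp.readline().decode("latin-1").split()
    if len(status) < 2 or status[1] != "401":
        raise ValueError("expected a 401 challenge, got status line %r" % status)
    headers = http.client.parse_headers(fp)
    # A challenge may carry a token after the scheme name; keep the name only.
    return [v.split()[0] for v in headers.get_all("WWW-Authenticate", []) if v.split()]


def describe(schemes):
    """Map the offered schemes to the behaviour described in the post."""
    names = [s.lower() for s in schemes]
    if not names:
        return "no Windows authentication offered"
    if names == ["ntlm"]:
        return "NTLM only"
    if names[0] == "negotiate":
        return "Negotiate first (Kerberos attempted, then NTLM)"
    return "other order: " + ",".join(schemes)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", describe(offered_schemes(raw)))
```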
Microsoft – IE
Once Internet Explorer starts accepting your username\password combination, consider automating login.
Here are two options:
- Automatic logon only in Intranet Zone
- Automatic logon with current user name and password
If the site is part of your Intranet, then consider explicitly adding that site to your “Intranet Zone”.
Then ensure that the Intranet Zone setting is configured as
Security Settings \ User Authentication \ Logon \ Automatic logon only in Intranet zone
If, for some other consideration, the targeted URL is not part of your Intranet Zone, then consider adding the URL to its most applicable zone, and ensure that the zone is configured as “Automatic logon with current user name and password”.
Out of the remaining choices, I will suggest “Trusted Sites”.
Security Settings \ User Authentication \ Logon \ Automatic logon with current user name and password
Please read more on this in the referenced “Automatic Login” section.
Need to know
BTW, this problem does not affect Mozilla Firefox browsers, as they use NTLM and not Kerberos in the first place.
IIS – Windows Integrated Authentication – Negotiate or NTLM Protocols
- You cannot configure the Negotiate or NTLM protocols for Windows Integrated Authentication in the IIS Manager for Internet Information Services (IIS) 7.0
- SSRS 2005 and Kerberos settings on Windows Server 2008
- Home > Configuration Reference > system.webServer > security > authentication > windowsAuthentication > providers > Windows Authentication Providers <providers>
- Setting your Browser Options for Automatic Login