Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Fletch
Starting Member
29 Posts |
 Posted - 2007-03-29 : 09:47:24
|
| I've been maintaining a server for a while now, running Windows2003, IIS6, SQLServer 2000, Reporting services and a .NET web site.The web site takes the users credentials and then provides a choice of RS reports for them. Security used to be fine. Following weeks of viruses, trojans etc. the box is stable. However, if a user goes directly to a URL (e.g. www...com/report..user=2...) they are presented with the report.I need to understand more about how the security is handled, however I need to get security working FAST. The fastest way surely, is to get things back as they were.I've read around about the different techniques but I haven't sorted out where we were. The most likely scenario (I think) is that we've lost an ISAPI filter.Any advice hugely appreciated. |
|
|
jhermiz
3564 Posts |
Posted - 2007-03-29 : 09:52:32
|
| ?Not sure what you are after, RS uses windows authentication.Programmers HowTo's -- [url]http://jhermiz.googlepages.com[/url] |
 |
|
|
Fletch
Starting Member
29 Posts |
Posted - 2007-03-29 : 10:00:36
|
| When a user enters a correct URL he is taken directly to the requested report without being prompted for a username or password.How would this normally be prevented? According to the web.config we are using Impersonation. |
|
|
|
jhermiz
3564 Posts |
Posted - 2007-03-29 : 12:33:48
|
| Check your site settings. Have you enabled anon access? Which web.config file do you speak of?If you installed RS by default it uses windows authentication. It doesn't ask for a user name or password because it passes those credentials from the OS.Programmers HowTo's -- [url]http://jhermiz.googlepages.com[/url] |
|
|
|
Fletch
Starting Member
29 Posts |
Posted - 2007-03-29 : 14:38:10
|
| Anon access is enabled (in IIS). the web.config is in the inetpub directory and is provided by the .NET applicationI rooted around the \MSSQL\ReportingServices directory and found another config file, something rsserver.config and it too told me impersonate was set to true.I'm guessing that the .NET app somehow handles the security but I'm wondering how IIS knows to ask .NET whether they're logged on or not. Perhaps this is a security 'extension'? |
|
|
|
jhermiz
3564 Posts |
Posted - 2007-03-29 : 14:53:42
|
| Thats the problem when you say "I checked the web config file". RS is huge, there are multiple web.configs to handle specific pages. You can have 2 types of authentication here...we are talking windows authentication or forms. By default RS installs as a windows authenticated system, you can make this use forms authentication (where you yourself can validate your users via your own lookup tables). There is an extensive article on doing this on microsoft's site (search).So the reason why your end users are not prompted is because of windows authentication. Its simply using the .net security class to recognize whose logging into what. anon access hsould be disabled though, im not understanding why it would be enabled on yours though...are you creating internal or external reports (in house users, external users?)Programmers HowTo's -- [url]http://jhermiz.googlepages.com[/url] |
|
|
|
Fletch
Starting Member
29 Posts |
Posted - 2007-03-29 : 16:06:19
|
| I don't believe forms authentication was being used.The reports are available to external users (registered users). One of the parameters for each report is the user_number.It was designed (and was working) such that when user 1 logged on, he could select reports for him. The parameter was being passed silently. By right clicking etc. you can of course reveal the full url. It used to be the case that using the same url, but changing the user_number would prompt for credentials. Currently however it just shows the reports for user 2!! |
|
|
|
|
|
|
|
|
What security am I (/was I) using !?