问题
We currently have SSRS reports that consume WCF service data which needs to use the calling users credentials. On the service side, we use a basic binding to host the service:
<binding name="TheBasicHttpBinding" maxReceivedMessageSize="50000000" transferMode="Streamed">
<readerQuotas maxArrayLength="50000000"/>
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows"/>
</security>
</binding>
<service behaviorConfiguration="DefaultServiceBehavior" name="Web.TheService">
<endpoint binding="basicHttpBinding" bindingConfiguration="TheBasicHttpBinding" name="ServiceHttpBinding"
contract="Web.ITheService"/>
</service>
During report development we setup a Shared Data Source used by all of our reports. The data source is of type "XML" and points to the service endpoing .svc file. Within each of our datasets we make requests as follows:
<Query>
<Method Name="GetReferenceData" Namespace="http://localhost/2009/TheService">
<Parameters>
<Parameter Name="type"></Parameter>
</Parameters>
</Method>
<SoapAction>http://localhost/2009/TheService/ITheService/GetReferenceData</SoapAction>
</Query>
Our reports work on our development machines within VS2008 when calling our remotely hosted WCF service with the configurations and calls below.
Also, our reports work when we run them while logged into the SSRS reporting server and run them directly on the SSRS reporting server within IE.
However, if we access the SSRS report links remotely (not sitting at SSRS service machine) we receive errors as such:
An error has occurred during report processing. (rsProcessingAborted) The execution failed for the shared data set 'Clients'. (rsDataSetExecutionError) Query execution failed for dataset ''. (rsErrorExecutingCommand) Failed to execute web request for the specified URL. Unauthorized: The remote server returned an error: (401) Unauthorized. (rsXmlDataProviderError) The remote server returned an error: (401) Unauthorized. 401 - Unauthorized: Access is denied due to invalid credentials.
Server Error
401 - Unauthorized: Access is denied due to invalid credentials.
You do not have permission to view this directory or page using the credentials that you supplied.
--- End of inner exception stack trace --- at Microsoft.ReportingServices.DataExtensions.XmlDP.InMemoryCommand.ExecuteWebRequest(ICredentials credentials) at Microsoft.ReportingServices.DataExtensions.XmlDP.InMemoryCommand.Execute() at Microsoft.ReportingServices.DataExtensions.XmlDP.InMemoryCommand.<>c__DisplayClass1.b__0() at Microsoft.ReportingServices.DataExtensions.XmlDP.WebRequestHelper.ExecuteServerCallAsNtUser(ServerCall serverCall, WindowsIdentity ntUser) at Microsoft.ReportingServices.DataExtensions.XmlDP.InMemoryCommand.ExecuteReader(CommandBehavior behavior) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.RunEmbeddedQuery(Boolean& readerExtensionsSupported, Boolean& readerFieldProperties, List
1 queryParams, Object[] paramValues) --- End of inner exception stack trace --- at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.RunEmbeddedQuery(Boolean& readerExtensionsSupported, Boolean& readerFieldProperties, List1 queryParams, Object[] paramValues) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.RunDataSetQueryAndProcessAsIRowConsumer(Boolean processAsIRowConsumer) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.Process() at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.ProcessConcurrent(Object threadSet) --- End of inner exception stack trace --- at Microsoft.ReportingServices.ReportProcessing.ReportProcessing.ProcessSharedDataSet(DataSetContext dc, DataSetDefinition dataSetDefinition) at Microsoft.ReportingServices.Library.SharedDataExecutionInstance.CreateDataChunk(IChunkFactory targetChunkFactory, String dataChunkName) at Microsoft.ReportingServices.Library.SharedDataExecutionInstance.Execute(DataSetInfo dataSet, String targetChunkNameInReportSnapshot, ParameterInfoCollection dataSetParameterValues, ReportProcessingContext originalProcessingContext, Boolean originalRequestNeedsDataChunk, IRowConsumer originalRequest) at Microsoft.ReportingServices.Library.SharedDataSetExecution.Process(DataSetInfo sharedDataSet, String targetChunkNameInReportSnapshot, Boolean originalRequestNeedsDataChunk, IRowConsumer originalRequest, ParameterInfoCollection dataSetParameterValues, ReportProcessingContext originalProcessingContext) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.GetSharedDataSetChunkAndProcess(Boolean processAsIRowConsumer, DataSetInfo dataSetInfo, ParameterInfoCollection datasetParameterCollection) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.RunDataSetQueryAndProcessAsIRowConsumer(Boolean processAsIRowConsumer) at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.Process() at Microsoft.ReportingServices.OnDemandProcessing.RuntimeDataSet.ProcessConcurrent(Object threadSet) --- End of inner exception stack trace ---;
Any ideas as to why our reports work within VS2008 calling our remote WCF service, and the reports work fine also when run directly on the SSRS server with IE, but when calling these same report URL's hosted on the SSRS machine we get this report processing error?
In order to be able to access the WCF service WSDL from the SSRS server, we had to add the machine urls of our WCF service to the Local intranet zones list in order that we don't get challenged for credentials. When we remove these entries, we don't have success even with the SSRS reports when running them directly on the SSRS machine itself. We're assuming the issue lies in the way the user credentials are passed to SSRS and the subsequent data source url connections are established.
Our datasource uses "Windows integrated security" and the account that we run within VS successfully is the same account that we run IE on the SSRS report server directly with success. Also this is the same account that we're getting the above exception when trying to access the SSRS report from IE on a remote machine.
Anybody run into something like this before or have any ideas? We've looked in the SSRS logs but not finding them helpful yet. Note that we need to run the reports under the actual end user credentials, as these credentials need to be passed to the WCF service where we show/filter data based on permissions.
When setting "Credentials stored securely in the report server" true and storing my own account (which I used for other successful tests), the remote link works for everyone. However this creates an issue because then all WCF/XML requests are used under the context of my credentials. We need all requests to be made using "Windows integrated security" under the context of the calling user. Another question this introduces, is why if I store my credentials in the report does it work for all remote users and myself, but when setting the datasource to "Windows integrated security" that it doesn't even work for me - the same credentials.
Update:
It seems this "double hop" issue may be what we're experiencing: Integrated Security on Reporting Services XML Datasource.
Some articles which I found which look to have same issue:
- http://social.msdn.microsoft.com/Forums/sqlserver/en-US/b8ba8546-76e8-46dc-a96e-bc61e847521f/kerberos-windows-integrated-security-doublehop-between-reportserveriis-and-iis
来源:https://stackoverflow.com/questions/18207398/ssrs-consuming-wcf-service-with-calling-user-credentials-issue