I’ve worked with several customers who use a custom authentication scheme in their enterprise, and therefore couldn’t secure Reporting Services using Windows Authentication. Some of these folk also didn’t want to write their own custom security extension or use/modify Microsoft’s forms authentication sample found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsql2k/html/ufairs.asp
Instead, they wanted a simple way to allow their users to access reports anonymously without opening SSRS up to every hacker-wannabe on earth. The problem is obvious: if you turn anonymous access ON for the /Reports and /ReportServer vdirs, everyone comes in with the exact same level of permissions. Either everyone is a Browser, or a Content Manager, for example.
I’ve been playing around with this scenario for a while, and never came up with an even somewhat acceptable workaround. Well, Larry Clark (a member of our national Tech Team) came up with a pretty good solution. Thanks Larry!
– The reports you access anonymously must use stored credentials
– The user must navigate directly to the report with an URL Access string versus using Report Manager
– We tell people not to mess around with the properties of the Reporting Services vdirs for good reason. If you change them, or “workaround” them in any fashion you can open yourself up to all sorts of nasty stuff. It’s questionable whether I’d use this technique in a production Internet-facing scenario…I probably wouldn’t.
– This technique has NOT been tested in the real world: I’d advise you not to be the first, either.
That being said, here’s how it’s done:
1. Use the IIS Manager Snap-in to save the configuration of the /ReportServer vdir to a file (right-click /ReportServer | All Tasks | Save Configuration to a File).
2. Create a new vdir (I named mine /ReportServerAnon) based on the saved file.
3. Using the snap-in, enable anonymous access on the new vdir and de-select Integrated Windows Authentication (you’re doing this work against /ReportServerAnon, right? NOT /ReportServer!).
4. Back in Report Manager, grant I_USER Browser permissions on the particular report(s) you want an anonymous user be able to run
5. Provide your users with a direct URL to the report(s) in question. The URL will utilize the /ReportServerAnon vdir versus the standard /ReportServer vdir. For example, while testing this, I used: