Sharing Forms Authentication cookies in SQL Reporting Services


It’s not uncommon for someone to want to integrate their pre-existing ASP.net app (which utilizes Forms Authentication) with Reporting Services. When doing so, we don’t want to force users to logon twice, however – The goal is to have the Forms auth cookie generated by your app work against SSRS, too.


 


Here’s a quick walkthrough you can use to get handy with this scenario…It will probably take you about 60 minutes to get it all set up the first time round…


 



  1. Create a simple web app which utilizes forms auth. Use the following KB which gives you lots of easy cut & paste code (I’ll call this app FormsApp from now on):

 


http://support.microsoft.com/kb/301240


 



  1. Setup the SSRS Forms Authentication Sample, using this link (we’ll call this sucker SSRSSamp):

 


http://msdn.microsoft.com/en-us/library/aa902691.aspx


 


WARNING! Both of these samples create a “Users” table on SQL Server, and the schema of each table is different…Make sure you create these tables in different databases or rename “Users” to “Users2” in one the scripts that you run.


 



  1. Make sure both applications work independently of each other, and that you’ve added a user / password to SSRSSamp that has permissions on Reporting Services per the loooong instructions in step 2.
  2. Take the username / password you added in step 3, and manually add it to the FormsApp.Users table with an INSERT statement (you’ve already added User1, User2, and User3…go ahead and add “your” user too):

 


INSERT INTO FormsApp.Users values(‘YourUser’,’YourPW’,’Admin’)


 



  1. Modify the FormsApp by adding a command button to the default.aspx form. Add code to the button’s click event so that it does a response.redirect to your report server ala:

Response.Redirect(http://MyServer/Reports);



  1. Now, we have to make some changes to the web.config files of each application to get this all working. Read about what we’re about to do here:

http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx


 



  1. Open the web.config for the FormsApp, and add the following stuff inside the <system.web> element  (you’ll see I’ve pretty much copied this directly from the article in step 6:)

 


WARNING! Backup web.config whenever we modify it, OK?


 


<machineKey validationKey= “C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE”


decryptionKey= “8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F” validation=”SHA1″/>


 


The “most important” parts (for this exercise, anyway) will end up looking like this:


 


<authentication mode=”Forms”>


   <forms name=”.ASPXFORMSDEMO” loginUrl=”logon.aspx”


   protection=”All” path=”/” timeout=”60″ />


</authentication>


 


<authorization>


   <deny users =”?” />


   <allow users = “*” />


</authorization>


 


<machineKey validationKey= “C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE”


decryptionKey= “8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F” validation=”SHA1″/>


 



  1. Now, it’s time to modify web.config found in the C:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder…crack it open (and back it up)!
  2. Here’s what the “important” bits should look like. Note that everything in the <authentication> and <machineKey> elements exactly match what we have in the FormsApp web.config file…we’re following the instructions in the MDSN article from step 6. Yay MSDN!:

 


<authentication mode=”Forms”>


   <forms loginUrl=”logon.aspx” name=”.ASPXFORMSDEMO”


   protection=”All” timeout=”60″ path=”/”></forms>


</authentication>


 


 


<authorization>


   <allow users = “*” />


</authorization>


 


<machineKey validationKey= “C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE”


decryptionKey= “8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F” validation=”SHA1″/>


 


Save your changes, and you’re done. I would go ahead and test each app on its own to make sure they still work, then open up FormsApp, logon, and click your command button – You should land right inside Report Manager.


 

Comments (20)

  1. Kirti says:

    The link to the simple web app (FormsApp) is not working. Could you please correct that? Thanks.

  2. russch says:

    Hey Kirti — I just tried the link again (http://support.microsoft.com/default.aspx?scid=kb;en-us;301240#XSLTH3124121122120121120120) and it is working fine for me. However, I could also find the sample by searching on the keywords "Implement Forms-Based Authentication

    " on support.microsoft.com. Hope this helps!

  3. Kirti says:

    Thanks! This link works great! I think the original link would also have worked had I just copied and pasted it in the IE. Lazy me!

  4. Kirti says:

    Russell,

    OK..Both the apps are working fine independently. However, after authenticating in FormsApp, when I click the command button to launch Report Manager, I am again getting prompted by the Report Manager for login. I made sure that the authentication and machinekey section of the two web.configs are identical. Any suggestions on what to look for? Thanks.

    Kirti

  5. Kirti says:

    I know now what the problem was…When I launch the FormsApp in debug mode (F5), it used localhost for the website address and this does not work well with the Reporting Services authentication. Once I replace localhost with the server name in the browser, it all works fine. So, please disregard my previous message. Thanks for a great post!

  6. russch says:

    Yes..the first time I worked with this sample,I wasted 2 hours of my life figuring out the same thing..I should have remembered to post that..must have repressed it!

  7. Kirti says:

    How do I make scheduled execution snapshot work with forms authentication? How should I handle unattended account access in this scenario? Thanks.

  8. Kirti says:

    I noticed that the Report Server service was not running. Once I started the service, the unattended execution snapshot works fine. Thanks.

  9. abhishek says:

    Thanks for a great post.

    In mine case application server and report server are on difrent machines (having diffrent IPs). can cookies be shared between them. Any help is greatly appreciated.

    jainabhishek8@rediffmail.com

  10. russch says:

    I think so… The topic http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconformsauthenticationacrossapplications.asp says "ASP.NET supports forms authentication in a distributed environment, either across applications on a single server or in a Web farm", so to me, that means you’re in good shape.

  11. ghoffman says:

    Is there a way to share cookies across servers with different  IPs?   I can get it working on my local machine, where both the SQL RS and application is on the same machine.  However, when i try it on production, where SQLRS and webserver are on different machines, i get a The permissions granted to user ” are insufficient for performing this operation error.  Any ideas?

  12. russch says:

    No clue, sorry. I this sounds like less of an SSRS issue, and more of an ASP.NET question…I’d bet you can repro the problem by using Forms Auth (where you are authenticated on 1 machine) and then hit an app on a different box which should allow you to share the same cookie…if you can…hit the MSDN ASP.NET discussion groups.

  13. Matt Roberts says:

    Great post, along with all your other SSRS musings – they’re an invaluable source for me 🙂

    I am having problems getting this to work with SSRS 2005 and ASP.NET 2005 – even when the RS and the web app are on the same machine, I still get asked to login to RM. It does not seem to want to share that cookie?! I made sure I browse to my machine, and not localhost, is there anything else I should do? Its re-directing me to the "UILogin.aspx" page, which is what the ReportManager controls ( not the report server, which is set to Login.aspx) so should I start messing around with the web.app in there too?

    Are there issues with 2005 versions? I was looking at other posts in the usenet groups that suggest firing off to the "LogonUser" SOAP method from the web app and doing it that way – I could get that working if both the RM and web app are local, but not for seperate machines.

    Anyway, any advice welcome!

  14. Matt Roberts says:

    Quick Update:

    I recreated my "Forms Auth App" from scratch (I had a lot of other stuff going on in the one I was using)  and managed to get it to work, but only when the RM and the FormsApp are in the same physical server. When the RM is on another machine it refuses to work. It seems that the cookie sharing will not work over different machines, even though the MSDN documentation suggests that it will…. hmmmm.

  15. bernie says:

    The link to the SSRS Forms Authentication Sample is not working. Could you please correct this. thanks.

  16. bzhang says:

    oh, never mind, Just find it:

    http://msdn2.microsoft.com/en-us/library/aa902691(SQL.80).aspx

  17. Patrick says:

    Russell, thanks for the great post. It works just fine as a redirect, however, is there any way to get it to work in the web ReportViewer control? I get an error because the cookie is not passed using the control and a redirect to the login page is the response. Thank you, Patrick

  18. Patrick says:

    Russell, disregard my inquiry. For those of you implementing a web reportViewer control, you must set the viewer credentials using the IReportServerCredentials interface GetFormsCredentials method as found here http://www.devx.com/dotnet/Article/30610/0/page/4 (cut and paste URL).

  19. Paul Wellman says:

    None of the links on this page can be found.  Very frustating when I am trying to figure out how to do SSRS Froms Authentication.

    Paul Wellman

    pwellman@gmail.com

  20. russch says:

    Updated links (the post is almost 3 years old…)