Using Forms Authentication with the Report Viewer control and SQL Server Reporting Services 2005

I’ve been playing around with using different forms of authentication / impersonation with the Report Viewer controls, and I thought I’d post the fruits of my efforts. Here we go:

Using Forms Authentication with the Winform Report Viewer control is easy — Just pass in the creds and you’re all done:

reportViewer1.ServerReport.ReportServerCredentials.SetFormsCredentials(null, “userName”, “password”, “domainName”);

Doing the same thing with the Webform Report Viewer control is kind of a pain in the tail. You actually have to implement an interface called IReportServerCredentials and write/borrow another subclass that handles all the cookie related stuff when dealing with Forms Auth.

I took most of the following code from the following help topic, btw:
Anyway, first create the code for your Forms Auth Login page:

         MyReportingService svc = new MyReportingService();
         svc.Url = “
            svc.LogonUser(“myUserName”, “MyPassword”, null);
            Cookie myAuthCookie = svc.AuthCookie;
            if (myAuthCookie == null)
               Message.Text = “Logon failed”;
               HttpCookie cookie = new HttpCookie(myAuthCookie.Name, myAuthCookie.Value);
               string returnUrl = Request.QueryString[“ReturnUrl”];
               if (returnUrl == null || !returnUrl.StartsWith(“/”))
                  Message.Text = “Return url is missing or invalid!”;
         catch (Exception ex)
            Message.Text = “Logon failed: ” + ex.Message;


The code above calls LogonUser() against the SSRS web service so that we can get the Forms Auth cookie back from SSRS itself. Then, we stick the cookie into Response.Cookies, and forward the user to a page which has a ReportViewer control on it (in this case, http://myServer/appFolder/default.aspx)

OK, so now we’re sitting on the page which has the Report Viewer control itself.

In Page_Load, we first see if the previous cookie exists…if it doesn’t, we send you right back to the logon form:

        HttpCookie cookie = Request.Cookies[“sqlAuthCookie”];
        if (cookie == null)
            Response.Redirect(“/appFolder/logon.aspx?ReturnUrl=” + HttpUtility.UrlEncode(Request.RawUrl));


            ReportViewer1.ProcessingMode = ProcessingMode.Remote;
            ReportViewer1.ServerReport.ReportServerUrl = new Uri(“
            ReportViewer1.ServerReport.ReportPath = “/Report Project2/Report1”;

            Cookie authCookie = new Cookie(cookie.Name, cookie.Value);
            authCookie.Domain = “myServer”;
            ReportViewer1.ServerReport.ReportServerCredentials =
            new MyReportServerCredentials(authCookie);

If the cookie IS there, we set a few properties on the Report Viewer control, then set the ReportServerCredentials property of the control equal to our authCookie. Here is where the implementation of IReportServerCredentials and that other “cookie-handling class” come in.

First, here’s the implementation of IReportServerCredentials. It allows us to create a MyReportServerCredentials object:

class MyReportServerCredentials : IReportServerCredentials
    private Cookie m_authCookie;

    public MyReportServerCredentials(Cookie authCookie)
        m_authCookie = authCookie;

    public WindowsIdentity ImpersonationUser
            return null;  // Use default identity.

    public ICredentials NetworkCredentials
            return null;  // Not using NetworkCredentials to authenticate.

        public bool GetFormsCredentials(out Cookie authCookie,
            out string user, out string password, out string authority)
            authCookie = m_authCookie;
            user = password = authority = null;
            return true;  // Use forms credentials to authenticate.

As I mentioned earlier, we also have to subclass the myServer.ReportExecutionService class and override a few methods in order to do the cookie-related work:

public class MyReportingService : myServer.ReportExecutionService
    private Cookie m_authCookie;

    public Cookie AuthCookie
            return m_authCookie;

    protected override WebRequest GetWebRequest(Uri uri)
        HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
        request.Credentials = base.Credentials;
        request.CookieContainer = new CookieContainer();
        if (m_authCookie != null)
        return request;

    protected override WebResponse GetWebResponse(WebRequest request)
        WebResponse response = base.GetWebResponse(request);
        string cookieName = response.Headers[“RSAuthenticationHeader”];
        if (cookieName != null)
            HttpWebResponse webResponse = (HttpWebResponse)response;
            m_authCookie = webResponse.Cookies[cookieName];
        return response;

…and that’s it. You may actually have better luck using the URL at the top of the page for your code copying and pasting as it contains HTML you can use for you logon page, too.

My biggest problem with this whole scenario was actually *finding* the help topic I needed…It would have nice if I could have searched on “forms authentication report viewer control” and been directed to the topic in question (grump, grump).

Comments (39)

  1. Dan says:

    I did almost that exact search and it sent me here. Thanks for doing the legwork.

  2. William says:

    Dear Russell,

    I’ve tried the Forms Authentication with the Winform Report Viewer control but failed to display the report


    reportViewer1.ServerReport.ReportServerCredentials.SetFormsCredentials(null, "userName", "password", "domainName");


    and always return me rsLogonFailed.

    However when I use the windows account "userName", "password", "domainName" in IE using http://XXX.XXX.XX.XX/reportServer, I can get the report.

    Any comment? Thanks a lot.



  3. Karin says:

    This is the closest I found to solving this issue. There is no equivalent in VB to the ‘out’ statement and I’m getting also sorts of grief with the interface.

    Do you know or can you direct me to how this code might work in VB?



  4. I think ByRef is the closest you can get to out in VB — it is not the exact same thing, but I think it carries out the same function…

  5. Karin says:

    Yeah the ByRef seemed like the best option however I ran into interface implementation issues after that. Thus I’m now doing this part in C#.

    One question regarding the line

    public class MyReportingService : myServer.ReportExecutionService

    What is the myServer a reference to? A web reference of the Reporting Service or some other namespace?



  6. Exactly…It’s the reference to the Execution endopoint for SSRS.

  7. Ian Nelson says:

    An eclectic bunch of (mostly techie) bits that don’t really deserve a post each:

    Here’s a really useful…

  8. Sam says:

    I have anonnymous access but keep on getting this error when using your code even though I’m logging in as admin. Anyone has any idea why?

    {"System.Web.Services.Protocols.SoapException: Logon failed. —> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Logon failed.n   at Microsoft.ReportingServices.WebServer.RSCustomAuthentication.LogonUser(String userName, String password, String authority)n   at Microsoft.ReportingServices.WebServer.ReportingService.LogonUser(String userName, String password, String authority)n   — End of inner exception stack trace —n   at Microsoft.ReportingServices.WebServer.ReportingService.LogonUser(String userName, String password, String authority)"}

  9. furmangg says:

    I’ve got this working fine for viewing reports. But the problem is that the keepalive isn’t working. (You know that the ReportViewer control does some stuff behind the scenes which keeps the session alive in the web app hosting ReportViewer in addition to the session on the ReportServer web app. That URL looks like: /Reserved.ReportViewerWebControl.axd?ReportSession=lps4st2it0wks545ahsyl4uv&ControlID=173f16f1-f1d3-43ee-9d9c-0c080aacccd3&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodReportViewerTouchSession0&CacheSeed=Mon%20Sep%2025%2012%3A28%3A24%202006)

    If you look in the web.config you see:

    <add path="Reserved.ReportViewerWebControl.axd" verb="*" type="Microsoft.Reporting.WebForms.HttpHandler, Microsoft.ReportViewer.WebForms, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" validate="false"/>

    When I hit that URL I get this error:

    System.Web.Services.Protocols.SoapException: Execution ‘lps4st2it0wks545ahsyl4uv’ cannot be found —> Microsoft.ReportingServices.Diagnostics.Utilities.ExecutionNotFoundException: Execution ‘lps4st2it0wks545ahsyl4uv’ cannot be found

     at Microsoft.ReportingServices.WebServer.SessionStarterAction.CreateExisting()

     at Microsoft.ReportingServices.WebServer.ReportExecutionService.GetExecutionInfo(ExecutionInfo& executionInfo)

     — End of inner exception stack trace —

     at Microsoft.ReportingServices.WebServer.ReportExecutionService.GetExecutionInfo(ExecutionInfo& executionInfo)

    So I’m guessing that the HttpHandler isn’t using my credentials. Any thoughts?

  10. Grant says:

    Great article and I’ve almost got it working, however the authcookie is null and the service is returning a SoapException at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse().  When I step through the code, the m_authCookie is always null.  

  11. Brad says:

    I used the code above, but I always receive the following error message:

    "The type or namespace name ‘ReportExecutionService’ could not be found (are you missing a using directive or an assembly reference?)"

    What using reference do I need? Or how can I solve this problem?


  12. Melanie says:

    Dear Russell,

    I also used this code…but the following error message appear: "The server committed a protocol violation. Section=ResponseStatusLine"

    I tried to use the the cod ein my web.config, but the error is still there:



    <httpWebRequest UnsafeHeaderParsing "true" />  



    Does anybody have the same problem or does anybody know how I can handle this?

  13. sudha says:

    Can you please send me the Details of how to over come this problem Im having the Same Problem

    here is my error

    System.Web.Services.Protocols.SoapException: System.Web.Services.Protocols.SoapException: Logon failed. —> Microsoft.ReportingServices.Diagnostics.Utilities.LogonFailedException: Logon failed. at Microsoft.ReportingServices.WebServer.RSCustomAuthentication.LogonUser(String userName, String password, String authority) at Microsoft.ReportingServices.WebServer.ReportingService.LogonUser(String userName, String password, String authority) — End of inner exception stack trace — at ……………..

    Please help me

  14. sudha says:


      this authentication is helpful if u render the report using report viewer control but what I want is to render the rdl file. is there any way to do that also?

    Thanks in advance


  15. Alberto Casu says:

    Stiamo in questi giorni migrando una applicazione di un nostro cliente ad una nuova infrastruttura HW

  16. Alberto Casu says:

    Stiamo in questi giorni migrando una applicazione di un nostro cliente ad una nuova infrastruttura HW

  17. drew says:

    I am also getting The type or namespace name ‘ReportingService’ could not be found (are you missing a using directive or an assembly reference?)

    Something is not installed perhaps a Reportservices SDK?

    msrspbs.20.zdux0012 (at)

  18. Horatiu Ripa says:

    I just have my brain bursted:

    Is there a way to have an indirection between an WinForm aplication and Reporting Services?

    I mean, on client side there’s a Winform Report Viewer embed into an application; client of a custom webservice. Is there a way to have Report Viewer to not refer directly the Reporting Services WebSites/Services, but through some kind of custom webservice indirection????

    Something like:

    [ReportViewer] Get Report -> [Custom WebService] grab the request, process something, forward it to -> [Reporting Services] produces report -> [Custom WebService] grab the response, process something, return it to -> [ReportViewer] render

  19. Horatui — No, there is no way to do this. If you want to approximate the same thing, you could go into local mode and populate your dataset via another webservice, then bind it to the control.

  20. Horatiu Ripa says:

    Actually, we quite did it…

    But this is a workaround to avoid Forms Authentication of WinForm.ReportViewer.

    The main problem is that we have a custom authentication for a larger app (windows clients/web serviced), which contains reports. We don’t want new pop-ups or whatever for further authentications, once someone is logged in the application it should be able to view the reports.

    Is there a way to obtain a RS Form Authentication authCookie from a Windows app and use it instead of passing usr/pwd?

  21. adolf garlic says:

    I am getting rsLogonfailed doing the same thing



  22. Satvinder Basra says:

    To pass the autenticated user from ASP.NET 2005 to the SQL Report Server 2005 without passing in the user name and password try….

    ReportViewer reportViewer = new ReportViewer();        

    ReportViewerCredentials rvc = new ReportViewerCredentials((WindowsIdentity)Page.User.Identity);

                   reportViewer.ServerReport.ReportServerCredentials = rvc;

    public class ReportViewerCredentials : IReportServerCredentials


       WindowsIdentity _userToken;

       public ReportViewerCredentials(WindowsIdentity userToken)


           _userToken = userToken;


       #region IReportServerCredentials Members

       public WindowsIdentity ImpersonationUser




               return _userToken;



       public ICredentials NetworkCredentials




               return null;  // Not using NetworkCredentials to authenticate.




       #region IReportServerCredentials Members

       public bool GetFormsCredentials(out Cookie authCookie, out string userName, out string password, out string authority)


           authCookie = null;

           userName = null;

           password = null;

           authority = null;

           return false;// throw new Exception("The method or operation is not implemented.");




  23. DS says:

    Hi Russell,

    When i try running the report in ReportViewer control dragged on one of my webpage, i get the following error:

    Client found response content type of ”, but expected ‘text/xml’. The request failed with an empty response.

    (Please note: SSRS works in Forms mode of authentication)

    Can you please suggest me the solution for this problem?

    Any help would be much appreciated.



  24. DS says:

    Ignore my previous query. I got resolved it. ReportServerUrl was not set correctly. I had ‘localhost’ mentioned in it instead of <machinename>



  25. Jay says:


    I’ve just recently been messing around with this stuff and can’t understand something and thought you can shed some light on it.

    I have a network structure where the report server resides on some internal network segment (not internet facing) and my ASP.NET app that needs to serves reports to the clients; the ASP is internet facing.

    When I tried to use the ReportViewer control in my app there were a few things that I noticed that didn’t make much sense to me.

    PROBLE:  When the authentication issued a ticket it needed to translate the Cookie object into HttpCookie object; in the sample code it translated that cookie. In so doing I copied all attributes including the Cookie.Domain object into the HttpCookie (in Login.aspx).

    When I did this, the redirect form (Default.aspx) did not contain the cookie in the Request.Cookies collection. When I didn’t set this in Login.aspx and set it in Default.aspx it seem to render the report fine. Why does this domain setting remove the cookie from the cookiejar?



  26. Dilip Shetty says:

    This is a really useful article. Found it after a long search.

  27. Krip says:

    EXCELLENT article.  Thanks!


  28. p says:

    Forms Authentication does not work with Report Viewer. I get Object moved to here error. Help

  29. Are you pointing to the real name of your server, or using http://localhost instead. Make sure not to use localhost.

  30. tima says:

    Hey there, I’ve done exactly what’s shown here.

    I have form authentication working fine using the microsoft sample but i’m trying to set it up so i can use it with report viewer.

    I have the asp page where the reportviewer is and i have a logon page aswell. But when i enter login credentials, it keeps giving this error:

    Invalid URI: The format of the URI could not be determined.

    its failing at this line:

    MyReportingService svc = new MyReportingService();

           svc.Url = "http://reportserv/reportserver/reportexecution2005.asmx&quot;;

    the link works fine but i don’t know what’s wrong?! Any help much appreciated 🙂

  31. John Foll says:

    I am trying to find out how to get GetUserId function in Report Models to work. It was broken by the Custom Security Extension, like everything else, and I need a fix for it.

  32. Programmer says:

    This worked well….thanks for posting!

  33. sri says:

    Actually we are trying to develop a app in C# for displaying the the ssrs reports. We want to use a tree view and pass the node url’s through the database. WE tried using Report viewer but we were unsuccessful. Can any one help us to find a right way to reach the goal.

  34. Sundar says:

    Thank you very much for the post. It helped me a lot

  35. pregunton says:

    I use ReportService


    I use powershell script por deploy RDL files in SSRS 2008 server

    and I get error

    Message: Exception calling "DeleteItem" with "1" argument(s): "The request failed with HTTP status 401: Unauthorized."

    With the same credential, in IE is ok http://DEVRPS/ReportServer/ReportService2005.asmx?WSDL

    In Report Services 2008 by default it uses its own built-in server, not IIS. You'll need to check in the reporting services directory on your server (its in the usual MSSQL directory in Program Files) to see the configuration files and make changes (you can also make some through reporting services configuration manager). Microsoft does not recommend installing IIS on the reporting services server.

    SSRS 2008 doesn't use IIS

    troubleshoot IIS and 401 not useful then for me…/907273

    Any suggestions ?