Reporting Services installation/configuration does not set the NTAuthenticationProviders

I wanted to bring forward an issue (probably not the correct word) with RS 2005.

 

We typically do two types of TFS installations: dual server and single server.

 

A typical dual-server environment has the following setup [all SQL Server versions are 2005 only]:

Machine A (called the DT) will have the SQL engine & Analysis Services.

Machine B (called the App Tier) will have RS, SharePoint & TFS.

 

A single server setup will have SQL, RS, SSAS, SharePoint & TFS running on the same box.

 

The point here is that TFS + RS + SharePoint will be on the same box in a typical TFS deployment, while SQL & SSAS can be on the same box or a different one.

 

During TFS installations, RS is installed on the TFS box beforehand (as a pre-req) and SharePoint is (typically) installed as part of the TFS installation. SharePoint extends the default web site and sets “NTAuthenticationProviders” to NTLM. After a successful installation of TFS, users create Team Projects. For each team project, new reports are uploaded to the report server and a new site collection is created in SharePoint. Clients (machines that have Visual Studio Team Explorer installed) can browse reports and SharePoint project portals, along with TFS components, with no issues. Users can also browse reports directly in IE on their machines.

 

Now the real thing: with TFS 2008 we support multi-tiered deployments for TFS. One such deployment could involve machines as follows:

#1 Machine A hosts SQL & Analysis Services

#2 Machine B hosts an existing (not installed and configured during TFS installation) SharePoint farm.

#3 Machine C hosts Reports & TFS.

 

In this kind of setup, when we install TFS on machine #3, SharePoint is not installed on the TFS box (machine #3). RS 2005 is installed on machine #3 as a pre-req before installing TFS, but it is not configured. When a TFS admin installs TFS on machine #3, the TFS installation configures RS as part of its own installation and creates the Reports & ReportServer virtual directories under the default web site. The TFS installation also sets NTAuthenticationProviders for the TFS web site explicitly to NTLM. It does not, however, set NTAuthenticationProviders to NTLM for the default web site, which hosts the reports virtual directories.

 

As a result, NTAuthenticationProviders for the default web site falls back to “Negotiate, NTLM”, which is the IIS default for any web site on which NTAuthenticationProviders is not set explicitly.

 

The resulting behavior is this: on machine #3, the TFS Application Tier box, reports work in Team Explorer, IE, etc. However, when you try to browse reports from a client box, through IE or VS, you are prompted for user credentials three times and then the reports do not show up (the request fails with a 401.1 error if you browsed the reports in IE). Event Viewer -> System log on the client box will show a Kerberos-related error.

 

To resolve this issue, either set up Reports to work with Kerberos authentication by following https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true, which is mentioned in https://msdn.microsoft.com/en-us/library/bb283249(SQL.90).aspx.

 

Or, if you want NTLM as the preferred authentication provider, use the following steps on the AT box (KB215383):

1. Click Start, click Run, type cmd, and then press ENTER.

2. Locate the directory that contains the Adsutil.vbs file. By default, this directory is C:\Inetpub\Adminscripts.

3. Use the following command to set the authentication provider to NTLM:

cscript adsutil.vbs set w3svc/WebSite/root/NTAuthenticationProviders "NTLM"

     In this command, WebSite is a placeholder for the Web site ID number. The Web site ID number of the default Web site is typically 1.
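One way to confirm from a client box which providers the default web site offers, before and after the adsutil change, is to look at the WWW-Authenticate headers on the 401 challenge. This is an added example, not part of the original post; the sample responses are constructed, and the function names and the /Reports/ path are assumptions.

```python
import http.client

# Constructed sample 401 responses (not captured from a real server).
BEFORE_FIX = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)
AFTER_FIX = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "Content-Length: 0\r\n\r\n"
)

def offered_schemes(raw_head):
    """Return the schemes named in WWW-Authenticate headers, in order, lowercased."""
    schemes = []
    for line in raw_head.split("\r\n")[1:]:      # skip the status line
        if not line:
            break                                # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        parts = value.strip().split(None, 1)     # scheme first, parameters after
        if parts:
            schemes.append(parts[0].lower())
    return schemes

def classify(raw_head):
    """Summarise the challenge: is Negotiate (Kerberos path) still on offer?"""
    if raw_head.split("\r\n", 1)[0].split()[1] != "401":
        return "no-challenge"
    schemes = offered_schemes(raw_head)
    if "negotiate" in schemes:
        return "negotiate-offered"               # clients may attempt Kerberos
    return "ntlm-only" if "ntlm" in schemes else "no-integrated-auth"

def probe(host, path="/Reports/", port=80):
    """Send one anonymous GET and classify the reply (needs network access)."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
    conn.close()
    return classify(head + "\r\n")
```

A result of "negotiate-offered" from a client box means the site is still using the IIS default, so either the Kerberos setup or the NTLM setting above still has to be applied.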