SSRS Subscription TGGAU Rights: AuthzInitializeContextFromSid Exceptions

When you configure SSRS using a domain account and allow users to setup subscriptions sometimes SSRS failed on running these SQL Agent jobs by saying "Failure writing file Test SSRS : The report server has encountered a configuration error. See the report server log files for more information." in the subscription console itself. However when you check the Reporting Services log you will notice that the error has very little to do with writing the actual report than it has has with actually creating it.

 This a pretty misleading error and one can spend hours on a tangent. Checking the logfile will show the real error which is as follows:

ReportingServicesService!library!d!08/27/2008-12:39:42:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error. See the report server log files for more information., AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service account doesn't have rights to check domain user SIDs.;

Info: Microsoft.ReportingServices.Diagnostics.Utilities.ServerConfigurationErrorException: The report server has encountered a configuration error. See the report server log files for more information.

This is happens because SSRS needs to verify the subscription owner's access to the report prior to generating and sending it. This error occurrs when you choose Windows File Share or Send e-Mail option. In order for SSRS to check account validity it has to read the token-groups-global-and-universal (TGGAU) attribute for the subscription owner; by default most domain accounts do not have this right except for pre-Windows 2000 domains.

This can be resolved by by adding the service account to the Windows Authorization Access (WAA) group in Server 2003 or Server 2008. The WAA group is granted access to TGGAU by default on server 2003 and that should at least get rid of this exception.