Service Account Configuration for Reporting Service


 

Found a good MSDN article about configuring service accounts for SQL 2005 Reporting Service, see below.  One thing want to highlight is that for production, it is recommended to use domain accounts. Although the passord expiration needs to be managed, it is best practice for many organizations.

 

Configuring
Service Accounts

 

The
report server Windows service account is first specified during Setup when you
specify options in the Service Account
page. Although specifying the service account during Setup is required, you can
choose a different account after Setup is finished. For more information about
the permissions that each service requires, see Setting Up
Windows Service Accounts
.

 

The
report server Web service account can be specified during Setup if you are
installing the default configuration. In the default configuration, the Web
service account always runs as the default ASP.NET account on Windows XP or
Windows 2000 server, or as Network Service on Windows Server 2003. If ASP.NET
is configured to use a different account, the report server Web service account
must be specified manually.

 

To
set up the service accounts manually, use the Reporting Services Configuration
tool. The tool includes two pages for specifying the accounts: the Web Service
Identity page and the Windows Service Identity page. You can specify the
service accounts in any order. For more information, see Changing Service
Accounts and Passwords
.

 

When
configuring the accounts, you can use any of the following account types:

 

Account

Explanation

Network
Service

This
is a built-in account that is well-suited for running the report server Web
service on Microsoft Windows Server 2003 and Windows XP Service Pack 2 (Network
Service
is not available on other Windows operating systems).

Choose
Network Service if you want to avoid any down-time that might occur as
a result of password expiration policies. Avoid Network Service if you
do not want to run the report server under accounts that might also be used
by other applications.

Domain
accounts

You
can choose a Windows domain account if the account has minimal permissions.
Windows domain accounts are the default for SQL Server services.

Choose
domain accounts if you want to precisely configure the permissions on the
service. Avoid domain accounts if do not want to change the password or
account due to expiration security policies used in your organization.

Local
Service

This
is a built-in account that is similar to an authenticated user account.
Services that run as the Local Service account access network
resources as a null session with no credentials.

This
account is not appropriate for most intranet deployment scenarios.

If
domain accounts are used to create subscriptions, you cannot use Local
Service for the Report Server Windows service account.

If
you use Local Service, the report server database must be on the same
computer if the service account is used to connect to the report server
database. If you want to use remote SQL Server instance, you must use SQL
Server authentication and a database user login for the report server
database connection.

Local
Service
is the default service account for a report server you install
through Microsoft SQL Server 2005 Express Edition with Advanced Services.
That edition has built-in restrictions that prevent access to remote servers.
For more information, see Reporting
Services in SQL Server 2005 Express Edition with Advanced Services
.

Local
System

Avoid
this account for report server installations. Local System is a highly
privileged account that is not necessary for running a report server. Choose
a domain account, Network Service, or Local Service instead.

 


Skip to main content