Service Account Configuration for Reporting Service
Found a good MSDN article about configuring service accounts for SQL 2005 Reporting Service, see below. One thing want to highlight is that for production, it is recommended to use domain accounts. Although the passord expiration needs to be managed, it is best practice for many organizations.
The
report server Windows service account is first specified during Setup when you
specify options in the Service Account
page. Although specifying the service account during Setup is required, you can
choose a different account after Setup is finished. For more information about
the permissions that each service requires, see Setting Up
Windows Service Accounts.
The
report server Web service account can be specified during Setup if you are
installing the default configuration. In the default configuration, the Web
service account always runs as the default ASP.NET account on Windows XP or
Windows 2000 server, or as Network Service on Windows Server 2003. If ASP.NET
is configured to use a different account, the report server Web service account
must be specified manually.
To
set up the service accounts manually, use the Reporting Services Configuration
tool. The tool includes two pages for specifying the accounts: the Web Service
Identity page and the Windows Service Identity page. You can specify the
service accounts in any order. For more information, see Changing Service
Accounts and Passwords.
When
configuring the accounts, you can use any of the following account types:
Account |
Explanation |
Network Service |
This is a built-in account that is well-suited for running the report server Web service on Microsoft Windows Server 2003 and Windows XP Service Pack 2 (Network Service is not available on other Windows operating systems). Choose Network Service if you want to avoid any down-time that might occur as a result of password expiration policies. Avoid Network Service if you do not want to run the report server under accounts that might also be used by other applications. |
Domain accounts |
You can choose a Windows domain account if the account has minimal permissions. Windows domain accounts are the default for SQL Server services. Choose domain accounts if you want to precisely configure the permissions on the service. Avoid domain accounts if do not want to change the password or account due to expiration security policies used in your organization. |
Local Service |
This is a built-in account that is similar to an authenticated user account. Services that run as the Local Service account access network resources as a null session with no credentials. This account is not appropriate for most intranet deployment scenarios. If domain accounts are used to create subscriptions, you cannot use Local Service for the Report Server Windows service account. If you use Local Service, the report server database must be on the same computer if the service account is used to connect to the report server database. If you want to use remote SQL Server instance, you must use SQL Server authentication and a database user login for the report server database connection. Local Service is the default service account for a report server you install through Microsoft SQL Server 2005 Express Edition with Advanced Services. That edition has built-in restrictions that prevent access to remote servers. For more information, see Reporting Services in SQL Server 2005 Express Edition with Advanced Services. |
Local System |
Avoid this account for report server installations. Local System is a highly privileged account that is not necessary for running a report server. Choose a domain account, Network Service, or Local Service instead. |