ptg
531
Reporting Services Add-In for SharePoint
31
Report Server DB. Report Server ensures that the copy of the reports in Report Server
DB is kept in sync with the master copy in the SharePoint Content DB via a catalog-
synchronization feature. Any metadata associated with the reports such as schedules,
subscriptions, and snapshots for report history or report execution is stored only in
the Report Server DB.
Figure 31.1 shows catalog synchronization as a feature in Report Server in SharePoint inte-
grated mode. This is a background process that is triggered automatically whenever a
report item is created, updated, or retrieved. It ensures that the copies kept in Report
Server DB are in sync with the SharePoint Content DB.
When report items are deleted from the SharePoint site, the Report Server performs peri-
odic verification and removes any copies from the Report Server database along with any
associated report snapshots, subscriptions, and other metadata for the report. At daily
intervals, the Report Server runs a cleanup process to verify that items stored in the Report
Server database are associated with a report in the SharePoint Content database. The
frequency of the cleanup process is controlled by the
DailyCleanupMinuteofDay
property
in the
RSReportServer.config
file.
Security Management
For authentication, both the Windows integrated and trusted account modes are
supported between SharePoint Server and Report Server. Figure 31.2 shows how the
authentication information flows between the SharePoint and Report Server.
In SharePoint integrated mode, SSRS uses a security extension to maintain report security
in MOSS or WSS. SharePoint security features can be used to access report items from
SharePoint sites and libraries. Once you integrate Report Server and SharePoint, the exist-

ing site and list permissions for your users automatically give them permissions for Report
Server operations. For example, the SharePoint View Item permission means the user can
also view reports, whereas the Add Item permission translates to rights for creating new
Windows
(Kerberos)User
WSS Web
Application with
Windows
Authentication
Report
Server
WSS Web
Application (non-
Kerberos or
Custom
Authentication)
Non-
Windows
(non-
Kerberos)
User
Windows
User
Trusted
Account and
SharePoint
User token
FIGURE 31.2
Security authentication modes.
From the Library of STEPHEN EISEMAN

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
532
CHAPTER 31 SSRS 2008 SharePoint Integration Architecture
reports, data sources, and report models on the SharePoint site. A list of SharePoint
permissions and how they map to Report Server operations is provided in Chapter 33.
Deployment Architecture
Prerequisites for SSRS to integrate with SharePoint include the following:
. Install SSRS 2008 in SharePoint integrated mode, which is available in the following
editions: Developer, Evaluation, Standard, and Enterprise.
. Install the same type and version of SharePoint WFE on the Report Server machine
as is on the SharePoint Server that will be used for integration. Integration is
supported for WSS 3.0 and MOSS 2007 Standard or Enterprise editions. If you inte-
grate with WSS, install the WSS WFE on the Report Server machine; for MOSS,
install the MOSS WFE.
. Install the RS add-in on each SharePoint WFE that will be used to view and man-
age reports.
To plan your system architecture, here are the variations of deployment topologies to
consider:
. Single machine: Figure 31.3 shows all SSRS and SharePoint components working
together on the same machine. Putting everything on a single computer may not be
practical for an enterprise production deployment, but it is attractive in a develop-
ment or testing environment to save costs (for example, hardware and software
licensing costs).
. Distributed servers: It is common to separate the application server and database
server on separate machines even for a single instance of SSRS or SharePoint Server.
RS
Add-in
Clients
Clients

Clients
IE
SharePoint
WFE
RS Server RSDB
Flat Files,
OLE DB,
ODBC
SQL, AS,
DB2, Oracle,
Teradata, etc.
MOSS or WSS
Report Server
Report Catalog
Reporting Data
Single Box
FIGURE 31.3
Single-machine deployment of SSRS and SharePoint.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
533
Summary
31
For example, you may have all the databases for SharePoint and Report Server on
one machine, Report Server on another machine, and the SharePoint web applica-
tion on a third machine. As long as you install a SharePoint WFE on the Report
Server machine and the RS add-in on the SharePoint web application, the deploy-
ment topology is sound and provides better resource isolation between the servers.
. Scalable deployments: To support a large number of users or workloads, multiple

instances of the same server component can be deployed, such as multiple Report
Servers or multiple SharePoint sites (also called a SharePoint farm). Figure 31.4 shows
a series of computers being used for SSRS scale out and a series of computers being
used for a SharePoint farm. NLB in Figure 31.4 stands for network load balancer. The
entire SharePoint farm must be configured to use a virtual Report Server URL as a
single point of entry. Individual SharePoint sites in a farm cannot be configured
against different Report Servers. SSRS does not provide load-balancing features or the
ability to configure a virtual server URL out of the box. Therefore, a hardware or
software load-balancing solution must be used.
Summary
SSRS SharePoint integration is enabled via deep database and security integration between
Report Server and SharePoint via the Report Server SharePoint integrated mode. An RS add-
in is required to be installed on the SharePoint web application to view and manage
reports and to interact with SSRS. All user actions are initiated via the SharePoint UI, which
uses a proxy to communicate with Report Server and complete any actions on report items.
A variety of deployment topologies can be picked for integration between SharePoint and
SSRS, such as single machine, distributed servers, and scalable deployments.
Clients
Clients
Clients
NLB
Flat Files,
OLE DB,
ODBC
SQL, AS,
DB2, Oracle,
Teradata, etc.
NLB
RS Server
+ SharePoint WFE

RS Server
+ SharePoint WFE
RS Server
+ SharePoint WFE
RS
Add-in
SharePoint
WFE
RS
Add-in
SharePoint
WFE
RS
Add-in
SharePoint
WFE
SharePoint Farm
RS Scale Out Deployment
Report Catalog
Reporting Data
SharePoint and SSRS Scaled Out
FIGURE 31.4
Multiple-machine deployment in a scale-out farm.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
This page intentionally left blank
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg

CHAPTER
32
Installation of Reporting
Services Integrated with
SharePoint
IN THIS CHAPTER
. Installing Reporting Services
. Installing SharePoint
. Configuring Report Server in
SharePoint Integrated Mode
. Installing Reporting Services
Add-In for SharePoint
. Configuring Report Server
Integration Via SharePoint
Central Administration
. Upgrading from SSRS2K5 SP2
. Scaling-Out Deployments
. Troubleshooting
T
he preceding chapter covered deployment architectures,
which can help you to decide whether to integrate
SharePoint with Reporting Services on a single machine,
distributed servers, or scalable farms.
Traditionally, you can launch Microsoft software installa-
tion by clicking
setup.exe
without much planning and
troubleshoot if something goes wrong. Customers have
found that installation and configuration of the integration
between SharePoint and Reporting Services can be hard to

troubleshoot. There might also be additional steps needed
to configure your specific deployment environment.
Therefore, we highly recommend that you spend some time
planning the list of tasks for your integrated deployment
before you actually start installation.
The recommended order for setup and configuration is as
follows:
1. Install Reporting Services.
2. Install SharePoint.
3. Configure Report Server for SharePoint mode.
4. Install the RS add-in for SharePoint.
5. Configure SharePoint to work with Report Server.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
536
CHAPTER 32 Installation of Reporting Services Integrated with SharePoint
NOTE
Basic (default) installation of SharePoint Server will install an Embedded Edition of SQL
Server that is used for storing the SharePoint Content and Configuration databases. If
you are installing SharePoint Server and Reporting Services on the same machine,
note that Reporting Services cannot use the Embedded Edition of SQL Server for stor-
age. You will have to install a database engine from the SQL Server CD along with
Reporting Services.
Installing Reporting Services
Follow the steps from Chapter 6, “Installing Reporting Services.” Step 10 and Figure 6.9
show how to specify the installation mode on the Reporting Services Configuration page.
To pick the default configuration for SharePoint integrated mode installation, select the
Install the SharePoint Integrated Mode Default Configuration option. This option will
configure the Report Server web service, Report Server database, the service account, and

connections needed for access.
An alternative is to pick the Install, but Do Not Configure the Report Server option. This is
called a Files Only mode of installation. This will require post-installation configuration
steps that provide more opportunities to pick URLs, port numbers, and names for web
services and databases.
Installing SharePoint
You can do a fresh install of Windows SharePoint Services 3.0 (WSS) or Microsoft Office
SharePoint Server 2007 (MOSS) or use existing SharePoint deployments to integrate with
Reporting Services. Refer to tutorials or books on WSS and MOSS for information about
topics such as administration of SharePoint farms. For many readers, you are likely to have
existing installations of WSS or MOSS, and your SharePoint administrator can help you
with the integration tasks.
If you are installing a new SharePoint Server, you can reduce the number of database
engines to manage by reusing the SQL Server 2008 database you just installed with SSRS
2008 as your storage location for SharePoint.
NOTE
If your deployment topology includes installing the Report Server and SharePoint Server
on separate machines, remember to install a SharePoint Web Front End (WFE) on the
Report Server computer, too. The WFE type and version should be the same as on the
SharePoint Server (WSS or MOSS) that you are integrating with SSRS. Follow steps 1
through 3 described in the instructions to set up WSS 3.0.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
537
Configuring Report Server in SharePoint Integrated Mode
Here are the basic steps to set up WSS 3.0 to use for reporting integration:
1. WSS 3.0 is available as a free download as a setup file called
SharePoint.exe
.

Download it and launch
SharePoint.exe
.
2. Click the Advanced installation type and select Web Front End.
3. To configure the WFE, use the SharePoint Configuration Wizard. If you are installing
just a WFE on the machine, choose the Connect to an Existing Server Farm option
and you should be done.
4. To continue to set up a new SharePoint Server, choose the Create a New Server
Farm option.
5. Pick the database server where the SharePoint Configuration database should live.
Note that if you have installed SSRS 2008 already, you can try to use the same data-
base as Reporting Services. You will need to specify Windows account credentials for
WSS to connect to the database. We recommend using a domain account.
6. Create a web application and site collection via the SharePoint Central
Administration application.
7. From the Application Management tab, click the Create or Extend Web Application
link and choose Create a New Web Application.
8. Choose the Use an Existing IIS Web Site option to use the default website.
9. Choose to Create New Application Pool and select the Network service account as
the security account for the application.
10. Click the Create Site Collection link on the Application Created page and pick a
name for the portal site.
11. Enter a Windows domain account as your primary site collection administrator. A
new site collection is created with a top-level site (for example,
http://servername
).
12. If you want, you can create a new subsite (for example, reports) from the top-level
site using the Site Actions drop-down menu on the top right. Now
http://servername/reports
is ready to host any documents (in this case, reports).

Configuring Report Server in SharePoint Integrated
Mode
You can use the Report Server Configuration tool to create a Report Server database in
SharePoint integrated mode and configure the Report Server Service.
Chapter 34, “Tools Support for SSRS Integrated with SharePoint,” is about using tools with
SharePoint mode, and Figure 34.3 shows the Report Server Database Configuration
Wizard, which you can use to create the Report Server database in SharePoint mode.
Note that you have to configure the Report Server Service to run under a domain account
if Report Server and application databases are on one computer and the SharePoint web
application is on another computer. Chapter 33, “SharePoint Mode Administration,”
provides more information about security.
32
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
538
CHAPTER 32 Installation of Reporting Services Integrated with SharePoint
FIGURE 32.1
SharePoint Central Administration: Reporting Services management.
Installing the RS Add-In for SharePoint
Go to www.microsoft.com/downloads and search for “Reporting Services add-in for
SharePoint.”
NOTE
There are multiple versions of the SSRS add-in. You need to download the 2008
Reporting Services add-in for SharePoint for the language of your choice. Version
10.00.2531.00 released on April 7, 2009 is the most current update and includes the
Report Builder 2.0 Click Once update (www.microsoft.com/downloads/
details.aspx?displaylang=en&FamilyID=58edd0e4-255b-4361-bd1e-e530d5aab78f).
Run the
rsSharePoint.msi

on each SharePoint Web Front End (WFE) that is part of your
SharePoint farm and will be used to run and manage reports. Doing so requires SharePoint
farm administrator privileges.
Configuring Report Server Integration Via
SharePoint Central Administration
Launch your SharePoint 3.0 Central Administration and click the Application
Management tab (see Figure 32.1).
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
539
Configuring Report Server Integration Via SharePoint Central Administration
If the RS add-in for SharePoint was properly installed and activated, you should see a
section for Reporting Services with the following links: Grant Database Access, Manage
Integration Settings, and Set Server Defaults. If you don’t see these links, navigate to Site
Actions, Site Settings, Site Collection Features, and find Report Server Integration Feature
in the list and click Activate (see Figure 32.2 and Figure 32.3).
32
FIGURE 32.2
SharePoint Central Administration: Site Collection Features.
FIGURE 32.3
SharePoint Central Administration: Activate Report Server Integration Feature.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
540
FIGURE 32.4
Reporting Services Application Management: Manage Integration Settings.
FIGURE 32.5
Reporting Services Application Management: Grant Database Access.

Once the Reporting Services section shows up under Application Management, you can
use the various links under it to configure SharePoint to talk to Report Server.
First, click Manage Integration Settings (see Figure 32.4). In the first field, you can specify
the Report Server web service URL, which represents the target Report Server in SharePoint
mode. This is the same value as the web service URL from the Reporting Services
Configuration tool. The second field is a drop-down choice for authentication mode
(between Windows authentication or trusted authentication), which can be selected based
on what type of authentication mode is used for the SharePoint web application.
CHAPTER 32 Installation of Reporting Services Integrated with SharePoint
Now, click Grant Database Access (see Figure 32.5) to allow the Report Server Service to
access the SharePoint Configuration and Content databases. Specify the Report Server
name and database instance name. When you click OK, a pop-up dialog will request
credentials for connecting to the Report Server.
The last link under Reporting Services Application Management is Set Server Defaults (see
Figure 32.6).
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
541
Configuring Report Server Integration Via SharePoint Central Administration
32
The Set Server Defaults option enables you to specify the default for the following
Reporting Services features:
. Report History Default: The ability to limit the default number of snapshots that
can be stored for each report.
. Report Processing Timeout: The ability to time out report processing after certain
number of seconds.
. Report Processing Log: The ability to generate trace logs for report processing.
. Enable Windows Integrated Security: The ability to connect to report data
sources with the user’s Windows security credentials.

. Enable Ad Hoc Reporting: The ability to control whether users can perform ad
hoc queries from a Report Builder report. If this is not set, the Report Server will not
generate clickthrough reports for reports that use a report model as a data source.
. Custom Report Builder Launch URL: The ability to specify the launch URL for
the Report Builder that ships with SQL Server 2008 or Report Builder 2.0.
If you are using a SharePoint farm or a scale-out reporting deployment topology and don’t
want to repeat these configuration steps manually on each server, you can use SSRS
programmability to create configuration scripts. Chapter 33 shows a code sample of how
to do that.
FIGURE 32.6
Reporting Services Application Management: Set Server Defaults.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
542
CHAPTER 32 Installation of Reporting Services Integrated with SharePoint
Upgrading from SSRS2K5 SP2
If you were already using Reporting Services 2005 SP2 in SharePoint integrated mode, you
can upgrade the 2005 SP2 Report Server to 2008, and you can also do an in-place upgrade
of the 2005 SP2 Reporting Services add-in for SharePoint with the 2008 version.
Scaling-Out Deployments
Here are some security account prerequisites for multiple-server deployments:
. Create or use an existing domain user account to connect the SharePoint WFE to the
SharePoint Configuration database. Server farms require that you use domain
accounts for services and database connections. Otherwise, you will get
Access
Denied
errors.
. Create a SQL Server database login for the domain account with DBCreator
permissions.

. Configure the SharePoint application pool process account to run as a domain user.
. Configure the Report Server Service to run as a domain user account.
Traditional steps for setting up SharePoint farms (refer to SharePoint documentation or
books) and scale-out Reporting Services can be applied. Here are some additional princi-
ples that have to be followed for SSRS scale-out deployments with SharePoint:
. All Report Servers in a scale-out deployment must run in SharePoint integrated
mode. It is not possible to mix and match modes.
. The instance of the SharePoint product (WSS 3.0 or MOSS 2007) that you install on
the Report Server must be the same version as the other nodes in the farm.
. There must be a single URL for the scale-out deployment that is used for configura-
tions in SharePoint farms because there is no support for configuring an individual
SharePoint WFE with individual Report Servers. You can create a single point of
entry to the scale-out deployment via a URL that resolves to a virtual IP for the NLB
cluster for Report Server instances.
Make sure you install the minimum SharePoint installation such as WFE on the SSRS
machines. Otherwise, you will see the error
The Report Server cannot access settings
in the SharePoint Configuration database
.
NOTE
SQL Server Books Online has a helpful article available titled “How to Configure
SharePoint Integration on Multiple Servers” ( />library/bb677365.aspx).
There is also a helpful blog post on distributed server deployment for SharePoint inte-
grated mode at />point-multiple.html.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
543
Summary
32

Troubleshooting
As mentioned at the beginning of this chapter, customers find various challenges (installa-
tion and configuration) when integrating SharePoint with Reporting Services. Some useful
tips are listed here. If you run into further problems, see Appendix A, “References and
Additional Reading,” for a list of resources (white papers, blogs, and newsgroups) that may
help you to resolve various issues.
. Problems on domain controllers: If the “Grant database access” step fails with
A
new member could not be added to a local group because the member has the
wrong account type
error, make sure your Report Server services accounts are
domain accounts on a domain controller. Otherwise, you will get an error when you
try to add the account to the local WSS_WPG group.
. Problems installing the RS add-in for SharePoint: If you see
User does not
have permission to add feature to site collection
, locate the installation log
created by the RS add-in MSI in the Temp folder (
<Drive>:\Documents and
Settings\<user_name>\Local Settings\Temp\RS_SP_<number>.log
). You should be
able to locate log entries such as the following:
Activating feature to root site collection: <sharepoint_site_collection>
******* User does not have permission to add feature to site collection:
➥<sharepoint_site_collection>
This means that the RS integration feature was installed, but the feature might not
be activated for the
<sharepoint_site_collection>
, because the user who ran the
MSI was not a site collection administrator. To view the RS integration feature in the

site, you need the site collection administrator to activate the Report Server feature.
NOTE
There is a white paper titled “Troubleshooting Integration with SQL Server 2005 and
Microsoft SharePoint Technologies” at />bb969101.aspx. Even though it was created for 2005 SP2, it is relevant for 2008 inte-
gration, too.
Summary
Plan your deployment architecture for integrating Reporting Services with SharePoint care-
fully and follow these setup steps in this order:
1. Install Reporting Services.
2. Install SharePoint technology.
3. Configure Report Server for SharePoint mode.
4. Install the RS add-in for SharePoint.
5. Configure SharePoint to work with Report Server.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
This page intentionally left blank
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
CHAPTER
33
SharePoint Mode
Administration
IN THIS CHAPTER
. Security Overview
. User Authentication with
SharePoint
. Windows Integrated Security
. Trusted Account with Windows

or Forms Authentication
. User Authorization with
SharePoint
. Programmability
. Configuration Code Sample
. Setting Up Kerberos
Authentication
I
nstallation and configuration of Reporting Services inte-
grated with SharePoint is more than half the challenge for
administration.
Here is a basic checklist that you should have completed
during installation:
. Install a SharePoint Web Front End (WFE) on the
Report Server machine.
. Install the Reporting Services add-in on the
SharePoint Server.
. Activate the Report Server feature in SharePoint
Central Administration.
. Create or point to a Report Server database in
SharePoint integrated mode via the Reporting Services
Configuration tool.
. Configure Report Server integration via SharePoint
Central Administration.
If you did not complete any of those steps, refer for instruc-
tions to Chapter 32, “Installation of Reporting Services
Integrated with SharePoint.”
The other challenges for administration are security, autho-
rization, and programmability. The rest of the chapter
covers these areas.

Security Overview
For SharePoint integrated mode, the Report Server uses the
authentication and authorizations defined in the
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
546
CHAPTER 33 SharePoint Mode Administration
SharePoint web application to control access to report operations. This makes administra-
tion much simpler and primarily driven by the SharePoint administrator.
Reporting Services will process requests based on the SharePoint web application authenti-
cation settings, such as the following:
. Windows with integrated security (Kerberos enabled)
. Windows without impersonation
. Forms authentication
Kerberos is better compared to NTLM when multiple hops are required. So, it is good for
single-server or multiserver deployment scenarios and when external data sources are
involved that use Windows integrated credentials.
Custom security extensions for Reporting Services are not supported with SharePoint
integrated mode. All access to a Report Server in SharePoint Integrated mode originates
from the SharePoint web application. Report Server just sticks to the SharePoint authenti-
cation scheme.
Authorization to access Report Server items from SharePoint sites and libraries is mapped
to the built-in permission model for SharePoint. This means that after SharePoint is inte-
grated with Reporting Services, the existing permission levels of SharePoint users (for
example, Read, Contribute, or Full Control) for the site will apply to report operations,
too. This allows users to publish reports, view reports, create subscriptions, or manage
report items such as data sources.
Reports (
.rdl

), report models (
.smdl
), and report data sources (
.rds
) are SharePoint docu-
ment library items. One of the various menu actions available on these report items is
Manage Permissions. This enables users to set individualized permissions on report items
and is described further in Chapter 36, “Managing Reports in SharePoint.”
User Authentication with SharePoint
Reporting Services process requests are based on the SharePoint web application authenti-
cation settings. Two basic authentication workflows are used between SharePoint and the
Report Server:
. Windows integrated security
. Trusted account
So how do you choose between Windows integrated or trusted account authentication?
Use the Windows Integrated option for Kerberos-enabled environments and in single-box
deployment scenarios. Use Trusted Account mode for forms-based authentication,
Windows authentication when impersonation is not enabled, and other scenarios. If you
are having trouble setting up Kerberos, consider using Trusted Account mode to at least set
up and verify that RS integration with SharePoint works. After you have fixed your
Kerberos issues, you can choose to switch to using Windows integrated. For help with
Kerberos, see the section on setting up Kerberos authentication.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
547
Windows Integrated Security
An understanding of the various security connections that are involved in completing a
reporting request from a SharePoint site comes in handy when planning or troubleshoot-
ing security for your deployment.

Windows Integrated Security
Figure 33.1 shows the authentication workflow for a SharePoint application that is config-
ured to use Windows integrated security and is integrated with Reporting Services. The
components in the diagram should be familiar from the chapter on the architecture of
SharePoint integration with Reporting Services.
33
To understand the various connections involved in the workflow, follow the numbered
arrows in Figure 33.1:
1. Windows User1 makes a request to render a report from the Report Viewer web part
via SharePoint.
2. The Reporting Services proxy connects to Report Server using the Windows User1
credentials and token.
3. If the connection is successful, Report Server needs to verify whether User1 has
permissions to access and render the report. This is done by connecting to the
SharePoint object model to verify the SharePoint permissions for User1 for the report.
4. If access is allowed, the Report Server proceeds to render the report.
5. Report Server will use the User1 credentials to retrieve and sync the latest copy of
the report from the SharePoint Content DB and then execute the report.
6. The report results are sent back to be displayed in the Report Viewer.
User1
(User1)
HTTP Req
(User1)
HTTP Req
Render
(User1)
(User1)
(User1)
HTTP
RESPONSE

(User1)
HTTP Rsp
SharePoint WFE Report Server
(Service Acct. = User2)
Report
Viewer
web part
Security
Extension
SharePoint Object Model
SSRS
Proxy
1
2 4
6
5
3
Report
Server DB
SharePoint Config/ContentDB
Data Management
Processing
and
Rendering
On-
Demand
Sync
FIGURE 33.1
Authentication workflow using Windows integrated security.
From the Library of STEPHEN EISEMAN

Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
548
Trusted Account with Windows or Forms
Authentication
Figure 33.2 shows the authentication workflow for a SharePoint application that is config-
ured to use forms authorization or Windows without Kerberos. It relies on a predefined
trusted account that has permission to impersonate a SharePoint user on the Report Server.
CHAPTER 33 SharePoint Mode Administration
To understand the various connections involved in the workflow, follow the numbered
arrows in Figure 33.2:
1. Windows User1 makes a request to render a report from the Report Viewer web part
via SharePoint.
2. The SharePoint web application authenticates User1 against the SharePoint object
model and creates a SharePoint user token that contains the user identity and group
membership for User1.
3. The Reporting Services proxy connects to Report Server using User2, the trusted
Windows service account under which the SharePoint web farm is running, and
sends along the User1 SharePoint user token.
4. The Report Server validates whether the connection request is from a trusted
account by comparing User2 to account information that the Report Server retrieved
from the SharePoint Configuration databases when the Report Server started.
5. If the authentication is valid, the rendering request can proceed along with the
User1 SharePoint user token.
6. Report Server needs to verify whether the User1 SharePoint token contains the user
identity and permissions needed to access and render the report.
User1
(User1)
HTTP Req
(User1)

HTTP Req
(User1 SP
Token)
Render
(User1 SP
Token)
(User2)
(User1)
HTTP SOAP
RESPONSE
(User1)
User1 Sharepoint
Token
HTTP Rsp
SharePoint WFE Report Server
(Service Acct. = User2)
Report
Viewer
web part
SharePoint Object
Model
Security
Mgmt
SharePoint Object Model
SSRS
Proxy
1
3
5
7

6
2
8
4
Report
Server DB
SharePoint Config/ContentDB
Data Management
Processing
and
Rendering
On-
Demand
Sync
FIGURE 33.2
Authentication workflow using trusted account authorization.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
549
User Authorization with SharePoint
33
7. If access is allowed, the Report Server retrieves and syncs the latest copy of the report
from the SharePoint Content DB, and then executes the report.
8. Report Server returns the report results back to the SharePoint WFE using the
Windows trusted account, User2.
9. Reporting Services proxy returns the report results back to the Report Viewer web
part via the original User1 connection.
User Authorization with SharePoint
Authorization to access Report Server items from SharePoint sites and libraries is mapped

to the built-in permission model for SharePoint. So, you need to start with a basic under-
standing of the SharePoint permissions model, which allows securing SharePoint sites and
documents. Inheritance is supported to apply permissions from the site level to all
subsites and from folders to all its documents. Permissions are grouped into sets of permis-
sion levels that can be granted to SharePoint users or groups. Five default permission
levels are available in SharePoint: Full Control, Design, Contribute, Read, and Limited
Access. Think of these as default roles that can be applied to users. SharePoint also
provides default groups that map to some of the predefined permission levels. Adding
users who need to use reports to these default groups is the easiest way to give them the
appropriate level of access to reports. Most of the SharePoint users may already belong to
one of more of these groups:
. Visitors: This group has the Read permission level. Visitors can view reports and
create subscriptions.
. Members: This group has the Contribute permission level. Members can create new
reports, models, report data sources, and other report items in SharePoint or publish
them from design tools to SharePoint.
. Owners: This group has Full Control. Owners can create, manage, and secure all
report items and operations.
Another way to look at it is to map traditional Reporting Services roles from native mode
to SharePoint groups:
. Content Manager: This role has full permissions to all items and operations. This
can be mapped to the Owners group in SharePoint.
. Publisher: This role allows adding and editing of reports, models, and data sources.
This can be mapped to the Members group.
. Browser: This role allows viewing reports and managing individual subscriptions.
This can be mapped to the Visitors group.
. Report Builder: This role allows viewing reports, managing individual subscrip-
tions, and opening and editing reports in Report Builder. The Members and Owners
groups provide these rights, but they provide other privileges, too. If you don’t want
your Report Builder users to have those privileges, you can create a custom group in

SharePoint and assign limited permissions.
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.
ptg
550
CHAPTER 33 SharePoint Mode Administration
. System User, System Administrator, My Reports: These roles don’t have an
equivalent mapping because they are not relevant in SharePoint mode.
Table 33.1 is a reference list of SharePoint permissions, regardless of whether they are
included in default SharePoint groups, and the Report Server operations that get enabled
with the permission.
TABLE 33.1
SharePoint Permissions
SharePoint
Permission
Owners Members Visitors Report Server Operation
Manage
Lists
X Create a folder in a SharePoint
library
Manage
report
history
Add Items X X Add reports, report models, shared
data sources, and external image
files to SharePoint libraries
Create shared data sources
Generate report models from
shared data sources
Start Report Builder and create a

new report or load a model into
Report Builder
Edit Items X X Edit or replace report, model, data
source, and dependent report
items
Create report history snapshots or
view past versions of report
history snapshots
Set report processing options and
parameters
Open model or model-based report
in Report Builder and save
changes
Assign clickthrough reports to enti-
ties in a model
Customize Report Viewer web part
for specific report
From the Library of STEPHEN EISEMAN
Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark.