Out of the box, SSRS supports Windows authentication and authorization. If you need to have custom authentication, SSRS provides this through custom authentication (or security) extensions. You have to develop a new security extension to handle custom authentication. .NET Framework greatly simplifies Windows and Basic authentication handling through classes in the System.Net namespace. Prior to deciding which authentication method to use, consider security implications of each form of authentication and SSRS virtual directory settings in IIS; see Figure 25.3. Figure 25.3. SSRS virtual directory settings in IIS.
As you might recall, we leveraged the .NET Framework to set Windows credentials in the GeTReportXML2005() method earlier in this chapter: rs.Credentials = System.Net.CredentialCache.DefaultCredentials; To pass Basic authentication credentials, you can substitute the preceding code with the following code: rs.Credentials = new System.Net.NetworkCredentials("user name", "password", "domain"); The credentials must be set prior to the use of any methods in SSRS web service. Calls to a web service method prior to setting credentials receive an error: HTTP 401 Error: Access Denied . To increase security of web method calls, an administrator can configure IIS and SSRS to use SSL communications. SSRS uses SecureConnectionLevel (located in RSReportServer.config ) to determine which web service methods require SSL connection. The default is (noted in the configuration as <Add Key="SecureConnectionLevel" Value="0" /> ). SecureConnectionLevel has four levels that affect URL and SOAP interfaces that SSRS exposes:
|