Securing Reports for Global Access
The default security model in Reporting Services is based on Windows authentication. Windows authentication works best if you are deploying Reporting Services in an intranet scenario. However, if your deployment model requires Internet or extranet access, you may need to supplement or replace Windows authentication with a custom authentication scheme that gives you more control over how external users are granted access to the report server.
In this release of Reporting Services, you can supplement or replace the default Windows security extension with a custom security extension that you create and deploy. The following requirements and recommendations apply to custom security:
- Custom security extensions are supported in the Enterprise Edition of Reporting Services. The Standard Edition does not support custom security.
- Custom security should include a Web form that collects the user name and password, which are then processed and stored. You should use Secure Sockets Layer (SSL) to ensure that this information is transmitted securely.
- Custom security requires that you configure the Web server to use Anonymous Access.
Alternatives to Custom Security Extensions
If you want to support external users but do not want to code a custom security extension, you can use Windows authentication or Microsoft Active Directory. The following guidelines describe how to support this scenario:
- Create a low-privileged domain user account with read-only permissions. The account must have access to the computer hosting the report server.
- Create role assignments that map the user account to specific items in the report server folder hierarchy. You can limit access to read-only operations by choosing the Browser predefined role for the role assignment.
- Configure data source connections to use Windows NT Integrated Security if you want to access a data source using the security context of the user. Alternatively, you can use stored credentials that specify a different account. This approach is useful if you want to query the external data source using an account that is different from the account that allows access to the report server. For more information about these options, see Specifying Credential and Connection Information.
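The role assignment step above can also be scripted through the report server's SOAP interface. The following is an added example, not code from the original documentation. It assumes a proxy class named ReportingService generated from the server's ReportService.asmx WSDL, and the server URL, folder path and account name are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

class GrantBrowserOnly
{
    // Hypothetical values: replace with your own server, folder and account.
    const string ServerUrl = "https://reports.example.com/ReportServer/ReportService.asmx";
    const string ItemPath = "/External Reports";
    const string Account = @"EXAMPLE\ExtReportReader";

    static bool IsExternal(Policy p)
    {
        return string.Equals(p.GroupUserName, Account, StringComparison.OrdinalIgnoreCase);
    }

    static void Main()
    {
        // ReportingService is the assumed WSDL-generated proxy class.
        ReportingService rs = new ReportingService();
        rs.Url = ServerUrl;
        // The caller must be allowed to set security on the item.
        rs.Credentials = CredentialCache.DefaultCredentials;

        bool inheritsParent;
        Policy[] current = rs.GetPolicies(ItemPath, out inheritsParent);

        // Keep every other principal's policy, but drop any existing entry for
        // the external account so it cannot retain a broader role.
        List<Policy> updated = new List<Policy>();
        foreach (Policy p in current)
            if (!IsExternal(p)) updated.Add(p);

        Role browser = new Role();
        browser.Name = "Browser";               // read-only predefined role
        Policy external = new Policy();
        external.GroupUserName = Account;
        external.Roles = new Role[] { browser };
        updated.Add(external);

        // SetPolicies replaces the item's whole policy list; the item stops
        // inheriting role assignments from its parent folder.
        rs.SetPolicies(ItemPath, updated.ToArray());

        // Read the policies back and list what the external account now holds.
        foreach (Policy p in rs.GetPolicies(ItemPath, out inheritsParent))
            if (IsExternal(p))
                foreach (Role r in p.Roles)
                    Console.WriteLine("{0} -> {1}", p.GroupUserName, r.Name);
    }
}
```

Because SetPolicies breaks inheritance on the item, the existing policies are copied forward so that administrators do not lose access to the folder.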
See Also
Configuring Web Host Security for a Report Server
Implementing a Security Extension
