How to: Configure Service Accounts (Reporting Services Configuration)

New: 12 December 2006

To specify the service accounts in a Reporting Services installation, use the Reporting Services Configuration tool so that other settings that depend on the service identity can be updated concurrently.

By default, the Report Server Web service runs under Network Service in Internet Information Services (IIS) 6.0 and under the ASP.NET account in IIS 5.0. You can modify the Web service to run under a different account. If you use a domain account, additional steps might be required before the service is fully operational.

The Report Server Windows service runs under an account that you specify during Setup, but you can change it to run under a different account, or update a password if the previous one expires.

Important

When you modify the Report Server Windows service identity settings, each step in the service account update is recorded in the tasks panel at the bottom of the page. The Report Server Windows service will be stopped and restarted during the account update. Errors that might occur include login failures (for example, if you mistype an account or password). In the unlikely event that the symmetric key is not restored, you can perform this step yourself by clicking Restore in the Encryption Keys page. To verify that the account has been reset properly, open a report that uses stored credentials. If you cannot restore a backup copy of the key, you must delete the encrypted content. For more information, see Deleting and Re-creating Encryption Keys and Backing Up and Restoring Encryption Keys.

Some of the steps for configuring the Web service accounts are from other articles published on the MSDN Web site. For more information about how to configure Web service accounts, see How to create a service account for an ASP on MSDN.

You must be a domain administrator to create domain accounts.

To configure the Report Server Windows service

  1. Start the Reporting Services Configuration tool and connect to the report server.

  2. On the Windows Service Identity page, specify the new account and password. Click Apply.

  3. When prompted to back up the symmetric key, type a password and file name for the symmetric key backup, and click OK.

To configure the Report Server Web service to use a domain account in IIS 6.0

  1. Create a new domain user account by using the Active Directory Users and Computers tool in Control Panel. Give the account a descriptive name. Clear the User must change password at next logon option and select Password never expires. Assign a strong password for the account. Strong passwords should include at least seven characters and have a mixture of uppercase and lowercase letters, numbers, and other characters such as *, ?, or $.

  2. Assign ASP.NET permissions to the new account by running the following command from a command window:

    aspnet_regiis -ga DomainName\AccountName

  3. Start IIS Manager.

  4. In Application Pools, right-click Report Server and click Properties.

  5. Click Identity.

  6. Enter the domain user account. The account cannot be more than 20 characters.

  7. Start the Reporting Services Configuration tool and connect to the report server.

  8. Open the Web Service Identity page to select the application pool you just configured.

  9. Click Apply.

If the network is configured for Kerberos authentication, the domain administrator might need to create a Service Principal Name (SPN) that registers the domain account for the Web site. Otherwise, you might encounter HTTP 401 access denied errors. Be sure that the domain account that you register is the same one used for the application pool. For more information, see Configuring Constrained Delegation for Kerberos (IIS 6.0) on the Microsoft TechNet Web site.

To configure the Report Server Web service to use a domain account in IIS 5.0

  1. Create a new domain user account by using the Active Directory Users and Computers tool in Control Panel. Give the account a descriptive name. Clear the User must change password at next logon option and select Password never expires. Assign a strong password for the account. Strong passwords should include at least seven characters and have a mixture of uppercase and lowercase letters, numbers, and other characters such as *, ?, or $.

  2. Store an encrypted copy of the user account and password in the registry. In a subsequent step, you will reference this registry entry in the Machine.config file.

    1. Download the aspnet_setreg.exe utility from How to use the ASP.NET utility to encrypt credentials and session state connection strings on www.support.microsoft.com.

    2. Run the following command from the command line, replacing the domain, user name, and password with values that are valid for the account you created in step 1.

      aspnet_setreg -k:Software\MyASPNetApp\Identity -u:"domainname\username" -p:"password"
      
  3. Open Machine.config using Microsoft Visual Studio or Notepad. Machine.config is located in the following folder: C:\WINNT\Microsoft.NET\Framework\v1.1.4322\CONFIG. Modify the configuration file to reference the registry key you just created by typing the following:

    1. Find the <identity impersonate="false" userName="" password=""/> element.

    2. Replace it with the following entries:

      <identity impersonate="true" 
      userName="registry:HKLM\Software\MyASPNetApp\Identity\ASPNET_SETREG,userName" 
      password="registry:HKLM\Software\MyASPNetApp\Identity\ASPNET_SETREG,password"/>
      
  4. Run the Registry Editor to grant Read permissions to the account:

    1. Browse to My Computer/HKEY_LOCAL_MACHINE/SOFTWARE/MyASPNetApp/Identity/ASPNET_SETREG
    2. Right-click ASPNET_SETREG and click Permissions.
    3. Click Add.
    4. Enter the user account you created in step 1 and click OK.
    5. Select the account, click Full Control and click OK.

  5. Assign file permissions to the ASP.NET temporary files folder:

    1. Browse to 'C:\WINNT\Microsoft.NET\Framework\V1.0.4322\Temporary ASP.NET Files'.
    2. Right-click Temporary ASP.NET Files, click Properties.
    3. Click Security, click Add, enter the account, and then select the account so that you can specify permissions on it.
    4. Click Write, and click OK.

  6. Add the account to the report server Windows security groups:

    1. Point to Start, point to Administrative Tools, and click Computer Management.
    2. Open Local Users and Groups and select Groups.
    3. Right-click SQLServer2005ReportingServicesWebServiceUser$<computer_name>$<instance_name>.
    4. Click Add to group.
    5. Click Add.
    6. Enter the account and click OK.

    Note

    Many of the steps in this procedure are from "Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication" on MSDN. For more information about the steps, search for that document on MSDN. For more information about how to use the aspnet_setreg.exe utility, see How to use the ASP on www.support.microsoft.com.
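
The following check for steps 2 and 3 of the IIS 5.0 procedure is an added example, not code from Microsoft or from the original page. It parses the text of a Machine.config file and reports when the identity element carries literal credentials, or references that do not follow the registry:HKLM\...\ASPNET_SETREG form shown above. The function name audit_identity, the account CONTOSO\rsweb, and the sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Form that step 3 writes: registry:HKLM\<key>\ASPNET_SETREG,<value name>
REG_REF = re.compile(r"^registry:(HKLM\\.+\\ASPNET_SETREG),(userName|password)$", re.I)

def audit_identity(config_xml):
    """Return a list of findings for the <identity> element; empty means OK."""
    root = ET.fromstring(config_xml)
    identity = root.find(".//identity")
    if identity is None:
        return ["no <identity> element found"]

    findings = []
    if identity.get("impersonate", "false").lower() != "true":
        findings.append("impersonate is not \"true\"")

    keys = {}
    for attr in ("userName", "password"):
        value = identity.get(attr, "")
        match = REG_REF.match(value)
        if not value:
            findings.append(f"{attr} is empty")
        elif match is None:
            findings.append(f"{attr} holds a literal value instead of a registry: reference")
        elif match.group(2).lower() != attr.lower():
            findings.append(f"{attr} points at the {match.group(2)} value")
        else:
            keys[attr] = match.group(1).lower()

    # Both attributes should resolve to the key that aspnet_setreg created.
    if len(keys) == 2 and keys["userName"] != keys["password"]:
        findings.append("userName and password reference different registry keys")
    return findings

# Constructed sample inputs (not taken from a real server).
GOOD = r'''<configuration><system.web>
<identity impersonate="true"
 userName="registry:HKLM\Software\MyASPNetApp\Identity\ASPNET_SETREG,userName"
 password="registry:HKLM\Software\MyASPNetApp\Identity\ASPNET_SETREG,password"/>
</system.web></configuration>'''

BAD = r'''<configuration><system.web>
<identity impersonate="true" userName="CONTOSO\rsweb" password="example-password"/>
</system.web></configuration>'''

if __name__ == "__main__":
    for name, xml in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_identity(xml) or "OK")
```
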

See Also

Tasks

How to: Start Reporting Services Configuration

Concepts

Configuring Service Accounts and Passwords in Reporting Services
Administering the Report Server Web Service and Windows Service

Other Resources

Windows Service Identity (Reporting Services Configuration)
Web Service Identity - Windows Server 2003 (Reporting Services Configuration)
Web Service Identity (Reporting Services Configuration)
