Reporting Services Authentication Problem

  • Question

    I have made a clean CRM 4.0 install, one-machine setup, with SQL Server.

    CRM 4.0's internal reports work fine on the reportserver, but

    I have created an external report using Visual Studio 2005 and deployed that rdl and rds file to the reporting server.

    I am using this external report in an iframe located in a CRM entity form (like account).

    When I am using this form and report logged in to the server machine, it works like a charm,

    but if I connect to CRM from another machine in the domain, on which I am logged in as user A, who is a CRM user, and who is a member of all the groups that the CRM 4.0 install created (like SQL reporting groups), and who is also granted full control in SRS to that reports folder, it asks for login information when I open the form that includes the report in the iframe. So I fill in the logged-on user's credentials, but it says access denied.

    I figured that if I type http://computername/reportserver it asks for login (and it should not, because I am logged on to the domain and it should continue with Windows authentication), and when I give the credentials for A it says access denied.

    If I type http://ipaddress//reportserver it again asks for login, and when I give the credentials of A it logs in.

    So what is the correct way to give a CRM user access to the non-CRM reports in the reporting server?

    I am going crazy here

    pls help asap

    thx

    Wednesday, August 6, 2008 12:28 PM

Answers

  • Code Snippet

    On the client machine go into IE (I am assuming this is the browser you are using) and open the 'Internet Options'.  Then go to the security tab and select the 'Local Intranet' option.  Go into sites and add 'http://computername' to it.  You may also want to add the FQDN to the sites, i.e. 'http://computername.domain.suffix'.  Restart IE and test the report again.

    Also switch or 'Restrict cross-frame scripting' on the iframe in your CRM form.

    Well, already tested that, does not work.

    Code Snippet

    If this still does not work, look into installing the CRM 4.0 SRS Connector (on the installation CD).  The SRS connector resolves the double hop authentication issues experienced with Kerberos sticking in its ugly nose.

    Does not work either.

    I found that this is an issue with Kerberos authentication, as can be seen from the event viewer.

    After adding the IP address to trusted sites and setting its security to low (maybe setting the user logon value to send logon credentials automatically could be just enough), I was able to visit the reportserver and report manager from the IP address, like http://192.168.1.1/reportserver, so I have hardcoded the IP addresses in the iframe scripts as an ugly solution.

    Maybe if I could force SRS to use NTLM, or both CRM and SRS not to use Kerberos, and use impersonation (that should be on by default), would I solve the problem? Or is it possible to force NTLM?

    PS: btw, I know that using a domain account as service account needs trust, and setting SPNs. I did set SPNs for http and SQLSVC, but that also did not work.

    Wednesday, August 13, 2008 2:57 PM
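
Added example, not part of the original thread: when a site is reached by host name the browser's Negotiate handshake normally attempts Kerberos, while a URL with a bare IP address has no SPN to request a ticket for and falls back to NTLM, which fits the host-name-fails, IP-works symptom described above. This Python sketch classifies the token in an `Authorization` header taken from a proxy or network trace so you can confirm which mechanism was actually used; the function name and the sample headers are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"                            # start of every NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "negotiate", 2: "challenge", 3: "authenticate"}


def classify_auth_header(value):
    """Label the mechanism carried in an Authorization/WWW-Authenticate value."""
    parts = value.strip().split(None, 1)
    if not parts or parts[0].lower() not in ("negotiate", "ntlm"):
        return "not-windows-auth"
    if len(parts) == 1:
        return "offer-only"   # scheme offered by the server, no token yet
    try:
        token = base64.b64decode(parts[1].strip(), validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return "malformed"
    pos = token.find(NTLM_SIG)
    if pos != -1 and len(token) >= pos + 12:
        (msg_type,) = struct.unpack_from("<I", token, pos + 8)
        prefix = "spnego-wrapped-" if pos > 0 else ""
        return prefix + "ntlm-" + NTLM_TYPES.get(msg_type, "unknown")
    if token[:1] == b"\x60" and KRB5_OID in token:
        return "kerberos"
    return "unknown-token"


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample headers (not captured from the poster's system).
SAMPLES = {
    # Raw NTLM type 1 message sent under the Negotiate scheme (NTLM fallback).
    "by-ip": "Negotiate " + _b64(NTLM_SIG + struct.pack("<II", 1, 0xE2088297)),
    # Truncated SPNEGO token prefix that carries the Kerberos 5 mechanism OID.
    "by-name": "Negotiate " + _b64(
        b"\x60\x82\x05\x00" + SPNEGO_OID + b"\xa0\x82\x04\xf0" + KRB5_OID),
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", classify_auth_header(header))
```

A `kerberos` result followed by a 401 points at SPN or delegation configuration, while an `ntlm-*` result means Kerberos was never attempted for that URL.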

All replies

  • For more, see the MS CRM Support section

     

    http://support.microsoft.com/ph/12976

     

    Regards,
    Imran

    http://www.crmxperts.com


     

     

    Wednesday, August 6, 2008 12:36 PM
    Moderator
  • Thanks for the quick reply, but I checked them all; none covers my situation

     

    Wednesday, August 6, 2008 2:07 PM
  • Try turning on custom errors (if you get an error message). I've had a similar problem before which has been caused by SQL permissions, but I couldn't get to the root of the issue without turning on the remote errors.

     

     

    Thursday, August 7, 2008 12:13 PM
  • Turning on custom errors?

    Can you give more details?

    Thursday, August 7, 2008 2:53 PM
  • Hi,

    1. Is your PC in the same domain as the CRM and Reporting Services server?
    2. Are Reporting Services and CRM on the same machine? (I think not.)

    Can you try these steps:

    1. Please look in Active Directory: are your CRM server and Reporting server trusted? If not, check it.
    2. Please look in Active Directory for your user: is it in a Reporting group? If not, add it.
    3. Is the Reporting Services URL added to the Internet Explorer trusted zone? If not, add it.

    Please apply these steps.


    And if your DNS didn't find your server IP address, you have a problem with your IP ranges (like DNS IP)


    Baris KANLICA
    Software Specialist and Consultant
    www.cub-e.net

    Friday, August 8, 2008 11:23 AM
  • Hi Baris,

     

    1 ) yes

    2 ) strange but yes

     

     

    1 ) should check and report back

    2 ) yes, it is a member of the reporting group that the CRM install created, and also given permissions from report manager for the directory

    3 ) really needed? will try

     

     

    thx
    Saturday, August 9, 2008 12:46 PM
  • Hi,

     

    When you say 'deploy', did you add the report to CRM through the 'Add Report' feature in CRM?  If not, you might want to try that.  You can set the report to 'Not Visible' in the CRM reports section so users do not access it.

     

    Regarding Dev Errors:

     

    Download the CRM diag tool and follow the instructions to turn Dev Errors on.

     

    http://blogs.msdn.com/benlec/archive/2008/03/04/crmdiagtool4-for-microsoft-crm-4-0-has-been-released.aspx

     

    You can also turn Dev Errors on through the config file but the diag tool is the easiest with fewer steps.

     

    Best Regards,

     

    Saturday, August 9, 2008 2:16 PM
  • Code Snippet

    1. Please look in Active Directory: are your CRM server and Reporting server trusted? If not, check it.

    How?

    Code Snippet

    2. Please look in Active Directory for your user: is it in a Reporting group? If not, add it.

    It is in all of the groups created by the CRM install, including reporting groups.

    Code Snippet

    3. Is the Reporting Services URL added to the Internet Explorer trusted zone? If not, add it.

    Yes, no change.
    Wednesday, August 13, 2008 7:33 AM
  • Hi ysg,

     

    There are 2 important things you can look at that might help you.

     

    1st.

    On the client machine go into IE (I am assuming this is the browser you are using) and open the 'Internet Options'.  Then go to the security tab and select the 'Local Intranet' option.  Go into sites and add 'http://computername' to it.  You may also want to add the FQDN to the sites, i.e. 'http://computername.domain.suffix'.  Restart IE and test the report again.

    Also switch or 'Restrict cross-frame scripting' on the iframe in your CRM form.

    If this still does not work, look into installing the CRM 4.0 SRS Connector (on the installation CD).  The SRS connector resolves the double hop authentication issues experienced with Kerberos sticking in its ugly nose.

     

    I am confident that the first one should resolve your problem though.

    Wednesday, August 13, 2008 8:41 AM
  • What is your datasource for this report on the Report Server? 

     

    If you have not already, try the following:

    1. Go to your report on the Report Server and select the Edit icon
    2. Select Datasources from the left navigation menu
    3. Select Custom Datasource
    4. Select Connection Type = Microsoft SQL Server
    5. Enter the Connection String in the following format:
      • Data Source=(name of your SQL server);Initial Catalog=(name of your CRM database)
      • If your SQL server name is CRMSQL and your database name is MyCompanyMSCRM the connection string would look like this:
      • Data Source=CRMSQL;Initial Catalog=MyCompanyMSCRM
    6. Select Connect Using = Credentials stored securely in the report server
    7. Enter your CRM Admin login and password
    8. Select the checkbox 'Use as Windows credentials when connecting to the data source'

    Select Apply

     

    Best Regards,

     

    Wednesday, August 13, 2008 3:10 PM
  •  

    Thanks for your reply, but tried it
    Thursday, August 14, 2008 6:15 AM
  • Hi Donna,

    http://social.microsoft.com/Forums/en-HK/crmdeployment/thread/ec025168-9844-4ac4-b62e-3021d5ee54e7?prof=required

    Viewing the document: rssetuptfd_v2.docx (available for download from above website), I noticed I am using -

    Configuration 4: Separate Servers (Reporting Services, Microsoft SQL Server, and Microsoft Dynamics CRM on separate servers). For Data Source I enabled - Prompted Credentials, Use as Windows credentials when connecting to the data source.

    When users run a SQL report from SSRS report manager, they are prompted to enter username and password for every report. They are only able to view the data or info from the CRM Business Unit that they belong to in CRM, so CRM security is working OK for SQL reports (SQL reports: in-house custom-developed SQL reports, not CRM reports). Although it works as expected, I would like to implement Windows Authentication since it would allow users to run SQL reports without having to enter their domain logon credentials every time. I know Kerberos might be the fix, as your document (rssetuptfd_v2.docx) explains, but has anyone successfully implemented it with Configuration 4: Separate Servers?

    Saturday, May 28, 2011 12:54 PM