Custom Web App and Reporting Services Integration: Part 1, Authentication

The following will be a series on integrating your custom web applications with SQL Server Reporting Services. It is intended to provide useful information for other developers posed with the same problem of integrating these two seamlessly.

A new project came up at work, where we had to develop our own custom web application where users will be prompted to easily select reports, their parameters, and view them seamlessly all from one interface. This means, that we couldn't just direct the users to the interface provided by Microsoft and assume they'd know what to do. Also, due to requirements by the client, the reports should be available to only certain users with authentication resorting back to Windows / Active Directory.

In part 1, I will discuss the method we took to integrate these two applications seamlessly by only being prompted once for windows credentials, or no prompt at all (using your signed on domain credentials). In our situation, the client is still running Novell, so Active Directory integration was out of question, so windows authentication will need to be handled by the reporting / web server.

An important item to note is when integrating the two items on different servers and not using active directory, seamless integration is not possible unless you manage to keep the users / groups in sync with each server (a challenge upon its own). Therefore, due to this requirement, the rest of the article will be based on single server or Active Directory authentication.

Authentication Methodology:
When developing your application, it is best to use windows groups to control authorization to the various reports and different sections of your web application. In our instance, we needed two different groups - Users and Admins. Users in the Admins group would have access in our application the ability to enter new information, while users in both groups had the ability to view all the reports.

Our first step was to create our groups and add the various users to the appropriate groups through the standard windows management console. Once our groups were setup, configuration of Reporting Services to allow the two groups access to view reports only was our next step (Note, this entry will not describe the methods for doing this as there are lots of resources to help you). Now that we're all ready to go, and the authorization to the reports have been tested properly using the Microsoft user interface in Reporting Services, its now onto configuring our custom web application to use windows authentication (again, we will not go into too much detail, but examples will be shown).

Okay, so open your Web.Config file for your custom web application, and add the following entries under your system.web node:

<authentication mode="Windows" />
    <allow roles="<SERVER_NAME or DOMAIN>\Users" />
    <allow roles="<SERVER_NAME or DOMAIN>\Admins" />
    <deny users="*" />
<identity impersonate="true" />

For any subdirectories that you wish to have different authorization on, follow the same template listed above, but leaving out the "authentication" and "identity" elements. In our instance, we needed a subdirectory called "Administration" that only users in the Admins group can gain access. So, after creating the sub directory, we created another Web.Config file in that subdirectory and added the following to the system.web node (Note that there are other methods of doing this type of configuration using a single Web.Config however for ease of example two Web.Configs are used):

    <allow roles="<SERVER_NAME or DOMAIN>\Admins" />
    <deny users="*" />

To briefly explain what we've done for authentication is told our web application to use the Windows mode of authentication. We then authorized only users in the Users and Admins roles access, and denied everyone else. Lastly, the application will impersonate the user that is currently logged in. This is a key concept since we'll be using credentials in part 2 and sending them with the Reporting Services API.

So, now our custom web application is setup - however there are still some settings within IIS that we need to set. The following settings were those that I found to work with our single server setup with no Active Directory verification, so you may need to fiddle with these if using Active Directory. To set the IIS permissions properly, open up IIS, find your Web Application, and view the properties. Click on the "Directory Security" tab, and hit the "Edit..." button for Authentication control. Once the new dialog has opened, uncheck "Anonymous access", ensure "Basic authentication" is checked, and "Integrated Windows authentication" is checked.

Launch your favorite flavor of an internet browser, go to your custom web application and see the magic work. You should immediately be prompted (unless using Active Directory & Digest mode, in which case if your currently logged onto the domain will pass directly through) for your username and password. After typing your credentials, you should be able to log in successfully to your web application. So, go ahead, take a deep breath and pat yourself on your back.

Part 2 will discuss using the Reporting Services API and your custom web application to provide that seamless look to your application.

1 Comment

Comments have been disabled for this content.