Configuring Web Host Security for a Report Server
This topic describes the security settings in Internet Information Server (IIS) that you can use to achieve different deployment objectives with your report server. Web host security is defined during setup for both the report server and Report Manager virtual directories. After setup is complete, you can use IIS to view properties that define directory security.
IIS authenticates a user connection to a report server and Report Manager. Although IIS supports a number of authentication options, a default installation of Reporting Services requires that you use Windows authentication or Basic authentication to access Reporting Services components. The following list describes the authentication approaches that you can use:
- Anonymous access is required if you are using forms-based authentication (supported by a custom security extension that you provide). If you are not using a custom security extension, you should avoid using Anonymous access with a report server. You will not be able to vary role assignments in a meaningful way. For more information, see Securing Reports for Global Access and Implementing a Security Extension.
- Basic authentication is recommended only for deployments that include Secure Sockets Layer (SSL). Microsoft recommends that you use a separate report server if your security model includes Basic authentication. A report server will always choose Windows authentication (NTLM) over Basic authentication, even if the hosting Web server is configured to use both.
- Integrated Windows authentication is the default authentication type for the report server and Report Manager virtual directories. Setup always configures directory security to use this method.
- Digest authentication is not a supported authentication option.
You can specify levels of program execution for specific virtual directories. Reporting Services requires that Report Manager support Scripts and Executables. Report server does not require scripts or execution process support.