This documentation is archived and is not being maintained.

Best Practices for Configuring Forms Authentication in Reporting Services

New: 17 November 2008

Deploying a secure, distributed enterprise reporting solution is a challenging process. From report access, to the data sources that supply important, sometimes sensitive data, you have some decisions to make regarding how to securely authenticate and authorize users in your reporting environment.

The type of security you need depends on your reporting environment and the types of security systems already in place. Microsoft Windows Authentication is the primary system for securing reports in Microsoft SQL Server Reporting Services. Windows Authentication offers tight integration with other Microsoft server products; because Reporting Services was designed and tested on Windows Authentication, it is most secure in this environment.

In certain cases, however, you may have to extend the Reporting Services security system to accommodate custom security in your enterprise. You can do this through the rich development platform of the Reporting Services API. This document will present an overview of Forms authentication security extensions in Reporting Services.

You might consider implementing a custom authentication extension if deployment requirements do not include Windows integrated security or Basic authentication. The most common scenario for using custom authentication is to support Internet or extranet access to a Web application. Replacing the default Windows authentication extension with a custom authentication extension gives you more control over how external users are granted access to the report server.

This article talks about the various scenarios for configuring Forms authentication in Reporting Services. For more information about using Forms authentication in Reporting Services, see aspx.

If you want to use Forms authentication or a custom authentication extension in a Reporting Services environment that is integrated with Windows SharePoint Services (WSS) 3.0 or Microsoft Office SharePoint Server (MOSS) 2007, you must configure the SharePoint site to use Forms authentication.

Both Reporting Services and SharePoint products and technologies support Forms authentication. The implementation is different for each product group and they are not compatible. Reporting Services custom authentication extensions are not supported for report servers that run in SharePoint integration mode.

When you have finished configuring Forms authentication for the SharePoint site, the anonymous access must be enabled on the Report Server virtual directory in the IIS.

For information about Forms Authentication in SharePoint products and technologies, see the following technical articles:

Make sure Forms authentication is configured in the Web application and in Reporting Services, because they work independently of each other.

To configure Forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file to the same values for all applications that are participating in shared Forms authentication. Back up the Web.config files of both the Web application and Reporting Services while you set attributes of the forms and machineKey sections of the Web.config files. For more information about how to configure Forms authentication across applications, see Forms Authentication Across Applications in the Microsoft Visual Studio documentation on MSDN.

For more information about how to configure Forms authentication in an ASP.NET application, see

The following issues have been resolved in SQL Server 2005 services packs. To get these fixes, install the newest SQL Server 2005 Service Pack from the down l oad center. These improvements have been documented in the following knowledge base articles: