Implementing a Security Extension
A security extension enables the authentication and authorization of users or groups in Reporting Services. Reporting Services enables different users to log into a report server and, based on their identities, perform different tasks or operations. By default, Reporting Services uses a Windows-based extension to authenticate the identities of users who claim to have Windows accounts on the system. For authorization, Reporting Services uses a role-based security system similar to the role-based security models of other technologies. For more information about role-based security in Reporting Services, see Understanding Role-Based Security.
Although Reporting Services supports authentication and authorization of Windows NT users or groups, you may need to extend the Reporting Services security system to accommodate custom security in your enterprise. Custom authentication and authorization may be appropriate for extending Reporting Services in the following cases:
- You have an internet or extranet application where users do not have Windows accounts.
- You need for users to have a single sign-on experience, which authenticates and authorizes users to multiple applications in a custom business solution that includes Reporting Services.
- You have a custom user store for user names and passwords or you are using Lightweight Directory Access Protocol (LDAP) to authenticate users and to set security policies.
Security extensions are .NET-managed assemblies that support the interfaces described in the Microsoft.ReportingServices.Interfaces Namespace documentation.
Note The report server does not support authentication and authorization of users through multiple security extensions..
Security Note To secure communication between clients and the report server, user credentials must be sent over a network using a combination of Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec). This includes the connectivity between an application and the Reporting Services Web service and the communication between a custom security extension and custom security authority.
WARNING – Security Risk
Designing authentication and authorization mechanisms requires a high degree of computer programming expertise, and failure to take appropriate security measures can result in a serious security risk. For example, improperly encrypting, storing, or retrieving user credentials can open up your report server to unauthorized users, as can improperly authorizing Reporting Services operations. Accordingly, extending the authentication and authorization functionality of Reporting Services is not recommended without the assistance of Microsoft support professionals.
If you have any questions or concerns regarding Reporting Services security extensions, please contact Microsoft Consulting Services (MCS), Premier Support Services (PSS), or another Microsoft support services representative.
Although the programmatic interfaces for developing a custom security extension are documented in Books Online, detailed development and deployment information for security extensions is not available at this time. Further documentation for this feature will be available outside of Books Online. For the latest technical resources, visit the Reporting Services Web site.