Planning for Services, Accounts, and Connections
Reporting Services is a distributed server application that consists of multiple components, some of which can be installed on different computers. As part of deployment planning, you will want to consider how users connect to the report server, how the report server connects to its internal database, and how the server connects to the external data sources that provide data to reports. You should also understand which services, accounts, and connections must be configured during or after Setup to make a report server available for operation. Finally, you should know when Administrator permissions are required for running a tool or performing a task.
When planning a Reporting Services deployment, there are three types of connections that you must configure and maintain. First, you must consider how users will connect to the report server. Second, you must consider how the report server connects to the report server database. Third, you must consider how report authors and content managers will define connections to external data sources that provide data to reports.
The following diagram illustrates the connections in a default native mode installation. This diagram provides an introduction to the types of connections that you must define or manage.
For information about SharePoint integrated mode, see Security Overview for Reporting Services in SharePoint Integrated Mode.
The following table provides detailed information about each type of connection.
User connects to the report server
Users and applications connect to a report server through HTTP requests that are directed to a URL that is reserved for and registered to a report server instance. You can configure URLs for SSL connections so that users access the report server over an encrypted channel.
The request is authenticated by the Report Server Web service. By default, users are authenticated using their Windows domain credentials and integrated security, but you can also configure a report server to use basic authentication. Or you can create and deploy a custom authentication extension or HTTP module to replace the default Windows Authentication type with forms authentication or a single sign-on technology. In SharePoint integrated mode, you can also use trusted mode. If the report server uses custom forms authentication, the user connects to the report server through a login that is valid for that authentication extension.
As a best practice, you should use Secure Sockets Layer (SSL) whenever you use Basic authentication, a custom authentication type, or trusted mode,
After the user is authenticated, the report server checks for permissions that authorize access to report server content and operations. Permissions are defined in role assignments that describe which tasks a user can perform. Each user who connects to a report server must have role assignments defined on the account that he or she uses to connect to the report server. For more information, see Granting Permissions on a Native Mode Report Server, How to: Set Permissions for Report Server Items on a SharePoint Site (Reporting Services in SharePoint Integrated Mode), and Comparing Roles and Tasks in Reporting Services to SharePoint Groups and Permissions. For more information about SSL, see Configuring a Report Server for Secure Sockets Layer (SSL) Connections.
Report Server connects to report server database
A report server databases provide internal storage to the report server. The report server connects to the report server databases to store and retrieve content, server state, and metadata. In native mode, reports that are published to the report server are stored in the report server databases. In SharePoint integrated mode, master copies of reports, data sources, and models are stored in the SharePoint content databases. Users and other applications do not connect to the report server database. Only the report server connects to the database.
To create the database and configure the connection, you can either install the report server in the default configuration or use the Database page in the Reporting Services Configuration tool. When you configure the report server database connection, the end result is a database login, permissions that are granted to the account, and the ability to connect to the report server database from the report server service.
The report server can connect to its database using any of the following account types:
Report server connects to external data sources
Reports contain or reference data source connection information and queries that are processed when the report runs. Report models also reference data sources.
To retrieve data used in a report, a report server must connect to other servers that host the external data sources. When the report or model runs, the report server opens a connection to the server or computer, provides the query, waits for the dataset that is returned, and then closes the connection before continuing to the next processing step.
Connections to external data sources are first defined in the report and then managed independently of the report after the report is published. At run time, these connections are made by the report server on behalf of the user who is running the report. The report server passes credentials to specific data sources. For any given data source connection, the report server can get credentials in one of the following ways:
Network topology, domain restrictions, and data source type determine how connections are made and the authentication providers you can use. For example, to open a data source connection using the Windows Integrated security context of the user requesting the report, the following requirements must be met:
The report server does not validate connection or credentials when they are created. To verify whether connection properties are valid, you must run the report. For more information about setting data source connection properties, see How to: Configure Data Source Properties for a Report (Report Manager). For more information about how to connect to an external data source, see Data Connections, Data Sources, and Connection Strings (SSRS) and Specifying Credential and Connection Information for Report Data Sources (SSRS).
Unattended execution account
This account is sometimes referred to as the unattended report processing account or execution account.
When you provide credentials for the unattended execution account, this account is used to run reports and to retrieve images from URLs in report definitions.
You can select this option if the data source does not use credentials (for example, if the data is in an XML document). To connect to a computer that hosts a data source, the report server uses the unattended execution account. You can use the Reporting Services Configuration tool to configure the account. For more information, see Configuring the Unattended Execution Account.
Report server connects to delivery targets
The report server uses a delivery extension to gather the credentials that are used to connect to delivery targets, such as a file share. The delivery extension uses these credentials to connect to the delivery target.
In a Reporting Services installation, there are several services that perform important functions for both interactive and background processing. The following table explains which services are used in a deployment.
Report Server service
A report server is implemented as a Windows service that provides a run time environment for the Report Server Web service, Report Manager, and background processing.
The service is registered and configured during Setup. Initially, it runs under an account that you specify during Setup, but you can change it or update the password in the Reporting Services Configuration tool. Be sure to use the Reporting Services Configuration tool so that dependent settings are updated to use the new account information.
At a minimum, the account you choose must have permission to connect to the network and Allow Log on Locally permission on the report server and report server database computers. Be sure to choose a least-privilege account. If you are deploying Reporting Services on a computer that runs Internet Information Services (IIS), you might want to choose the built-in Network Service account. For auditing purposes, use a dedicated account that is used only by the Reporting Services service.
The service account can be a Windows user account or a built-in account such as Local System. If you specify a domain user account and the report server is deployed in a network that supports Kerberos authentication, you must register the report server Service Principal Name (SPN) with the domain user account you plan to use. For more information, see How to: Register a Service Principal Name (SPN) for a Report Server.
Permissions to access Reporting Services program files are set and managed by Reporting Services when you use Setup or the Reporting Services Configuration tool to configure the account. For more information about permission requirements for the service, see Setting Up Windows Service Accounts.
For more information about how to change the account or password, see Configuring the Report Server Service Account.
SQL Server service
The report server database runs on an instance of a SQL Server 2005 or SQL Server 2008 Database Engine. The Database Engine runs as MSSQLSERVER or as a named instance. This service must be configured and running.
Permission to access the report server database is granted through the RSExecRole which is created with the report server database. This role is created on the MSDB, Master, reportserver, and reportservertempdb databases. For more information about this role, see How to: Create the RSExecRole.
SQL Server Agent service
Reporting Services uses SQL Server Agent service as a timer for triggering events for scheduled processes. This service is required for scheduled operations. It must be configured and running on the database server that hosts the report server database.
SQL Server Agent service must run under a domain account if you configured the report server to connect to SQL Server using a domain account and Windows Authentication (instead of a SQL Server login or Service Account). When the report server runs as a domain user, the report server creates SQL Server Agent jobs that are owned by that domain account. Before SQL Server Agent can route a task to the Scheduling and Delivery Processor, SQL Server Agent must have permission to access job information for jobs owned by a domain account. If SQL Server Agent happens to run as a local user account, the service will not have permission to access domain account information, and report subscription and delivery will subsequently fail.
For more information about scheduled operations and how stopping or restarting the service affects the subscription queue, see Scheduling and Delivery Processor.
SQL Server Browser service
If you are using a named, remote instance of the Database Engine to host the report server database, enable and run the SQL Server Browser service on the remote server. SQL Server Browser provides to the Reporting Services Configuration tool the port number used by the named instance. The Reporting Services Configuration tool uses the port number to connect to the Database Engine when you create or configure the report server database.
Windows Management Instrumentation
Windows Management Instrumentation (WMI) service must be enabled and running on any report server you are configuring. The Reporting Services Configuration tool uses the report server WMI provider to connect to local and remote report servers. If you are configuring a remote report server, the computer must allow remote WMI access. For more information, see How to: Configure a Report Server for Remote Administration.
Remote Procedure Call (RPC)
This service is part of the core operating system and is enabled for Automatic startup by default. Reporting Services uses it to initialize the report server. This service must be configured and running for report server operations. Additionally, DCOM must be enabled with RPC to allow remote administration by using the Reporting Services Configuration tool.
To manage services, accounts, and connections in a Reporting Services installation, the account you are logged in as must be a member of the local Administrators group on the report server computer. Administrator permissions are required for the following:
Run SQL Server Setup.
Run the Reporting Services Configuration tool. If you configure a report server for remote administration, you can run the tool as a non-administrator if you enable permissions. For instructions, see How to: Configure a Report Server for Remote Administration.
Run SQL Server Management Studio if you are not a member of the System Administrator role in Reporting Services.
On Windows Vista or Windows Server 2008, you must be an administrator to configure the report server for local administration. For more information, see How to: Configure a Report Server for Local Administration on Windows Vista and Windows Server 2008 (UAC).
On a server that has an instance of a SharePoint product or technology with which you are integrating a report server instance, you must be an administrator to install and configure the Reporting Services Add-in. Additionally, the user that installs the add-in must belong to the administrator group for the SharePoint site collection. If not, the Reporting Services feature will not be activated after installation, and a member of the administrator group for the site collection must activate the Reporting Services feature for it to work.