• [September 19, 2007]
  • The Differences Between Authentication Modes
  • By:  Stacia Misner
  • Cover Story
  • InstantDoc #96842
  • Web Exclusive from SQL Server Magazine
Main Article    Information Integration: SSRS and MOSS 2007

To select the appropriate authentication mode for your MOSS Web application configuration, here’s a quick guide to the differences between the available modes.

Trusted Account, Forms Authentication, or Windows Authentication with Trusted Accounts. If you configure the MOSS Web application to use Forms Authentication or Windows Authentication without enabling Kerberos, you must create a domain user account that is authorized to connect to your data source and use stored credentials because the MOSS Web application can’t forward the user’s credentials in this scenario. MOSS still authenticates the user and manages what the user can see and do, but external queries will run in the context of the trusted account.

Windows Authentication. Windows authentication mode works only when you enable Kerberos. When the user connects to the MOSS site, the Web application authenticates the user. When the user requests a report item, the application sends the user’s credentials to the report server to confirm that the user has access to that server. If so, the report server uses the credentials to authorize access to the requested item or operation and allows or denies the request as applicable. If a requested report uses a data source to retrieve data from yet another server, the credentials can be passed to this third server if the data source is configured to use Windows Integrated Security.

End of Article


You must log on before posting a comment.

If you don't have a username & password, please register now.

Reader Comments

Useless: the dialog box in Central Administration has two options: Windows Authentication and Trusted Account. Why not have one paragraph describing Windows Authentication and when you use it, and a second paragraph describing Trusted Account and when you use it? Simple. Instead your first paragraph rambles on about Trusted Account, Forms Authentication, or Windows Authentication with Trusted Accounts. I am then left none the wiser.

ckangai- March 29, 2008

Article Rating 2 out of 5

ckangai, thanks for your feedback. We've forwarded your comment to the author, Stacia Misner. She's currently unavailable this week but said she'll respond to your questions next week. Thanks for reading! Anne Grubb, Web site editor, SQL Server Magazine

AnneG_editor- April 02, 2008

Article Rating 4 out of 5

Apologies for the late reply - I was traveling a great deal these last many weeks and unable to look at this sooner.

You are right that the Reporting Services integration settings in Central Admin's Application Management only allow you to specify Trusted Account or Windows Authentication, but there is another setting that has an impact: Application Management > Authentication Providers - hence the phrasing "MOSS Web application - not RS integration settins. Each Web application can be configured to use Windows, Forms, or Web single-sign on authentication.

So if you DO NOT want to use Kerberos - you can do the following: - Trusted Account: Set Auth provider as Windows, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials. - Forms Authentication: Set Auth provider as Forms, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials - Windows Authentication with Trusted Accounts: Set Auth provider as Windows, set RS integration as Trusted Account, and then you MUST use a data source configured to use stored credentials AND selectthe stored credentials' checkbox "use as Windows credentials"

If you DO want to use Kerberos (or if RS and data source are on the same server), you do the following: - Set Auth provider as Windows, set RS integration settings as Windows Authentication AND set SharePoint to use delegation (see http://technet.microsoft.com/en-us/library/cc263284.aspx).

The above is sufficient if you're using a data source on same box with user credentials because the server isn't forwarding the credentials. If you're passing the credentials to another server, then you must configure Kerberos in your domain for the SharePoint server (a good resource for this is http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-conf iguration-for-sharepoint.aspx).

smisner- May 15, 2008

Article Rating 5 out of 5

 
 

ADS BY GOOGLE