What I learned this week is that Reporting Services security is annoying as
hell. :-)
I'm curious if there is any logical reason that you cannot create a
subscription out of
a report that references the User!UserID? Perhaps I can see why some other
values
in User! may not be available, but the subscription is clearly associated
with the username
that created it, so I cannot even conceieve why there would be a limitation
like that.
Second, I was curious about the context under which a scheduled report is
executed.
The restriction above seems to indicate that it is run under the context of
some unknown
generic user, but my experience below seems to indicate otherwise.
The nuts and bolts of it is that I am receiving the infamous
"ServerConfigurationErrorException:
The Report Server has encountered a configuration error; more details in the
log files,
AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service
account doesn't
have rights to check domain user SIDs.". I started with the server running
as NETWORK
SERVICE, changed to LOCAL SYSTEM, and am finally using a domain account that
clearly has access to the domain controller to lookup SIDs.
My confusion here is that if *I* create a subscription (being an
administrator) the
subscription runs fine. If any other user creates the subscription, it will
fail with the error
above. I'd sure like some insight into how this authorization crap works to
help track
down the problem.
Thanks,
Joel
jdk6 at case dot eduJoel,
> I'm curious if there is any logical reason that you cannot create a
> subscription out of
> a report that references the User!UserID?
There is a good reason and it is that subscriptions are executed in an
unattended mode by the RS Windows service so any user context is irrelevant.
> Second, I was curious about the context under which a scheduled report is
> executed.
> The restriction above seems to indicate that it is run under the context
of
> some unknown
> generic user, but my experience below seems to indicate otherwise.
Under the context of the RS Windows service account.
Every user with Create Subscription rights should be able to create
subscriptions. From there, it is the RS Windows service responsibility to
handle the subscription.
--
Hope this helps.
----
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
Publisher website: http://www.manning.com/lachev
Buy it from Amazon.com: http://shrinkster.com/eq
Home page and blog: http://www.prologika.com/
----
"Joel D Kraft" <jdkraft2@.nospam.nospam> wrote in message
news:eaWoPv4mEHA.316@.TK2MSFTNGP10.phx.gbl...
> What I learned this week is that Reporting Services security is annoying
as
> hell. :-)
> I'm curious if there is any logical reason that you cannot create a
> subscription out of
> a report that references the User!UserID? Perhaps I can see why some
other
> values
> in User! may not be available, but the subscription is clearly associated
> with the username
> that created it, so I cannot even conceieve why there would be a
limitation
> like that.
> Second, I was curious about the context under which a scheduled report is
> executed.
> The restriction above seems to indicate that it is run under the context
of
> some unknown
> generic user, but my experience below seems to indicate otherwise.
> The nuts and bolts of it is that I am receiving the infamous
> "ServerConfigurationErrorException:
> The Report Server has encountered a configuration error; more details in
the
> log files,
> AuthzInitializeContextFromSid: Win32 error: 5; possible reason - service
> account doesn't
> have rights to check domain user SIDs.". I started with the server
running
> as NETWORK
> SERVICE, changed to LOCAL SYSTEM, and am finally using a domain account
that
> clearly has access to the domain controller to lookup SIDs.
> My confusion here is that if *I* create a subscription (being an
> administrator) the
> subscription runs fine. If any other user creates the subscription, it
will
> fail with the error
> above. I'd sure like some insight into how this authorization crap works
to
> help track
> down the problem.
> Thanks,
> Joel
> jdk6 at case dot edu
>
>|||> Joel,
>> I'm curious if there is any logical reason that you cannot create a
>> subscription out of
>> a report that references the User!UserID?
> There is a good reason and it is that subscriptions are executed in an
> unattended mode by the RS Windows service so any user context is
> irrelevant.
> > Second, I was curious about the context under which a scheduled report
> > is
>> executed.
>> The restriction above seems to indicate that it is run under the context
> of
>> some unknown
>> generic user, but my experience below seems to indicate otherwise.
> Under the context of the RS Windows service account.
> Every user with Create Subscription rights should be able to create
> subscriptions. From there, it is the RS Windows service responsibility to
> handle the subscription.
Well at least your answers are consistent! :-)
Which is what I expected, though I cannot say that I agree.
My problem still remains then, is why when I create a subscription as an
administrator,
my subscription is delivered properly, but a subscription created by a
normal user
gets an AuthzInitializeContextFromSid error. This seems inconsistent with
the report
being solely run from the context of the RS Service account... if it had
permission
to process my subscription correctly, it should be able to do them all!!
This is RS 2000 SP1 under Windows 2003 and a Windows 2000 domain
functional level. "Authenticated Users" has the rights to read all of the
user and
group objects...
Joel|||Check the following thread:
http://groups.google.com/groups?q=AuthzInitializeContextFromSid&hl=en&lr=&ie=UTF-8&selm=O4qGzyL%24DHA.1700%40TK2MSFTNGP12.phx.gbl&rnum=7
--
Hope this helps.
----
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
Publisher website: http://www.manning.com/lachev
Buy it from Amazon.com: http://shrinkster.com/eq
Home page and blog: http://www.prologika.com/
----
"Joel D Kraft" <jdkraft2@.nospam.nospam> wrote in message
news:%23uO7VJ5mEHA.3296@.TK2MSFTNGP10.phx.gbl...
> > Joel,
> >
> >> I'm curious if there is any logical reason that you cannot create a
> >> subscription out of
> >> a report that references the User!UserID?
> >
> > There is a good reason and it is that subscriptions are executed in an
> > unattended mode by the RS Windows service so any user context is
> > irrelevant.
> > > Second, I was curious about the context under which a scheduled report
> > > is
> >> executed.
> >> The restriction above seems to indicate that it is run under the
context
> > of
> >> some unknown
> >> generic user, but my experience below seems to indicate otherwise.
> >
> > Under the context of the RS Windows service account.
> >
> > Every user with Create Subscription rights should be able to create
> > subscriptions. From there, it is the RS Windows service responsibility
to
> > handle the subscription.
> Well at least your answers are consistent! :-)
> Which is what I expected, though I cannot say that I agree.
> My problem still remains then, is why when I create a subscription as an
> administrator,
> my subscription is delivered properly, but a subscription created by a
> normal user
> gets an AuthzInitializeContextFromSid error. This seems inconsistent with
> the report
> being solely run from the context of the RS Service account... if it had
> permission
> to process my subscription correctly, it should be able to do them all!!
> This is RS 2000 SP1 under Windows 2003 and a Windows 2000 domain
> functional level. "Authenticated Users" has the rights to read all of the
> user and
> group objects...
> Joel
>
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment