Reporting Services Scale-Out Setup with Kerberos Delegation

A common configuration for SQL Reporting Services is to use a scale-out setup. The reason for this is the performance of the rendering (or pagination) of the reports is relatively processor intensive (at the time of this article SQL Server 2005) Along with this setup comes an intrinsic problem. By default, SQL Reporting Services uses integrated authentication with impersonation. In other words, SQL Reporting services uses an authentication scheme that integrates with Active Directory in order to provide access and administrative priveliges. When Reporting Services is installed on the same machine as the database engine, this does not pose any issues. However with a scale-out setup, it does. This obstacle is known as the “double-hop” issue. Why? Because user credentials cannot be passed from one machine to another without a setting up Kerberos Delegation. In this article we will go over how to accomplish this setup and the typical obstacles you may need to overcome. There are a few prerequisites to setting up Kerberos delegation. All computers accessing the application must be in the same domain. The time of all computers must be synchronized using the time service. Kerberos ports must be open if going through a firewall. Client browsers must be setup to allow integrated authentication. Clients must be domain users. All clients must be running Windows 2000 or greater. All client’s browsers must be IE 5+ Functional level of the domain is set to Windows 2003 (highly preferable but not required) Physical Layout Depending on your infrastructure design, […]

Continue reading ...