I recently installed SSRS (2008 R2) on my Win7 workstation and then spent a good amount of time finding out why I was always being asked for my Username and Password by Internet Explorer – even when I started IE under ‘Run as administrator’. I googled and googled (binged and binged? er, nah!) and all of the suggestions/solutions I came across didn’t work for me. It was incredibly annoying. I started to think setting up SSRS was just gimp.
However, after persisting for several hours, I finally discovered it actually had nothing to do with my SSRS configuration and everything to do with my IE configuration.
In particular, I needed to configure the “Security” for my “Local intranet”:
According to Microsoft, to determine whether a web page originates from the “Local intranet”:
When Internet Explorer opens an HTML page, a dynamic-link library named Urlmon.dll determines the zone from which the page was loaded. To do this, Urlmon.dll performs the following two steps:
- Determines whether a proxy server retrieved the HTML page. If it did, Urlmon.dll automatically recognizes that the page originated on the Internet. If it did not, Urlmon.dll determines whether the page originated on your company’s intranet, based on the proxy server configuration.
- Checks the registry to see whether the page is from a trusted or a restricted location, and whether the security zone is set appropriately.
So, although the above “Internet Options” dialog box suggests there are four “zones”, the above two-step logic shows that there are really only two (Internet and Intranet) and that each of these is qualified further by any specifically named sites in “Trusted sites” or “Restricted sites”.
Returning to the question of your proxy server configuration, you can see this in Internet Options > Connections > LAN Settings. If, like me, you are installing SSRS on your home machine then the chances are you don’t use (or need, for that matter) a proxy server. So how does IE know if an HTML page comes from the Internet or the Intranet? Well, you get to select its behaviour from a list of defaults. If you click on the “Sites” button (see the above-pictured “Internet Options” dialog box) you’ll see a new dialog box opens:
Again, according to Microsoft:
- Include all local (intranet) sites not listed in other zones. Intranet sites, such as http://local, have names that do not include dots. In contrast, a site name that does contain dots, such as http://www.microsoft.com, is not local. This site would be assigned to the Internet zone. The intranet site name rule applies to File URLs as well as HTTP URLs.
- Include all sites that bypass the proxy server. Typical intranet configurations use a proxy server to gain access to the Internet but have a direct connection to intranet servers. The setting uses this kind of configuration information to distinguish intranet from Internet content. If your proxy server is configured otherwise, you should clear this check box and then use other means to designate the Local intranet zone membership. For systems without a proxy server, this setting has no effect.
- Include all network paths (UNCs). Network paths (for example, \\servername\sharename\file.txt) are typically used for local network content that should be included in the Local intranet zone. If some of your network paths should not be in the Local intranet zone, clear this check box and then use other means to designate the Local intranet zone membership. In certain Common Internet File System (CIFS) configurations, for example, it is possible for a network path to reference Internet content.
So, http://localhost will be an intranet site provided the first box (“Include all local (intranet) sites not listed in other zones”) is checked. If you’re not completely convinced then you also get the opportunity to specifically name sites by clicking on the “Advanced” button (Internet Options > Security > Local Intranet > Sites > Advanced):
After clicking on “Add”:
Note that the “Require server verification (https:) for all sites in this zone” box is unchecked.
Having now configured how to distinguish between Internet and Intranet sites (and having specified http://localhost as an Intranet site) we now need to deal with the annoying User Authentication prompt by setting the “Security level for this zone”.
Without changing your current settings, click on the “Custom level…” button and scroll to the bottom of the opened list. There you will see the all important setting for User Authentication.
To prevent the annoying User Authentication prompt from appearing when you attempt to navigate to http://localhost/reports you should have this setting on either:
- Automatic logon only in Intranet zone; or
- Automatic logon with current username and password.
The difference between these two, according to Microsoft, is only evident if the server does not support NTLM Authentication:
The User Authentication option controls how HTTP user authentication is handled.
Logon. This option has the following settings:
- Anonymous logon. Disables HTTP authentication and uses the guest account only for authentication using the Common Internet File System (CIFS) protocol.
- Automatic logon only in Intranet zone. Prompts users for user IDs and passwords in other zones. After users are prompted, these values can be used silently for the remainder of the session.
- Automatic logon with current username and password. Attempts logon using Windows NT Challenge Response (also known as NTLM authentication), an authentication protocol between the client computer and the application server. If Windows NT Challenge Response is supported by the server, the logon uses the network user name and password for logon. If the server does not support Windows NT Challenge Response, users are prompted to provide their user names and passwords.
- Prompt for user name and password. Prompts users for user IDs and passwords. After users are prompted, these values can be used silently for the remainder of the session.
Unless you have edited your rsreportserver.config file and removed NTLM authentication from the list of <AuthenticationTypes>, your rsreportserver.config file will contain it and look something like:
In which case you will be indifferent between selecting
- Automatic logon only in Intranet zone; or
- Automatic logon with current username and password
for User Authentication to http://localhost/reports.
As a separate exercise, if you play around with the non-Custom levels using the slider under “Security level for this zone” and then check the “Custom level…” settings, you will notice that “Automatic logon with current username and password” is only used in the “Low” non-Custom level and “Prompt for user name and password” is only used in the “High” non-Custom level. All of the rest use “Automatic logon only in Intranet zone” and none uses “Anonymous logon” (i.e. you specifically have to set this using “Custom level…”).
If you’ve followed the above, you should now be able to access http://localhost/reports without the annoying User Authentication prompt.
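The settings walked through above can also be checked without opening the dialog boxes. The following read-only PowerShell script is an added example, not part of the original post: it reports the three “Sites” check boxes, the User Authentication logon mode for each zone, and any explicit zone entry for localhost. The registry locations and value meanings are not given on this page; they are the per-user Internet Explorer zone entries as Microsoft documents them, and the function names are made up for this example.

```powershell
# Added example: read-only check of the per-user (HKCU) IE zone settings.
# Group Policy can override these values; policy keys are not read here.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Values of the 1A00 DWORD (User Authentication > Logon).
$logonModes = @{
    0x00000000 = 'Automatic logon with current username and password'
    0x00010000 = 'Prompt for user name and password'
    0x00020000 = 'Automatic logon only in Intranet zone'
    0x00030000 = 'Anonymous logon'
}
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Get-ZoneLogonMode([int]$Zone) {
    $props = Get-ItemProperty -Path "$base\Zones\$Zone" -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.'1A00') { return 'not set for this user' }
    $raw = [int]$props.'1A00'
    if ($logonModes.ContainsKey($raw)) { return $logonModes[$raw] }
    return ('unrecognised value 0x{0:X8}' -f $raw)
}

function Get-SiteZone([string]$HostName) {
    # Named sites live under ZoneMap\Domains\<host>: value name = scheme, data = zone number.
    $props = Get-ItemProperty -Path "$base\ZoneMap\Domains\$HostName" -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @("no explicit entry for $HostName") }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        '{0}://{1} -> zone {2} ({3})' -f $_.Name, $HostName, $_.Value, $zoneNames[[int]$_.Value]
    }
}

# The three "Sites" check boxes, plus automatic intranet detection.
$zoneMap = Get-ItemProperty -Path "$base\ZoneMap" -ErrorAction SilentlyContinue
foreach ($name in 'AutoDetect', 'IntranetName', 'ProxyBypass', 'UNCAsIntranet') {
    $v = $zoneMap.$name
    if ($null -eq $v) { $v = 'not set' }
    '{0,-14} = {1}' -f $name, $v
}

# Logon mode per zone, then the explicit mapping added via Sites > Advanced.
foreach ($z in 1..4) { '{0,-16} : {1}' -f $zoneNames[$z], (Get-ZoneLogonMode $z) }
Get-SiteZone 'localhost'
```

A zone reporting “Automatic logon with current username and password” outside the Local intranet row means the zone has been set to the “Low” template or customised, as described above.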