ReportServer method in vti_bin appears to document entire site collection map to any authenticated user

    Question

  • SharePoint 2010 CU 12/2011

    SSRS 2008R2

    If I log in as a lowest of low priv user, and navigate to /vti_bin/reportserver, I see a complete list of site collections in the application.

    I'm testing the ramifications of putting the following in web.config, but wondered if there's something fundamentally wrong here. Does SSRS not security-trim based on current user? Are there other methods or services we should be concerned about?

      <location path="vti_bin/reportserver">
        <system.web>
          <authorization>
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
      <location path="_vti_bin/reportserver">
        <system.web>
          <authorization>
            <deny users="*" />
          </authorization>
        </system.web>
      </location>
      <location path="_layouts/_vti_bin/reportserver">
        <system.web>
          <authorization>
            <deny users="*" />
          </authorization>
        </system.web>
      </location>

    Wednesday, June 26, 2013 5:41 PM
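A check for the web.config change above (an added example, not from the thread): it parses the `<location>` entries and reports, for each of the three reportserver paths named in the question, whether an authenticated user is actually refused, taking into account that ASP.NET URL authorization applies the first matching rule. The sample web.config is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The three paths the question guards; taken from the web.config shown above.
REPORTSERVER_PATHS = (
    "vti_bin/reportserver",
    "_vti_bin/reportserver",
    "_layouts/_vti_bin/reportserver",
)

def location_locked(location):
    """True if URL authorization under this <location> refuses an authenticated
    user. ASP.NET matches rules in document order and the first match wins, so
    an <allow users="*"/> ahead of the deny defeats the lock, and
    <deny users="?"/> only refuses anonymous callers."""
    auth = location.find("./system.web/authorization")
    if auth is None:
        return False  # no rules at all: ASP.NET default is allow
    for rule in auth:
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if rule.tag == "allow" and "*" in users:
            return False  # allow-all matches first: lock is defeated
        if rule.tag == "deny" and "*" in users:
            return True  # deny-all reached before any allow-all
    return False

def audit_reportserver_locks(web_config_xml, paths=REPORTSERVER_PATHS):
    """Map each expected path to whether a deny-all <location> covers it."""
    root = ET.fromstring(web_config_xml)
    found = {}
    for loc in root.iter("location"):
        path = loc.get("path", "").strip("/").lower()
        found[path] = location_locked(loc)
    return {p: found.get(p.lower(), False) for p in paths}

# Constructed sample web.config: one path locked correctly, one defeated by an
# allow-all rule placed before the deny, and the _layouts variant missing.
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="_vti_bin/reportserver">
    <system.web><authorization><deny users="*" /></authorization></system.web>
  </location>
  <location path="vti_bin/reportserver">
    <system.web><authorization>
      <allow users="*" /><deny users="*" />
    </authorization></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for path, locked in audit_reportserver_locks(SAMPLE_WEB_CONFIG).items():
        print(f"{path:32} {'locked' if locked else 'OPEN'}")
```

Whether a locked path really stops the listing still has to be confirmed by browsing to the endpoint as the low-privilege account after the change.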

All replies

  • Hi FosterHardie,

    Thank you for your question.

    I am trying to involve someone more familiar with this topic for a further look at this issue. Some delay might be expected from the job transfer. Your patience is greatly appreciated.

    Thank you for your understanding and support.

    Thanks,
    Mike Yin

    Mike Yin
    TechNet Community Support

    Friday, June 28, 2013 10:00 AM
    Moderator
  • Hello FosterHardie,

    Please clarify the questions below:

    1. What is the authentication provider option chosen for the application?
    Details can be found under Central Administration -> Application Management -> Manage Web Applications -> Authentication Providers

    2. What is the permission for the low privileged user in SharePoint?

    3. Details of patches installed with Build number for SSRS -> 10.50.XXXX

    Thanks

    Regards
    Durai Murugan

    Monday, July 01, 2013 5:31 PM
  • 1. Claims based authentication

    2. No group membership or other permissions granted to the root site. Read-only to one of many site collections in a managed path

    3. 10.50.2550.0

    Thanks.

    Tuesday, July 02, 2013 4:09 PM
  • Hello FosterHardie,

    Thanks for your response.

    I had tested with "Claims and Windows authentication" and it works as expected, and I am able to view only the items on which I have permissions. So we may need to investigate your case further if it is not working as expected.

    From a support perspective, this is really beyond what we can do here in the forums. If you cannot determine your answer here or on your own, consider opening a support case with us. Visit this link to see the various support options that are available to better meet your needs: http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone.

    If Microsoft determines that a problem is the result of a defect in a Microsoft product, you will not be charged for that incident.

    Regards

    Durai Murugan

    Wednesday, July 03, 2013 4:43 PM