ssrs app pool vs reporting services app pool

  • Question

  • I presume the recommended identities for the two SSRS app pools are as follows:
    1) Network Service for the Reporting Services App since it may be involved in the install of Report Builder?  And the Reporting Services App is tied to the <http://>Reports URL
    2) A domain account for SSRS App?  And the SSRS App is tied to the <http://>ReportServer URL?

    So in short my question is what is the best practice regarding identity assignment for the two SSRS app pools.  Thanks.

    Friday, October 16, 2009 6:30 PM

All replies

  • Hi Bob,

     

    It will help if you could elaborate a bit more about the question.

     

    http://<report server name>/reports is the URL of the Report Manager.

    Report Manager is a Web-based report access and management tool that you use to administer a single report server instance from a remote location over an HTTP connection. You can also use Report Manager for its report viewer and navigation features.

    http://<report server name>/reportserver_<instance> is the URL of the Report Server.

    The report server is the central component of a Reporting Services installation. It consists of a pair of core processors plus a collection of special-purpose extensions that handle authentication, data processing, rendering, and delivery operations. Processors are the hub of the report server. The processors support the integrity of the reporting system and cannot be modified or extended. Extensions are also processors, but they perform very specific functions. Reporting Services includes one or more default extensions for every type of extension that is supported. You can add custom extensions to a report server. Doing so allows you to extend a report server to support features that are not supported out of the box; examples of custom functionality might include support for single sign-on technologies, report output in application formats that are not already handled by the default rendering extensions, and report delivery to a printer or application.

     

    So, there is no reason for which identity to be used if we are going to use Report Manager or Report Server.

     

    For best results, specify an account that has network connection permissions, with access to network domain controllers and corporate SMTP servers or gateways. The following table summarizes the accounts and provides recommendations for using them.

    Account: Domain user accounts

    Explanation: If you have a Windows domain user account that has the minimum permissions required for report server operations, you should use it.

    A domain user account is recommended because it isolates the Report Server service from other applications. Running multiple applications under a shared account, such as Network Service, increases the risk of a malicious user taking control of the report server because a security breach for any one application can easily extend to all applications that run under the same account.

    A domain user account is required if you are configuring the report server for constrained delegation, or for a specific configuration in SharePoint integrated mode where the report server, report server database, and the SharePoint configuration and content databases are on one computer, and the SharePoint Web application is on a second computer.

    Note that if you use a domain user account, you will have to change the password periodically if your organization enforces a password expiration policy. You might also need to register the service with the user account. For more information, see How to: Register a Service Principal Name (SPN) for a Report Server.

    Avoid using a local Windows user account. Local accounts typically do not have sufficient permission to access resources on other computers. For more information about how using a local account limits report server functionality, see Considerations for Using Local Accounts in this topic.

    Account: Network Service

    Explanation: Network Service is a built-in least-privilege account that has network logon permissions. This account is recommended if you do not have a domain user account available or if you want to avoid any service disruptions that might occur as a result of password expiration policies.

    If you select Network Service, try to minimize the number of other services that run under the same account. A security breach for any one application will compromise the security of all other applications that run under the same account.

    Account: Local Service

    Explanation: Local Service is a built-in account that is like an authenticated local Windows user account. Services that run as the Local Service account access network resources as a null session with no credentials. This account is not appropriate for intranet deployment scenarios where the report server must connect to a remote report server database or a network domain controller to authenticate a user prior to opening a report or processing a subscription.

    Account: Local System

    Explanation: Local System is a highly privileged account that is not required for running a report server. Avoid this account for report server installations. Choose a domain account or Network Service instead.

     

    For more information, please see:

    Report Manager: http://msdn.microsoft.com/en-us/library/ms157147.aspx

    Report Server: http://msdn.microsoft.com/en-us/library/ms157231.aspx

    Service Account (Reporting Services Configuration): http://msdn.microsoft.com/en-us/library/ms189964(SQL.90).aspx

     

    Please feel free to ask, if you have any more questions.

     

    Thanks,

    Jin Chen


    Jin Chen - MSFT
    Monday, October 19, 2009 7:09 AM
  • Jin,


    Thanks for the reply, I'll try to elaborate more.

    If I start IIS Manager, right click on the Application Pool associated with Report Manager, click on the Identity tab, what is the value that I should put for "Select a security account for this application pool"? I assume that it should not be Local System, but maybe Network Service? Same question for the Application Pool associated with the Report Server (assuming they are running under different application pools).

    Thanks.

    --Bob Harford

    Monday, October 19, 2009 6:35 PM
  • Hi Bob,

     

    Which user should be used is based on the access required.

    If we need to visit other resources which are not on the report server, please do not use "Local Service".

    Services that run as the Local Service account access network resources as a null session with no credentials.

    Local System is a highly privileged account that is not required for running a report server.

    Choose a domain account or Network Service instead.

    The Report Manager uses the same application pool as Report Server.

     

    Thanks,

    Jin Chen


    Jin Chen - MSFT
    • Marked as answer by Bob Harford Tuesday, October 20, 2009 1:05 PM
    Tuesday, October 20, 2009 9:08 AM
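
The account guidance quoted in the thread can be checked mechanically. The PowerShell below is an added example, not code from the thread or from Microsoft's documentation: it classifies each service identity as Local System, Local Service, Network Service, local user or domain user, and reports how many other services share Network Service with the report server. The function names, the `ReportServer*` name filter and the sample records are assumptions made for illustration.

```powershell
# Added example (not from the thread). Function and parameter names are hypothetical.
function Get-AccountKind {
    param([string] $Account, [string] $ComputerName = $env:COMPUTERNAME)
    if ([string]::IsNullOrWhiteSpace($Account)) { return 'Unknown' }
    $a = $Account -replace '\s', ''      # 'NT AUTHORITY\NETWORK SERVICE' -> 'NTAUTHORITY\NETWORKSERVICE'
    $localPrefix = '^(\.|' + [regex]::Escape($ComputerName) + ')\\'
    if     ($a -match '^(LOCALSYSTEM|NTAUTHORITY\\SYSTEM)$') { 'LocalSystem' }
    elseif ($a -match '^(NTAUTHORITY\\)?LOCALSERVICE$')      { 'LocalService' }
    elseif ($a -match '^(NTAUTHORITY\\)?NETWORKSERVICE$')    { 'NetworkService' }
    elseif ($a -match $localPrefix)                          { 'LocalUser' }
    else                                                     { 'DomainUser' }
}

function Get-IdentityFinding {
    param([object[]] $Record, [string] $NameLike = 'ReportServer*',
          [string] $ComputerName = $env:COMPUTERNAME)
    $rows = foreach ($r in $Record) {
        [pscustomobject]@{ Name = $r.Name; Account = $r.Account
                           Kind = Get-AccountKind $r.Account $ComputerName }
    }
    # Network Service is shared: a breach of any co-tenant extends to the report server.
    $coTenants = @($rows | Where-Object { $_.Kind -eq 'NetworkService' }).Count - 1
    foreach ($row in $rows | Where-Object { $_.Name -like $NameLike }) {
        $finding = switch ($row.Kind) {
            'LocalSystem'    { 'Avoid: highly privileged, not required for a report server' }
            'LocalService'   { 'Unsuitable for remote resources: null session, no credentials' }
            'LocalUser'      { 'Avoid: local accounts usually cannot reach other computers' }
            'NetworkService' { "Acceptable; shared with $coTenants other service(s) on this host" }
            'DomainUser'     { 'Recommended if limited to the minimum permissions required' }
            default          { 'No account recorded; check manually' }
        }
        [pscustomobject]@{ Name = $row.Name; Account = $row.Account
                           Kind = $row.Kind; Finding = $finding }
    }
}

# Constructed sample records. On a real host, feed live data instead, e.g.
#   Get-CimInstance Win32_Service | Select-Object Name, @{ n = 'Account'; e = { $_.StartName } }
$sample = @(
    [pscustomobject]@{ Name = 'ReportServer';     Account = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'ReportServer$DEV'; Account = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ReportServer$FIN'; Account = 'CONTOSO\svc-ssrs' }
    [pscustomobject]@{ Name = 'ExampleWebApp';    Account = 'NT AUTHORITY\NetworkService' }
    [pscustomobject]@{ Name = 'ExampleAgent';     Account = 'NT AUTHORITY\NetworkService' }
)
Get-IdentityFinding -Record $sample -ComputerName 'RS01' | Format-Table -AutoSize -Wrap
```

Application pool identities can be passed in the same Name/Account shape, with `-NameLike` set to match the pool names in use.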