SSRS 2008R2 SP1 CU5 Integration with SiteMinder


  • Having SSRS 2008R2SP1 CU5 installed and validated at baseline, I began engineering a Authentication Extension to "passthru" SMSESSION cookies from SiteMinder.

    Understanding that SSRS now operates under HTTP.SYS which doesn't play nice with the SiteMinder WebAgent, what is the best way to validate a current SMSESSION and obtain the SM_USER from the parent portal running on IIS? Since these are two different platforms how should this be solved?

    1. User clicks SSRS link (bookmark or other site). 
    2. SMSESSION Cookie not found--user presented with Unauthorized--must log into portal.
    3. With valid session, user clicks on link...

    Q. What should the Extension do to take the SMSESSION [On the SAME domain] and SMUSER to the SSRS session?

    Hopefully, this makes sense--any tips/clues would be extremely helpful!


    Thursday, March 28, 2013 8:42 PM

All replies

  • Hi BK,

    In Reporting Services, the primary way to authenticate against a report server in Reporting Services is the LogonUser method which is used to pass user credentials to a report server for validation. Here are the authentication flow:

    1. A client application calls the Web service LogonUser method to authenticate a user.
    2. The Web service makes a call to the LogonUser method of your security extension, specifically, the class that implements IAuthenticationExtension.
    3. Your implementation of LogonUser validates the user name and password in the user store or security authority.
    4. Upon successful authentication, the Web service creates a cookie and manages it for the session.
    5. The Web service returns the authentication ticket to the calling application on the HTTP header.


    Hope this helps.

    Mike Yin

    If you have any feedback on our support, please click here

    Mike Yin
    TechNet Community Support

    Monday, April 01, 2013 3:31 AM
  • Thanks Mike for your quick reply! It is appreciated.

    Understood on LogonUser--however, my custom authorization is very much so...  ;-)  My users will only be using a Smart Card certificate--no username/password.  So, I assume that I will be sending in "approved" "dummy" credentials for the LogonUser method.  My dilema is how to pass in the SMSESSION cookie "authorization token" received after the user's SmartCard credentials are verified...  Just not sure how to package that to be passed around for the followon reporting requests during the session.  I've seen some blogs where this is being done, but I've not been successful thus far.

    Does this make sense?


    Monday, April 01, 2013 12:48 PM