Hi Marc,
My name is Allen Chen. It's my pleasure to work with you on this issue.
My understanding to your question is like this:
" You have two servers. Server A is a Web Server, Server B runs Reporting
Service.
" You've assigned roles to a report. Say domain/UserA can browse the report
while domain/UserB cannot.
" domain/UserA and domain/UserB can both access the web page. In the web
page, you're using a ReportViewer control to show the report.
" Since domain/UserB has no permission to browse the report you don't want
to let him view the report. As to domain/UserA, he can view the report
normally.
If my understanding is correct, you can try following steps to do so:
1. Enable Basic Authentication for this web site in IIS and disable other
authentication.
2. Add following setting in web.config:
<system.web>
<identity impersonate="true"/>
...
</system.web>
Explanation:
Actually this is a double hop issue. The user viewing the page needs to
provide his credential. If the web site is using Windows Authentication
only the credential is passed to Server A. In that case, impersonation
cannot delegate the user. If the web site is using Basic Authentication the
password will be passed to server as well. Then Server A can work as a
delegation to impersonate the user to communicate with Server B.
Below are some articles related to this.
http://blogs.msdn.com/nunos/archive/2004/03/12/88468.aspx
http://drowningintechnicaldebt.com/blogs/shawnweisfeld/archive/2006/12/06/Th
e-_1C20_Double-Hop_1D20_-Issue.aspx
http://weblogs.asp.net/avnerk/archive/2004/09/22/232967.aspx
Please let me know if it works. If I misunderstood you please correct me
and clarify your requirement.
Regards,
Allen Chen
Microsoft Online Support
Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.
Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
