SecurityException when running reports with Report Viewer

Discussion:

(too old to reply)

ZWeng

2006-10-24 14:20:02 UTC

I have a simple asp.net 2.0 page using Report Viewer to render reports from
SQL Server 2005 Reporting Services.

The report itself has input as criteria for search. It seems fine to get to
the report page. Once the page takes the input and clicked on the View
Report button, the following error is shown:

--------------------
Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the
permission of type 'System.Security.Permissions.EnvironmentPermission,
mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
failed.

Stack Trace:

[SecurityException: Request for the permission of type
'System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +59
System.Net.CredentialCache.get_DefaultCredentials() +59
Microsoft.Reporting.WebForms.ServerReport.get_ServerNetworkCredentials()
+26
Microsoft.Reporting.WebForms.ServerReport.get_Service() +89
Microsoft.Reporting.WebForms.ServerReport.GetExecutionInfo() +106
Microsoft.Reporting.WebForms.ServerReport.GetParameters() +65
_Default.run() +61
_Default.Page_Load(Object sender, EventArgs e) +246
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
Object t, EventArgs e) +15
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
EventArgs e) +34
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint) +154
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequestWithAssert(HttpContext context) +36
System.Web.UI.Page.ProcessRequest(HttpContext context) +2010714
ASP.default_aspx.ProcessRequest(HttpContext context) +4

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64

Does anyone know what was wrong here?

Thank you.

Devin

2006-10-24 16:32:03 UTC

Permalink

Is your web page and reporting services on the same web server? If not, you
are probably getting the "double hop" issue. You can google "double hop" and
you'll find you're not the only one.

Devin

Post by ZWeng
I have a simple asp.net 2.0 page using Report Viewer to render reports from
SQL Server 2005 Reporting Services.
The report itself has input as criteria for search. It seems fine to get to
the report page. Once the page takes the input and clicked on the View
--------------------
Security Exception
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.
Exception Details: System.Security.SecurityException: Request for the
permission of type 'System.Security.Permissions.EnvironmentPermission,
mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
failed.
[SecurityException: Request for the permission of type
'System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Security.CodeAccessSecurityEngine.Check(Object demand,
StackCrawlMark& stackMark, Boolean isPermSet) +0
System.Security.CodeAccessPermission.Demand() +59
System.Net.CredentialCache.get_DefaultCredentials() +59
Microsoft.Reporting.WebForms.ServerReport.get_ServerNetworkCredentials()
+26
Microsoft.Reporting.WebForms.ServerReport.get_Service() +89
Microsoft.Reporting.WebForms.ServerReport.GetExecutionInfo() +106
Microsoft.Reporting.WebForms.ServerReport.GetParameters() +65
_Default.run() +61
_Default.Page_Load(Object sender, EventArgs e) +246
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o,
Object t, EventArgs e) +15
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender,
EventArgs e) +34
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6953
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint,
Boolean includeStagesAfterAsyncPoint) +154
System.Web.UI.Page.ProcessRequest() +86
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +18
System.Web.UI.Page.ProcessRequestWithAssert(HttpContext context) +36
System.Web.UI.Page.ProcessRequest(HttpContext context) +2010714
ASP.default_aspx.ProcessRequest(HttpContext context) +4
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +154
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +64
Does anyone know what was wrong here?
Thank you.

ZWeng

2006-10-24 16:36:03 UTC

Permalink

The web page and hte reporting services are on the same box.

Thank you anyway, Devin.

Post by Devin
Is your web page and reporting services on the same web server? If not, you
are probably getting the "double hop" issue. You can google "double hop" and
you'll find you're not the only one.
Devin

Devin

2006-10-24 16:43:01 UTC

Permalink

Is your ASP.NET website using impersonation of any kind or is it using
anonymous user? Can you post some code so we can see how you are openning
the report?

Post by ZWeng
The web page and hte reporting services are on the same box.
Thank you anyway, Devin.

ZWeng

2006-10-25 13:22:02 UTC

Permalink

In the Web.config file, I set the impersonation as
<identity impersonate="true" userName="username" password="password"/>
with "username" been a local account on the box. This account also has
proper access to the local directory where the asp.net files are located and
C$\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files. This
account is also granted as "Browser" from the Reports/Securities settings.

Then in the aspx page, there is just a ReportViewer Control:
<body>
<form id="form1" runat="server">
<div>
rsweb:ReportViewer ID="ReportViewer1" runat="server">
</rsweb:ReportViewer>
</div>
</form>
</body>

in the aspx.cs code behind file, these settings are there:

ReportViewer1.ServerReport.ReportServerUrl = new Uri
("corretReportServerUrl");
ReportViewer1.ServerReport.ReportPath = "correctPathofReport";
ReportViewer1.ProcessingMode =
Microsoft.Reporting.WebForms.ProcessingMode.Remote;
ReportViewer1.Width = new Unit("100%");
ReportViewer1.Height = new Unit("100%");
ReportViewer1.ShowRefreshButton = true;
ReportViewer1.ShowFindControls = true;
ReportViewer1.ShowToolBar = true;
ReportViewer1.ShowZoomControl = true;
ReportViewer1.SizeToReportContent = true;

if (Page.IsPostBack)
{
//iterate through parameters and construct a new array which
will take the
//user entered values
}

ReportViewer1.ServerReport.Refresh();

A couple of more points I would like to add:
1. this settings have been working fine in the past few months till recently
the server was updated with other stuff(not sure what was put on the server),
and the reporting page stopped working.
2. THE initial aspx reporting page with query input was rendered OK. It
errors out only after user types in search query and click the "View Report"
button. I think after the View Report Button is clicked, the ReportServer
API via ReportService webservice is called and the security for the
webservice call is not configured correctly.

I am not sure whether my guess is right. Any suggestion will be appreciated.

Post by Devin
Is your ASP.NET website using impersonation of any kind or is it using
anonymous user? Can you post some code so we can see how you are openning
the report?

Devin

2006-10-25 16:22:02 UTC

Permalink

OK, so it used to work, that narrows down a few things. Can you view the
report through the RS website? Also, did you check the RS configuration on
the server to make sure that you see the green checks all the way down? If
the RS website works, have you tried logging in locally to the web server
with the account you are impersonating in asp.net and trying to view the
report through the website with that account?

Post by ZWeng
In the Web.config file, I set the impersonation as
<identity impersonate="true" userName="username" password="password"/>
with "username" been a local account on the box. This account also has
proper access to the local directory where the asp.net files are located and
C$\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files. This
account is also granted as "Browser" from the Reports/Securities settings.
<body>
<form id="form1" runat="server">
<div>
rsweb:ReportViewer ID="ReportViewer1" runat="server">
</rsweb:ReportViewer>
</div>
</form>
</body>
ReportViewer1.ServerReport.ReportServerUrl = new Uri
("corretReportServerUrl");
ReportViewer1.ServerReport.ReportPath = "correctPathofReport";
ReportViewer1.ProcessingMode =
Microsoft.Reporting.WebForms.ProcessingMode.Remote;
ReportViewer1.Width = new Unit("100%");
ReportViewer1.Height = new Unit("100%");
ReportViewer1.ShowRefreshButton = true;
ReportViewer1.ShowFindControls = true;
ReportViewer1.ShowToolBar = true;
ReportViewer1.ShowZoomControl = true;
ReportViewer1.SizeToReportContent = true;
if (Page.IsPostBack)
{
//iterate through parameters and construct a new array which
will take the
//user entered values
}
ReportViewer1.ServerReport.Refresh();
1. this settings have been working fine in the past few months till recently
the server was updated with other stuff(not sure what was put on the server),
and the reporting page stopped working.
2. THE initial aspx reporting page with query input was rendered OK. It
errors out only after user types in search query and click the "View Report"
button. I think after the View Report Button is clicked, the ReportServer
API via ReportService webservice is called and the security for the
webservice call is not configured correctly.
I am not sure whether my guess is right. Any suggestion will be appreciated.

Post by Devin
Is your ASP.NET website using impersonation of any kind or is it using
anonymous user? Can you post some code so we can see how you are openning
the report?

ZWeng

2006-10-26 13:18:01 UTC

Permalink

Devin,
Thank you for the suggestions. I checked the following things.
1. I can view the reports through RS Website.
2. RS configuratioin on the server shows green checks except Encryption
Keys, which showed Exclamation sign.
3. I was able to login with the account used in the impersonation and view
the reports successfully through RS website.

With all the things checked, the report is still not working.

Thank you

Post by Devin
OK, so it used to work, that narrows down a few things. Can you view the
report through the RS website? Also, did you check the RS configuration on
the server to make sure that you see the green checks all the way down? If
the RS website works, have you tried logging in locally to the web server
with the account you are impersonating in asp.net and trying to view the
report through the website with that account?

Devin

2006-10-27 15:55:02 UTC

Permalink

OK, this is very odd, and I'll admit that I'm running out of ideas. I just
have a couple of other questions.

1) Is this a local copy of SQL Server or is there a separate DB server?
- I'm assuming since it's RS 2005, it's SQL 2005 correct?
2) What credentials does the report's data source use?
- If this is set to "Windows integrated security", try setting it
to "Credentials stored securely in the report server" and
check the box for "Use as Windows credentials when
connecting to the data source".
- Just to get permissions out of the way during testing, give
that user the db_owner role for the database in which
the report is hitting.

Devin

Post by ZWeng
Devin,
Thank you for the suggestions. I checked the following things.
1. I can view the reports through RS Website.
2. RS configuratioin on the server shows green checks except Encryption
Keys, which showed Exclamation sign.
3. I was able to login with the account used in the impersonation and view
the reports successfully through RS website.
With all the things checked, the report is still not working.
Thank you

ZWeng

2006-10-27 16:25:03 UTC

Permalink

Devin,
Thank you for the suggestions. Let me answer your questions first and then
tell you what we found.
1. I may not stated clearly in the past postings, the report services and
the web page are on the same box, but the data source for the reporting
services is a SQL 2000 on a separate box.
2. the credentials for report's data source has limited access to the
database and I don't have control over it. But this account seems to be
working fine.

What we found at the end was by granting the impersonation account
"username" with admin rights on the box will allow the web page to query and
render reports correctly. Even this is a temporary solution, this doesnt
seem to be appropriate by granting more rights than needed. This account
never had admin rights when it used to work.

Any further suggestions why this account needs admin rights now in order to
call the RS and render reports while it was working OK with limited rights
before?

Thank you.

zweng

Post by Devin
OK, this is very odd, and I'll admit that I'm running out of ideas. I just
have a couple of other questions.
1) Is this a local copy of SQL Server or is there a separate DB server?
- I'm assuming since it's RS 2005, it's SQL 2005 correct?
2) What credentials does the report's data source use?
- If this is set to "Windows integrated security", try setting it
to "Credentials stored securely in the report server" and
check the box for "Use as Windows credentials when
connecting to the data source".
- Just to get permissions out of the way during testing, give
that user the db_owner role for the database in which
the report is hitting.
Devin