CHAPTER 1 INTRODUCING THE REPORTING SERVICES ARCHITECTUREoutside Windows to access the report server. Since SSRS has multiple authentication points—namely, at
the report server level through http.sys and the data-access level, SQL, or Windows authentication—
specific security risks exist when altering the default Windows roles-based security model. For one,
http.sys would need to be set up to allow explicit access and custom validation of a user’s credentials.
Another risk is that SSRS can support only one security extension at a time. In other words, a single SSRS
report server can be extended to support a non-default authentication model or remain as a default
Windows authentication, but cannot take advantage of both models simultaneously. Depending on your
level of need for custom security—say, for example, you need to deploy SSRS on an Internet-facing
server, or your application already supports forms authentication, and it would be too difficult to work
within the constraints of Windows authentication—then you might need to consider a custom security
extension. Our needs were such that we could easily incorporate SSRS into an existing Windows
authentication model.
Another method of dealing with security is through a Windows or Web-based application that has
its own authentication layer. Using the ReportViewer control within the Visual Studio designer for
Windows and Web forms, you can use an application as a portal into the report server. As long as the
application handles security, you can give the application server access to the needed objects within
Reporting Services by using an Active Directory computer account like DOMAIN\ServerName$.
In this book, we’ll cover two deployment scenarios:
- Intranet deployment using Virtual Private Network (VPN) and firewall
technologies to allow access to the SSRS report server - An Internet-hosted application that uses Terminal Services to connect securely to
an SSRS report server
In Chapter 11, we’ll walk you through securing the SSRS deployment models with technologies that
provide the required encryption levels and user authentication. In addition to the two models that we
cover, we briefly discuss ways to integrate a forms-based authentication method allowing clients to
connect directly to SSRS via the Internet.
Summary
Having created and deployed numerous projects with SSRS for SQL Server 2005, 2008 and 2008 R2, we
have been anxiously awaiting, along with the rest of the SQL Server community, the release of SQL
Server 2012. As you work through the book, we will point out the enhancements released with SSRS 2008
R2 and SSRS 2012. However, our main aim, as with the other editions of the book, is to show you how to
take advantage of advanced features, providing useful examples, enabling you to put SSRS to work in a
real-world environment where the user of the reports and applications that you deploy will have the
final say on the solution’s success.