Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Required configuration for Extended Protection in Reporting Services

Required configuration for Extended Protection in Reporting Services

Summary

Extended Protection is a set of enhancements to Windows Authentication.  For Reporting Services, two tags must be present within the rsreportserver.config file in order for Windows Authentication to work properly.  If these tags are not present, Windows Authentication will be disabled.

The two tags are RSWindowsExtendedProtectionLevel and RSWindowsExtendedProtectionScenario.

↑ Back to the top

More Information

The default location for rsreportserver.config in SQL Server 2008 R2 is C:\Program Files\Microsoft SQL Server\MSRS10_50.<Instance Name>\Reporting Services\ReportServer\bin; and in SQL Server 2012 is C:\Program Files\Microsoft SQL Server\MSRS11.<Instance Name>\Reporting Services\ReportServer\bin.

The RSWindowsExtendedProtectionLevel and RSWindowsExtendedProtectionScenario tags must be present within the rsreportserver.config for Windows Authentication requests to be accepted by the Report Server.  This does not mean that Extended Protection needs to be enabled, just that the tags are physically present.

                <Authentication>
                                <AuthenticationTypes>
                                                <RSWindowsNegotiate/>
                                                <RSWindowsNTLM/>
                                </AuthenticationTypes>
                                <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
                                <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
                                <EnableAuthPersistence>true</EnableAuthPersistence>
                </Authentication>

You may also see log entries similar to the following, if the above tags are not present:

configmanager!DefaultDomain!21f8!05/26/2010-21:50:39:: e ERROR: Missing or Invalid ExtendedProtectionLevel setting
rshost!rshost!1fe0!05/26/2010-21:50:40:: e ERROR: Invalid ExtendedProtectionPolicy specified.
rshost!rshost!1fe0!05/26/2010-21:50:40:: e ERROR: Invalid ExtendedProtectionPolicy specified.
servicecontroller!DefaultDomain!21f8!05/26/2010-21:50:40:: e ERROR: Error creating HTTP endpoint. System.ArgumentException: Value does not fall within the expected range.
   at Microsoft.ReportingServices.HostingInterfaces.IRsUnmanagedCallback.CreateHttpEndpoint(RsAppDomainType application, String[] urlPrefixes, Int32 cPrefixes, String[] hosts, Int32 cHosts, Boolean wildCardPresent, String virtualDirectory, String filePath, Int32 authType, Int32 logonMethod, String authDomain, String authRealm, Boolean authPersist, Int32 extendedProtectionLevel, Int32 extendedProtectionScenario, Boolean enabled)
   at Microsoft.ReportingServices.Library.ServiceAppDomainController.SetWebConfiguration(RunningApplication rsApplication, Boolean enabled, String folder)

For further information regarding Extended Protection in Reporting Services please refer to the Books Online documents for the HTTP Log - http://msdn.microsoft.com/en-us/library/ff487481(SQL.105).aspx.

 For more information about the products or tools that automatically check for this condition on your instance of SQL Server and on the versions of the SQL Server product, see the following table:

 

Rule software

Rule title

 Rule description

 Product versions against which the rule is evaluated 

SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA)

Missing Extended Protection settings

The SQL Server 2008 R2 Best Practice Analyzer (SQL Server 2008 R2 BPA) provides a rule to detect when this setting is not present.  The SQL Server 2008 R2 BPA supports both SQL Server 2008 and SQL Server 2008 R2. If you run the BPA tool and encounter a Warning with the title of Reporting Services - Missing Extended Protection settings, this means that no Extended Protection tags are present in your configuration file for the given Reporting Services Instance.  Note that this rule only applies to Reporting Services 2008 R2.

The BPA rule looks for the RSWindowsExtendedProtectionLevel and RSWindowsExtendedProtectionScenario tags within the rsreportserver.config.

SQL Server 2008
SQL Server 2008 R2

SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA)

Missing Extended Protection settings

The SQL Server 2012 Best Practice Analyzer (SQL Server 2012 BPA) provides a rule to detect when this setting is not present.If you run the BPA tool and encounter a Warning with the title of Reporting Services - Missing Extended Protection settings, this means that no Extended Protection tags are present in your configuration file for the given Reporting Services Instance.

The BPA rule looks for the RSWindowsExtendedProtectionLevel and RSWindowsExtendedProtectionScenario tags within the rsreportserver.config.

SQL Server 2012 

↑ Back to the top

Keywords: vkball, kb

↑ Back to the top

Article Info
Article ID : 2146062
Revision : 1
Created on : 1/8/2017
Published on : 4/3/2012
Exists online : False
Views : 757