I am having a problem implementing constrained delegation for SSRS. I have followed the (very good) instructions located here:
http://sqlblogcasts.com/blogs/stevechowles/archive/2007/06/08/reporting-services-2005-for-the-dba-iis-security.aspx
I have chosen the option of running the application pool for SSRS under a domain user account. This is the same account that I use to run the SSRS service.
I have the authentication providers for the site set to "Negotiate,NTLM".
I also made sure that the application pool user account has rights on the ReportManager and ReportServer directories.
If I browse to the URL while logged on to the SSRS server then I am able to access the site.
My problem is when I try to access the site from anywhere but locally on the SSRS server:
I get a logon prompt if I try to access the SSRS URL from a different workstation. After three tries to log in I get: "You are not authorized to view this page". Even with an account that is local admin on the SSRS Server. If I set the authentication providers for the site to "NTLM" then I am able to access the site from a different workstation but of course constrained delegation does not work. Have I overlooked something? What could be causing the login prompt?
Can you tell us a bit more about what you are trying to achieve? Do you have an ASP.NET application which needs to integrate with SSRS with a trusted account? If so, you need to set the app pool of the application to the Windows account SSRS will trust.
Hello Teo,
I have solved the problem but am not sure I understand 100% why. I am using a host header for my SSRS site and I had created two SPNs for the host header. I then created two additional SPNs: one for the NetBIOS name of the SSRS host and one for the FQDN of the host. This solved the problem. So I apparently need four SPNs for the SSRS site when using host headers...
BTW, I love your book on SSAS. Much better than one of the others by a well known publisher which I also bought.
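
The four-SPN fix described in the last post, as an added example that is not part of the original thread: a check that the output of `setspn -L` for the application pool account contains every SPN, and the `setspn -S` commands for any that are missing. The account, host names and sample listing are constructed, and the `HTTP` service class and the short/FQDN pair for the host header are assumptions.

```python
def expected_spns(host_header_short, host_header_fqdn, server_netbios,
                  server_fqdn, service_class="HTTP"):
    """The four SPNs from the thread: two for the host header (assumed to be
    its short and fully qualified forms), one for the server's NetBIOS name
    and one for the server's FQDN."""
    names = (host_header_short, host_header_fqdn, server_netbios, server_fqdn)
    return [f"{service_class}/{name}" for name in names]


def parse_setspn_listing(text):
    """Extract SPNs from `setspn -L <account>` output: the header line is
    unindented, each registered SPN follows on its own indented line."""
    return [line.strip() for line in text.splitlines()
            if line[:1] in (" ", "\t") and "/" in line]


def missing_spns(listing, expected):
    """Expected SPNs absent from the listing (SPNs compare case-insensitively)."""
    registered = {spn.lower() for spn in parse_setspn_listing(listing)}
    return [spn for spn in expected if spn.lower() not in registered]


def fix_commands(missing, account):
    """`setspn -S` registers an SPN only after checking for duplicates."""
    return [f"setspn -S {spn} {account}" for spn in missing]


# Constructed sample: only the two host-header SPNs are registered, which is
# the state the poster describes before adding the server-name SPNs.
SAMPLE_LISTING = (
    "Registered ServicePrincipalNames for "
    "CN=svc-ssrs,OU=Service Accounts,DC=corp,DC=example:\n"
    "\tHTTP/reports\n"
    "\tHTTP/reports.corp.example\n"
)

# Hypothetical names: host header "reports", server "SSRS01".
EXPECTED = expected_spns("reports", "reports.corp.example",
                         "SSRS01", "ssrs01.corp.example")

if __name__ == "__main__":
    for cmd in fix_commands(missing_spns(SAMPLE_LISTING, EXPECTED),
                            r"CORP\svc-ssrs"):
        print(cmd)
```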