Is it possible to limit SSRS authentication to Kerberos only?


We have an instance of SSRS (SQL Server Reporting Services) which uses Kerberos Constrained Delegation to fetch data for its reports from SQL Server on behalf of its users.

For this purpose, SSRS was configured to use the <RSWindowsNegotiate/> authentication option.

Unfortunately, this option allows NTLM sign-in as well. Users successfully log in with NTLM, and then get an error when trying to launch a report (because the delegation obviously fails).

There is also the <RSWindowsKerberos> option, but unfortunately it's not supported by browsers.

 

What's even worse, after such an NTLM login SSRS won't try for some period of time to get a Kerberos ticket on behalf of a user - even if the user now logs in using Kerberos, even from another browser or from another station. I guess this is because SSRS launches some session object for the user after successful login, and associates new logins to this session - so until it expires (in ~10 minutes), no delegation would be attempted.

Is there a way to make NTLM logins fail, or at least give the user a warning that he should close his browser, wait for some time and re-login by Kerberos?

0 Replies
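
Under Negotiate the client chooses which mechanism to send, so the Authorization header of a request shows whether a sign-in was Kerberos or the NTLM fallback described in the post. The Python sketch below is an added example, not part of the original post and not SSRS code. It classifies header values (as seen at a proxy or in a trace, which is an assumption) by heuristic byte signatures; the sample tokens and host names are constructed placeholders.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"  # signature at the start of every NTLM message
KRB5_OIDS = (  # DER-encoded mechanism OIDs that mark a Kerberos token
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2 (legacy MS)
)
SPNEGO_HDR = b"\x60\x40\x06\x06\x2b\x06\x01\x05\x05\x02"  # abbreviated wrapper


def classify_authorization(value):
    """Classify an HTTP Authorization header value by the mechanism it carries."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    # NTLM can arrive raw or wrapped in SPNEGO; check it first, because an
    # SPNEGO mechanism list may name Kerberos while the token itself is NTLM.
    if NTLMSSP in token:
        return "ntlm"
    if any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def ntlm_clients(requests):
    """Return the sorted client names whose sign-in fell back to NTLM."""
    return sorted({c for c, v in requests if classify_authorization(v) == "ntlm"})


def negotiate_header(raw):
    """Build a 'Negotiate <base64>' header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample tokens (abbreviated placeholders, not captured traffic).
RAW_NTLM = NTLMSSP + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
WRAPPED_NTLM = SPNEGO_HDR + KRB5_OIDS[0] + RAW_NTLM
KERBEROS = SPNEGO_HDR + KRB5_OIDS[0] + b"\x01\x00" + b"\xaa" * 32
SAMPLE_REQUESTS = [  # (client, Authorization value); host names are hypothetical
    ("ws-01", negotiate_header(RAW_NTLM)),
    ("ws-02", negotiate_header(KERBEROS)),
    ("ws-03", negotiate_header(WRAPPED_NTLM)),
]
```
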