Last post Apr 17, 2014 10:05 AM by KGN
Aug 20, 2011 09:20 AM|hi_i_am_amit|LINK
We have an issue in our production environment where accessing the web service (ReportExecution2005) fails with with an 401 unauthorized error. If I access the http://<machine-name>/reportserver or http://<machine-name>/reports from a browser which is started
under the same account as the one used to make the above explained web service request, I am able to view the reportserver/reports pages.
On enabling the report server verbose and http logs, we see the below message in the report server log file
http!rshost !d6c!<date-time>:: v VERBOSE: Authentication failed with error state:
I was not able to find any detailed information about this error state.
Since SQL Server 2008 r2 uses httpsys operating system component for authentication, we enabled error logging for httpsys but surprising there were no log statements logging in the error file when we get this error. Does this mean the error occurs before
httpsys component is called?
Any inputs on this issue would be appreciated. Thank you.
Aug 20, 2011 10:17 AM|princeG|LINK
Please check here:
Aug 21, 2011 08:06 AM|hi_i_am_amit|LINK
Thanks for the reply. I had a look at each of the links which you shared and below are some conclusions
1. http://social.msdn.microsoft.com/Forums/en/sqlreportingservices/thread/c1b0f0a1-f2eb-4ef8-96f4-89f9bf5a54d2 - This link details about
a double hop issue which doesn't sound to be the case with me since the web service request fails even if it's executed on the sql server machine itself. Also the other fact is that browser request works.
2. http://msdn.microsoft.com/en-us/library/cc281309(v=sql.100).aspx - This link explains setting up Basic Authentication instead of using NTLM which looks like a security risk
and also would not help in understanding the root cause too right?
3. http://stackoverflow.com/questions/3809051/reporting-services-2008-http-status-401-unauthorized-issue - This link details about the "loopback
check" issue which doesn't seem to be the case with me since the web service request doesn't succeed on any machine. Loopback check issue mentions about the web service request failing
ONLY on the same machine as the ssrs server.
4. http://social.msdn.microsoft.com/Forums/en-US/sqlreportingservices/thread/bfae5c0c-40b2-4321-a59d-5ea3d2933f54 - This link also
details on enabling BASIC authentication instead of NTLM.
5. http://social.msdn.microsoft.com/Forums/en/sqlreportingservices/thread/9b2b96ac-b230-4a2e-a82d-596113688dad - This link didn't have
On futher troubleshooting the issue I enabled the netlogon service logs and found the below log statement
[CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
This indicates that an incorrect username or password is passed to the domain controller for authentication. I noticed a difference between the IP addresses of the sql server machine and the domain controller. The sql server machine has an IP address format
as 151.149.x.x and the domain controller has an ip address format -
148.162.x.x. Do you think this could cause an issue? If so, how should I troubleshoot the issue further.
Your suggestions on this topic are truely appreciated. Thank you
Aug 27, 2011 01:59 PM|hi_i_am_amit|LINK
On further troubleshooting, I realized that the NTLM protocol implementation used for authentication did not add the NTLM Response (or NTLM Hash) in the Type 3 message.
If the hash is computed, the authentication succeeds.
What configuration setting controls whether an emtpy NTLM hash is accepted or not?
Aug 31, 2011 10:03 AM|hi_i_am_amit|LINK
I found the root cause of the issue. The root cause was that the server and domain had NoLMHashPolicy configured. This meant that windows would not store the LM hash value of the password. Since the NTLM protocol implementation we computed only the LM hash
value and the NT Hash, the authentication failed.
The fix involves modifying the protocol implementation to compute the NT Response Hash before sending the Type3 message to the server.
Thanks for the help.
Apr 04, 2014 07:37 AM|sandeepsharma264|LINK
You have to set Network Credentials for access network Reporting Services.
Apr 17, 2014 10:05 AM|KGN|LINK
I am facing the similar issue. The reports are supposed to be run from the service account specified in webconfig file. But the application is unable to launch the reports and throws the 101 error. Authentication in th rsreportserver config file is RSWindowsNTLM.