Reporting Service: Configuring the Service Account

1. Service Account

SSRS is implemented as a single service made up of three parts: the Web service, Report Manager, and a background process. The account this service runs under is the Service Account. Although the Report Server Web service and Report Manager are both ASP.NET applications, they do not run under the ASP.NET application account (the Identity configured on the Application Pool). Both use the Service Account and share the same process identity.

Reporting Services is implemented as a single service that contains a Report Server Web service, Report Manager, and a background processing application that is used for scheduled report processing and subscription delivery.

In a Reporting Services installation, the Report Server Web service, Report Manager, and the background processing application run within a single service. The account under which the service runs is defined during Setup when you specify the account in the Service Identity page, but you can use the Reporting Services Configuration tool if you want to use a different account or update the password.

Use the Service Account page to specify the account under which the Report Server service runs. This account is initially configured during Setup. You can modify it if you want to change the account or password. The Report Server Web service, Report Manager, and the background processing application all run under the service identity you specify on this page.

The Report Server service account is defined during Setup. You can run the service under a domain user account or a built-in account such as NetworkService. There is no default account; whatever account you specify in the Server Configuration - Service Accounts page of the Installation Wizard becomes the initial account of the Report Server service.


Important

Although the Report Server Web service and Report Manager are ASP.NET applications, they do not run under the ASP.NET account. The single service architecture runs both ASP.NET applications within the same Report Server process identity. This is an important change from previous releases, where both the Report Server Web service and Report Manager ran under the ASP.NET worker process identity specified in IIS.

In IIS, the Identity configured on the Application Pool is the account that the web application runs under.

2. Role and Permissions of the Service Account

The Service Account must be able to access and register with the Report Server database.

The account you specify for the Report Server service requires permission to access the registry, report server program files, and the report server database. All permissions are configured for the account automatically when you use the Reporting Services Configuration Manager to set the account. If you use the service account to connect to the report server database, the Configuration Manager creates a database login for the account and configures database permissions by assigning the account to the RSExecRole on the SQL Server instance that hosts the report server database. The report server database is the only data store that a report server writes to. The service account does not require permissions to any other data stores.

3. Change Service Account

Using the Reporting Services Configuration Manager to change the Service Account is recommended.

Whenever you need to update the account or password, it is strongly recommended that you use the Reporting Services Configuration Manager. Using the Configuration Manager to update the account ensures that other internal settings that depend on the service identity are automatically updated at the same time.

Use a built-in account

Select Network Service, Local System, or Local Service from the list. Only Network Service is recommended; however, you can configure the account to use any account that is available.

Use another account

Select this option to specify a Windows user account. You can enter a local Windows user account or domain user account. Specify a domain account in this format: <domain>\<user>. Specify a local Windows user account in this format: <computer name>\<user>. You can only select an existing account; you cannot create new accounts in Reporting Services Configuration.

The maximum character limit on the account is 20 characters.

If your network uses Kerberos authentication and you configure the report server to run under a domain user account, you must register the service with the user account. For more information, see Register a Service Principal Name (SPN) for a Report Server.

4. When switching accounts, you must back up the encryption key and specify a password for locking and unlocking it.

If you switch the account type (for example, replacing one Windows account with another or replacing a built-in account with a Windows domain account), you will be prompted to create a backup copy of the encryption key. The backup copy will be restored automatically when you select the new account.



Note

The Reporting Services Configuration Manager prompts you to back up and restore the encryption key whenever you modify the service account. These steps are necessary for ensuring that encrypted data remains available to the report server. For more information about these actions, see Encryption Keys (SSRS Native Mode).

Additionally, if you have a report server that is configured to run in SharePoint Integrated mode and you change the service account by using the Reporting Services Configuration Manager, you must also open SharePoint Central Administration and use the Reporting Services Grant Database Access page to re-apply the report server and instance settings. This step will grant the new service account access to the SharePoint databases, which is required for integrating Reporting Services with a SharePoint product or technology. For more information about how to grant database access in SharePoint Central Administration, see Configuration and Administration of a Report Server (Reporting Services SharePoint Mode) and Reporting Services SharePoint Mode Installation (SharePoint 2010 and SharePoint 2013).

5. Choosing an Account

For best results, specify an account that has network connection permissions, with access to network domain controllers and corporate SMTP servers or gateways. The following table summarizes the accounts and provides recommendations for using them.


Account | Explanation

Domain user accounts

If you have a Windows domain user account that has the minimum permissions required for report server operations, you should use it.

A domain user account is recommended because it isolates the Report Server service from other applications. Running multiple applications under a shared account, such as Network Service, increases the risk of a malicious user taking control of the report server because a security breach for any one application can easily extend to all applications that run under the same account.

A domain user account is required if you are configuring the report server for constrained delegation, or for SharePoint integrated mode with SharePoint 2010 Products which require domain user accounts rather than built-in machine accounts.

Note that if you use a domain user account, you will have to change the password periodically if your organization enforces a password expiration policy. You might also need to register the service with the user account. For more information, see Register a Service Principal Name (SPN) for a Report Server.

Avoid using a local Windows user account. Local accounts typically do not have sufficient permission to access resources on other computers. For more information about how using a local account limits report server functionality, see Considerations for Using Local Accounts in this topic.

Network Service

Network Service is a built-in least-privilege account that has network logon permissions. This account is recommended if you do not have a domain user account available or if you want to avoid any service disruptions that might occur as a result of password expiration policies.

If you select Network Service, try to minimize the number of other services that run under the same account. A security breach for any one application will compromise the security of all other applications that run under the same account.

Local Service

Local Service is a built-in account that is like an authenticated local Windows user account. Services that run as the Local Service account access network resources as a null session with no credentials. This account is not appropriate for intranet deployment scenarios where the report server must connect to a remote report server database or a network domain controller to authenticate a user prior to opening a report or processing a subscription.

Local System

Local System is a highly privileged account that is not required for running a report server. Avoid this account for report server installations. Choose a domain account or Network Service instead.

6. Considerations for Using Local Accounts

The primary consideration for using local accounts is whether the report server requires access to remote database servers, mail servers, and domain controllers. If you configure the report server to run as a local Windows user account, Local Service, or Local System, you introduce considerations that must be factored into how you set other configuration settings, and on subscription creation and delivery:

  • Running the service under a local account will limit your options later if you configure a connection to a remote report server database. Specifically, if you are using a remote report server database, you will have to configure the connection to use a domain user account or SQL Server database user that has permission to log on to the remote SQL Server instance.
  • Running the service under a local account will introduce new requirements on subscription creation. The report server stores information about the user who creates the subscription. If the user creates the subscription while logged on under a domain account, the Report Server service will try to connect to a domain controller to authenticate the user when the subscription is processed. If the service runs under a local account, the authentication request will fail when the report server tries to send the request to a remote domain controller. To work around this limitation, you can use a custom forms-based authentication extension or have all users connect to a report server under a local user account.
  • Running the service under a local account will introduce new requirements for subscription delivery. Some delivery extensions have user account information in the subscription definition. If you are sending reports to e-mail addresses that are based on domain user accounts and you run the Report Server service under a local account, it cannot access a remote domain controller to resolve the target e-mail account.
  • Built-in Windows service accounts (Local Service or Network Service) are not supported as report server service accounts on a computer that is a domain controller.
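
The account guidance in sections 5 and 6 can be checked on a running server. The following PowerShell is an added example, not part of the original article or of Microsoft's documentation: it reports which identity the Report Server service uses, classifies it, and flags the conditions described above. The service-name pattern and the extra "VirtualAccount" category (NT SERVICE\ accounts, which the article does not cover) are assumptions.

```powershell
# Added example: audit the identity of the Report Server service.
# Assumption: the service is named ReportServer, ReportServer$<instance> or
# SQLServerReportingServices; adjust $namePattern for your installation.
$namePattern = '^(ReportServer(\$.+)?|SQLServerReportingServices)$'

function Get-AccountKind {
    param([string]$StartName, [string]$ComputerName)
    switch -Regex ($StartName) {
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'      { return 'LocalSystem' }
        '^NT AUTHORITY\\Local ?Service$'            { return 'LocalService' }
        '^NT AUTHORITY\\Network ?Service$'          { return 'NetworkService' }
        '^NT SERVICE\\'                             { return 'VirtualAccount' }
        "^(\.|$([regex]::Escape($ComputerName)))\\" { return 'LocalUser' }
        default                                     { return 'DomainUser' }
    }
}

$computer = $env:COMPUTERNAME
# DomainRole 4 and 5 mean backup and primary domain controller.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$all  = Get-CimInstance Win32_Service
$rs   = $all | Where-Object { $_.Name -match $namePattern }

foreach ($svc in $rs) {
    $kind = Get-AccountKind -StartName $svc.StartName -ComputerName $computer
    # Other services under the same identity share the impact of one breach.
    $shared = @($all | Where-Object {
        $_.StartName -eq $svc.StartName -and $_.Name -ne $svc.Name })
    $findings = @()
    switch ($kind) {
        'LocalSystem'  { $findings += 'Highly privileged; not required for a report server' }
        'LocalService' { $findings += 'Null session on the network; no remote database or DC access' }
        'LocalUser'    { $findings += 'Local account; limited access to resources on other computers' }
    }
    if ($isDC -and ($kind -in 'LocalService', 'NetworkService')) {
        $findings += 'Built-in service accounts are not supported on a domain controller'
    }
    if (($kind -in 'NetworkService', 'DomainUser') -and $shared.Count -gt 0) {
        $findings += "Identity shared with $($shared.Count) other service(s)"
    }
    [pscustomobject]@{
        Service  = $svc.Name
        Account  = $svc.StartName
        Kind     = $kind
        SharedBy = $shared.Name -join ', '
        Findings = $findings -join '; '
    }
}
```

Run it in an elevated session on the report server; an empty Findings column for a DomainUser or NetworkService identity with no entries in SharedBy matches the recommendation in section 5.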
Time: 2024-08-29 07:30:02
