Reporting Service 配置Service Account

1,Service Account

SSRS以一个Service方式实现,有三部分组成:Web Service,Report Manager和一个后台的进程,这个Service运行的账号就是Service Account。虽然Report Server Web service and Report Manager都是Asp.net应用程序,但是他们并不运行在Asp.net应用程序的 Account(在 Application Pool 中配置 Identity)下,Report Server Web service and Report Manager 使用的都是Service Account,并且拥有相同的Process Identity。

Reporting Services is implemented as a single service that contains a Report Server Web service, Report Manager, and a background processing application that is used for scheduled report processing and subscription delivery.

In a Reporting Services installation, the Report Server Web service, Report Manager, and the background processing application run within a single service. The account under which the service runs is defined during Setup when you specify the account in the Service Identity page, but you can use the Reporting Services Configuration tool if you want use a different account or update the password.

Use the Service Account page to specify the account under which the Report Server service runs. This account is initially configured during Setup. You can modify it if you want to change the account or password. The Report Server Web service, Report Manager, and the background processing application all run under the service identity you specify on this page.

The Report Server service account is defined during Setup. You can run the service under a domain user account or a built-in such as NetworkService account. There is no default account; whatever account you specify in the Server Configuration - Service Accounts page of the Installation Wizard becomes the initial account of the Report Server service.


                                                                      Important


Although the Report Server Web   service and Report Manager are ASP.NET applications, they do not run under   the ASP.NET account. The single service architecture runs both ASP.NET   applications within the same Report Server process identity. This is an   important change from previous releases, where both the Report Server Web   service and Report Manager ran under the ASP.NET worker process identity   specified in IIS.

在IIS的 Application Pool 中配置 Identity,即Web application运行的account。

2,Service Account的作用和权限

Service Account必须能够访问和注册Report Server Database。

The account you specify for the Report Server service requires permission to access the registry, report server program files, and the report server database. All permissions are configured for the account automatically when you use the Reporting Services Configuration Manager to set the account. If you use the service account to connect to the report server database, the Configuration Manager creates a database login for the account and configures database permissions by assigning the account to the RSExecRole on the SQL Server instance that hosts the report server database. The report server database is the only data store that a report server writes to. The service account does not require permissions to any other data stores.

3,Change Service Account

推荐使用Reporting Services Configuration Manager修改Service Account。

Whenever you need to update the account or password, it is strongly recommended that you use the Reporting Services Configuration Manager. Using the Configuration Manager to update the account ensures that other internal settings that depend on the service identity are automatically updated at the same time.

Use a built-in account

Select Network Service, Local System, or Local Service from the list. Only Network Service is recommended; however, you can configure the account to use any account that is available.

Use another account

Select this option to specify a Windows user account. You can enter a local Windows user account or domain user account. Specify a domain account in this format: <domain>\<user>. Specify a local Windows user account in this format: <computer name>\<user>. You can only select an existing account; you cannot create new accounts in Reporting Services Configuration.

The maximum character limit on the account is 20 characters.

If your network uses Kerberos authentication and you configure the report server to run under a domain user account, you must register the service with the user account. For more information, see Register a Service Principal Name (SPN) for a Report Server.

4,切换账号时,必须备份encryption key,并指定加锁和解锁的密码。

If you switch the account type (for example, replacing one Windows account with another or replacing a built-in account with a Windows domain account), you will be prompted to create a backup copy of the encryption key. The backup copy will be restored automatically when you select the new account.



     Note


The Reporting Services Configuration manager prompts you   to back up and restore the encryption key whenever you modify the service   account. These steps are necessary for ensuring that encrypted data remains   available to the report server. For more information about these actions, see   Encryption   Keys (SSRS Native Mode).

Additionally, if you have a report server that is configured to run in SharePoint Integrated mode and you change the service account by using the Reporting Services Configuration Manager, you must also open SharePoint Central Administration and use the Reporting Services Grant Database Access page to re-apply the report server and instance settings. This step will grant the new service account access to the SharePoint databases, which is required for integrating Reporting Services with a SharePoint product or technology. For more information about how to grant database access in SharePoint Central Administration, see Configuration and Administration of a Report Server (Reporting Services SharePoint Mode) and Reporting Services SharePoint Mode Installation (SharePoint 2010 and SharePoint 2013).

5,Choosing an Account

For best results, specify an account that has network connection permissions, with access to network domain controllers and corporate SMTP servers or gateways. The following table summarizes the accounts and provides recommendations for using them.


Account


Explanation


Domain user accounts


If you have a Windows domain user account that has the   minimum permissions required for report server operations, you should use it.

A domain user account is recommended because it isolates   the Report Server service from other applications. Running multiple   applications under a shared account, such as Network Service, increases the   risk of a malicious user taking control of the report server because a security   breach for any one application can easily extend to all applications that run   under the same account.

A domain user account is required if you are configuring   the report server for constrained delegation, or for SharePoint integrated   mode with SharePoint 2010 Products which require domain user accounts rather   than built-in machine accounts.

Note that if you use a domain user account, you will have   to change the password periodically if your organization enforces a password   expiration policy. You might also need to register the service with the user   account. For more information, see Register a   Service Principal Name (SPN) for a Report Server.

Avoid using a local Windows user account. Local accounts   typically do not have sufficient permission to access resources on other   computers. For more information about how using a local account limits report   server functionality, see Considerations   for Using Local Accounts in this topic.


Network Service


Network Service is a built-in least-privilege account that   has network logon permissions. This account is recommended if you do not have   a domain user account available or if you want to avoid any service   disruptions that might occur as a result of password expiration policies.

If you select Network Service, try to minimize the number   of other services that run under the same account. A security breach for any   one application will compromise the security of all other applications that   run under the same account.


Local Service


Local Service is a built-in account that is like an   authenticated local Windows user account. Services that run as the Local   Service account access network resources as a null session with no   credentials. This account is not appropriate for intranet deployment   scenarios where the report server must connect to a remote report server   database or a network domain controller to authenticate a user prior to   opening a report or processing a subscription.


Local System


Local System is a highly privileged account that is not   required for running a report server. Avoid this account for report server   installations. Choose a domain account or Network Service instead.

6,Considerations for Using Local Accounts

The primary consideration for using local accounts is whether the report server requires access to remote database servers, mail servers, and domain controllers. If you configure the report server to run as a local Windows user account, Local Service, or Local System, you introduce considerations that must be factored into how you set other configuration settings, and on subscription creation and delivery:

  • Running the service under a local      account will limit your options later if you configure a connection to a      remote report server database. Specifically, if you are using a remote      report server database, you will have to configure the connection to use a      domain user account or SQL Server database user that has permission to log      on to the remote SQL Server instance.
  • Running the service under a local      account will introduce new requirements on subscription creation. The      report server stores information about the user who creates the      subscription. If the user creates the subscription while logged on under a      domain account, the Report Server service will try to connect to a domain      controller to authenticate the user when the subscription is processed. If      the service runs under a local account, the authentication request will      fail when the report server tries to send the request to a remote domain      controller. To work around this limitation, you can use a custom      forms-based authentication extension or have all users connect to a report      server under a local user account.
  • Running the service under a local      account will introduce new requirements for subscription delivery. Some      delivery extensions have user account information in the subscription      definition. If you are sending reports to e-mail addresses that are based      on domain user accounts and you run the Report Server service under a      local account, it cannot access a remote domain controller to resolve the      target e-mail account.
  • Built-in Windows service accounts      (Local Service or Network Service) are not supported as report server      service accounts on a computer that is a domain controller.
时间: 2024-10-29 04:16:04

Reporting Service 配置Service Account的相关文章

用srvctl命令配置service

.用srvctl命令配置service 除了用DBCA图形方式,还能够使用命令方式配置service,这样的方法对于维护远程尤事实上用.不管是创建还是维护都是用一个命令srvctl,先看一下srvctl命令和service相关的语法.例如以下: 创建service [[email protected] ~]$ srvctl add service -h Usage: srvctl add service -d <name> -s<service_name> -r "<

webservices系列(五)——javaweb整合Axis2及多service配置

1.新建一个项目动态web项目webservice_test3. 2.打开<Tomcat安装目录>webapps/axis2/WEB-INF,将lib.conf.modules三个文件夹复制,并粘贴到webservice_test3项目下的WEB-INF文件夹下. 3.新建service配置文件,在webservice_test3项目下的WEB-INF文件夹创建services文件夹,在其下新建myservice文件夹(名字可随意),再myservice文件夹下新建META-INF文件夹,再在

Sharepoint2013商务智能学习笔记之Performancepoint service 配置(九)

1)配置Performance Service服务 第一步,新建performance service.先在管理中心,系统设置区域点击管理服务器上的服务,确认Performance Service服务在需要承载的服务器上启动了.然后在管理中心,应用程序管理区域,点击管理服务器应用程序,新建Performancepoint Service 第二步,设置Performancepoint service无人值守账号 performancepoint service新建完成之后,在应用程序列表点击进入

Windows Azure Cloud Service (36) 在Azure Cloud Service配置SSL证书

<Windows Azure Platform 系列文章目录> 在某些时候,我们需要在Azure PaaS Cloud Service配置HTTPS连接.本章将介绍如何在本地创建证书,然后使用HTTPS连接Azure Cloud Service. 1.创建证书 以管理员身份运行CMD,使用Makecert命令,安装Azure证书.具体的命令如下: makecert -sky exchange -r -n "CN=<CertificateName>" -pe -a

Reporting Services 配置工具

使用 Reporting Services 配置管理器可配置 Reporting Services 安装.如果使用“仅文件”选项安装报表服务器,则必须使用此工具来配置服务器,才能使用该服务器.如果使用默认配置安装选项安装了报表服务器,则可以使用此工具来验证或修改在安装过程中指定的设置.Reporting Services 配置管理器可以用来配置本地或远程报表服务器实例.可以使用 Reporting Services 配置管理器执行下列任务: 配置报表服务器服务帐户.此帐户最初是在安装过程中配置的

【Android开发日记】初次探秘Android Service!Service开机启动+重力感应+弹窗+保持运行

前言: 最近在写一个小程序,需求是手机摇一摇就弹窗出来.第一次使用了Service,学习了两天,实现了Service弹窗,开机启动,Activity启动和销毁.满足了自己的需求.现记录学习心得.希望能给你带来一些帮助. 1.Service创建:重写4个方法 onBind():返回一个IBinder对象,这个对象可以使应用程序与Service通信.如果用startService.stopService启动和关闭Service的话,Service和访问者是无法通信交换数据的.onBind()返回值设

Android学习笔记二十六.跨进程调用Service(AIDL Service)

跨进程调用Service(AIDL Service) 一.AIDL Service 1.什么是AIDL Service? AIDL,即Android Interface Definition Language.是Android用于定义远程接口,AIDL接口定义语言的语法比较简单,这种接口定义语言并不是真正的编程语言,它只是定义两个进程之间的通信接口.AIDL的语法与Java接口很相似,但存在如下几点差异: (1)AIDL定义接口的源代码必须以.aidl结尾; (2)AIDL接口中用到数据类型,除

【Android开发日记】第一个任务Android Service!Service靴+重力感应器+弹出窗口+保持执行

前言: 近期在写一个小程序,需求是手机摇一摇就弹窗出来.第一次使用了Service,学习了两天,实现了Service弹窗,开机启动,Service启动和销毁,Service保持一直执行. 满足了自己的需求.现记录学习心得. 希望能给你带来一些帮助. 1.Service创建:重写4个方法 onBind():返回一个IBinder对象,这个对象能够使应用程序与Service通信.假设用startService.stopService启动和关闭Service的话.Service和訪问者是无法通信交换数

Android 回顾Service之Service基础使用

这两天在回顾Android Service方面的知识,趁着记忆没有消退之前,来总结一下.本文主要讲解Service的基本概念与使用.跨进程调用Service.系统常见Service的使用.所以本文的难度微乎其微,仅适用于想回顾Service知识点的同学,或者还不怎么了解Service的同学,至于Service源码之类的东东,等老夫分析研究之后再来分享. 一.Service基础 我相信只要接触过Android开发的人,都或多或少的了解过Service.Service是什么呢?Service是And