I have a PerformancePoint dashboard running in MOSS 2007 portal. The dashboard consists of one SSRS 2005 report, running in SharePoint Integrated mode.

NT Authority\Authenticated Users have read permissions to the report library containing the SSRS report, the dashboard, and the report library containing the dashboard.

Users that attempt to access the dashboard receive the following error message:

The permissions granted to user 'DOMAIN\firstname.lastname' are insufficient for performing this operation. (rsAccessDenied)

Users that then click on the direct link to the report in MOSS will see the report with no problem. Subsequent visits to the dashboard show the report with no problem.

The report is using a data source that is located one folder up from the report location. The report has been updated to point to the correct shared data source after deployment. Both the report and the data source have been published. The data source is using stored credentials, with a domain service account that has been set to Use as Windows credentials. This service account is serving other reports in other areas with no problem.


Edit:
Ok, I've gotten a lot more information on this problem. The request is never actually being made to the data source. The user comes in to the dashboard and requests a report for the first time using their Kerberos token identifying themselves. The report looks in the Report Server database and finds that they are not listed in the users table and generates this rsAccessDenied error. Once they view the report directly their name is in this table and they never have the problem again.

Unfortunately, removing the user from the Users table in the RS database doesn't actually cause this error to happen again.

Everything I've read says that when you run a Report Server in MOSS integrated mode all your permissions are handled at the MOSS report library level, and all Auth users have permissions to the report library, as stated earlier. Any ideas?

+1  A: 

It sounds like the dashboard page is not passing credentials to the report server, because you stated that if the user hits the report directly it works, and then if they go through the dashboard it works. So does it stop working after a certain period, indicating a cached session?

I would look carefully at the properties on the dashboard in PerformancePoint to see if it is passing credentials or trying to use anonymous. I hope this isn't a case of double hop and Kerberos :(

Brian Bedard
It never "stops working" - it never works the very first time the user tries it, but always works after the user accesses the report directly.
Nathan DeWitt
A: 

I implemented a work-around:

  • created a fake report
  • on the page with my report, created a content editor web part consisting of the following: <iframe style="display:none;" src="https://link/to/my/report.rdl"></iframe>
  • I tested with another user that was experiencing the error, and they are no longer experiencing the error with my new and improved page.

I know this is kludgy, and might even be dependent on the loading order of the page. Therefore, I would really like to find out what's causing this issue so I can fix it for good.

Edit:
I don't want to accept my own answer, since it's just a work-around. If anyone can post anything relevant to the user name placed into the Report Server DB and how that relates to SharePoint Integrated mode, you'll get the bounty.

Nathan DeWitt
A: 

Hi Nathan,

I'm not sure if this is actually the same issue, but you could double check that the data sources are set to "Approved", not "Pending". It's a stretch, but it's worth a shot.

Chaulky
Data sources are Approved and Published.
Nathan DeWitt