Kerberos Delegation for Clients Ouside the Firewall

Question

I am trying to run a SQL Server Reporting Services where the data for the report is on a SQL Server database that's on a different server. Integrated Authentication is turned on for both the Report Server and the report. I have confirmed that Kerberos delegation is working fine by using Internet Explorer to run the report from inside the network.

However, when I open the report server through the firewall, I cannot run the report. I get the following error: An error has occurred during report processing. Cannot create a connection to data source 'frattoxppro2'. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.

Does Kerberos authentication not work outside a firewall?

Answer 1

I'm not really in a position to tell you why kerberos isn't working for you, but did have a alternative suggestion for your configuration. You can use ISA services to expose the reporting server rather than simply poking a hole in your firewall. This is something our company has done successfully - it republishes the reporting services site so the browsers are talking to ISA, not directly to the server. ISA Services is quite happy to pass through your credentials as well.

Answer 2

Kerberos requires a port 88 connection to the KDC, in this case, most likely your DC.

What you probably want to look at is HTTPS + Basic Authentication + Protocol Transition to take the Basic Authentication and translate it into a DC based Kerberos Ticket for delegation and back end authentication.

• Protocol Transition with Constrained Delegation Technical Supplement

• How To: Use Protocol Transition and Constrained Delegation in ASP.NET

Not exactly the easiest to set up, but when its working, it works amazingly well.