Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
SQL Server 2016 Reporting Services Cookbook

You're reading from   SQL Server 2016 Reporting Services Cookbook Your one-stop guide to operational reporting and mobile dashboards using SSRS 2016

Arrow left icon
Product type Paperback
Published in Nov 2016
Publisher Packt
ISBN-13 9781786461810
Length 596 pages
Edition 1st Edition
Languages
Arrow right icon
Authors (2):
Arrow left icon
Robert Cain Robert Cain
Author Profile Icon Robert Cain
Robert Cain
Dinesh Priyankara Dinesh Priyankara
Author Profile Icon Dinesh Priyankara
Dinesh Priyankara
Arrow right icon
View More author details
Toc

Table of Contents (13) Chapters Close

Preface 1. Getting It Ready – Configuring Reporting Services 2. Authoring Reports with SQL Server Data Tools FREE CHAPTER 3. Advanced Report Authoring with SQL Server Data Tools 4. Authoring Reports with Report Builder 5. Improving User Experience – New Designing and Visualization Enhancements 6. Authoring Reports with the Mobile Report Publisher 7. Consuming Reports – Report Access Enhancement 8. Reporting Solutions for BI – Integration 9. SharePoint Integration 10. Administering and Managing Reporting Services 11. Securing Reports in Reporting Services 12. Custom Programming and Integration to .NET Applications

Configuring the service account of Reporting Services

The service account for Reporting Services is assigned during the installation, it is configured to run the Reporting Services service within the context of a specific Windows account. Installation allows you to select a local account, domain user account, or built-in account for the service. Once set, the installation makes sure that the account has the required permissions to access resources and run processes related to Reporting Services by adding the account to relevant security groups.

If you need to view or reconfigure the assigned account, Microsoft recommends that you use Reporting Services Configuration Manager without using Services Desktop Application. You might change the assigned account to a new account, or you might change the password set for the account if it has been changed at the Windows level. If you use Services Desktop Application to manage the service account, the additional settings that are linked with the assigned account will not be automatically changed. Specifically, it will not be added to relevant security groups. But Reporting Services Configuration Manager makes sure that all required settings are updated accordingly when a change is applied to the assigned account.

Getting ready

You can see the current assigned account using Reporting Services Configuration Manager. Once connected to the instance, you can click on the Service Account page to see the current account set or to set a new account for the service:

Getting ready

Figure 1.09

As you can see, there are two options for setting it. You can either select a built-in account or a user-defined (local or domain) account. If you have accepted the default during account selection, you should see the selected account as Virtual Service Account.

When selecting an account, either during installation or later using Configuration Manager, it is important to remember that the account you select has no excessive privileges. Not only that, but also you must make sure that it is a dedicated account for Reporting Services.

There are different types of account that you can select for Reporting Services:

  • Local system account: This account is a highly privileged account that should not be selected (or required) for Reporting Services. Generally, we should avoid highly privileged accounts for SQL Server services.
  • Network service account: This account has fewer privileges compared to the Local System account but has network log-on permissions. Therefore, it is not a bad practice to select this account as the Reporting Services service account. However, since this account is used by many applications, it might introduce a security threat, so it is better to avoid this account type as well.
  • Virtual service account: Virtual Service account was introduced with Windows Server 2008 R2, and SQL Server started supporting it from SQL Server 2012. It is simply a virtualized account based on a Network Service account but with its unique identifier. It is a local account, and you do not need to create or configure it. For SQL Server services, virtual accounts are automatically created during installation. Since it is a managed account, you do not need to worry about policies or password expiry issues, and this account type is recommended if you do not have a domain user account configured.
  • Local service account: This is a local account that is similar to an authenticated Windows user account in a local users group. This account accesses resources as a null session or without credentials. Therefore, this will not work as expected when report server needs to access external resources such as a remote database.
  • Local user account: There is a local, least-privileged Windows account configured for Reporting Services. This is recommended when Reporting Services is installed in a non-domain environment.
  • Domain user account: A least-privileged Windows domain account configured for Reporting Services. This is recommended when Reporting Services is installed in a domain environment.
  • Managed service account: This account is similar to a Virtual Service account, but this is a type of domain account. It is more secure than a domain user account and, unlike the Virtual service account, it needs to be created and configured by a domain administrator before it can be used.

How to do it...

In order to manage the assigned account, follow these steps:

  1. Start the Reporting Services Configuration Manager as shown in the preceding image.
  2. Make the necessary changes to the Report Server service account and click on Apply. You may change the account from Virtual service to Network service account for testing.
  3. The Apply button opens the SQL Server Connection Dialog window. It requires an account that has administrative privileges for applying grant rights script to a newly selected service account. If you have administrative permissions, select Current User - Integrated Security, or supply SQL Server credentials by selecting SQL Server Account:

    How to do it...

    Figure 1.10

  4. Click on OK to save the changes. Once completed, verify the messages in the results shown in the next image and see whether everything is successfully completed:

    How to do it...

    Figure 1.11

How it works...

Reporting Services Configuration Manager performs a few operations to apply your changes successfully:

  • A newly configured account is added to the report server group created on the local server.
  • The account is added to the necessary security roles in the SQL Server database engine instance that hosts the report server database, only if the connection configured to the report server database is set to service account. This account is not just a part of report server database; it gets added to the Master, Msdb, ReportServer, and ReportServerTempDB databases under different roles:
    • Master database: This account is added to RSExecRole
    • Msdb database: This account is added to RSExecRole, SQLAgentOperatorRole, SQLAgentReaderRole, and SQLAgentUserRole
    • ReportServer database: This account is added to db_owner and RSExecRole
    • ReportServerTempDB database: This account is added to db_owner and RSExecRole

  • The encryption key is updated, including the profile information of the account.

There's more...

Note that if you add a new service account to Reporting Services, the old account will not be removed from the database instance. See the next screenshot. It shows both accounts under the Users node; NT AUTHORITY\NETWORK SERVICE is the new account and NT SERVICE\ReportServer$SQL2016_M is the old account. Therefore, it should be manually removed if it is not required by the database engine:

There's more...

Figure 1.12

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image