We have a large group of users that need read access to a certain report folder. We have added the active directory group to the permissions for the entire folder, and all the reports inherit the folder's permissions.
About 75% of the people in the group CAN access the reports just fine. About 25 people cannot - they get the typical"The permissions granted to user 'DOMAIN\user' are insufficient for performing this operation."
Could someone point me in the right direction for debugging this problem? Is this a bug in Microsoft, or is this a "common" configuration problem where I can look at a couple of logs and change a couple of settings?
Any tips would be greatly appreciated
Sue
HiSue,
Do you use xp system? If so, you have to use impersonation, while on IIS6
and above you can use a domain account for the AppPool.
#Understanding ASP.NET Impersonation Security - Rick Strahl's Web Log
http://west-wind.com/weblog/posts/2153.aspx
Hope this helps.
Rex:
Thank you for the tip. I do use IIS6, and the Reports Server web site, installed by the Reporting Services installer, already uses Impersonation.
Itried to change my application pool identity to a network service account, and it comes back saying I can't even browse the site, due to "Service Unavailable". The event logs seem to indicate that that service account doesn't have some security policy rights on the system, but I tried adding that account to "Log on Locally", "Log on as Service" and "Log on from Network" and none of that works.
We have also discovered that the domain group account that we added for security is listed in Active Directory as a "Distribution" type group and not a "Security" type group. I don't know if this makes a difference, but I'm going to see if we have a security group for these people.
Thanks
Sue
No comments:
Post a Comment