I am a SQL Server developer with some SSRS report development experience. This problem is a bit deep for me. My first question is how I might handle the scenario below. My second is whether I am in the ballpark with my suggestions at the end.
We have a Report Server that uses Windows Authentication. We want to display reports from this server on a server outside of our firewall. A user will log in to the web application on that outside server. When the user requests the report, the request will pass the name of the user to our server (either directly to the Report Server or to another web site within our firewall that has access to the Report Server). We will use that user information to filter the rows that the user can see and, if possible, we want to prevent users from seeing reports they shouldn't see (this may be version 2).
When this is in place, users will only be able to gain access to reports by logging in to our domain or by using the outside server. No other application will be able to access our report from outside of the firewall (unless the user can log in using his/her user name and password).
The data is private and will need to be protected.
How can we do that?
Some thoughts (from the land of enough knowledge to be dangerous):
Provide a Windows User name in our domain. When the user tries to access a report from the outside server, the code will authenticate to the Report Server using the Windows User name that we have provided (and stored in the configuration). I think that we could connect to the report server directly using either the Report Viewer or using the SSRS web service using this method.
A second idea I had was to provision a web server within the network. Its AppDomain would run as a Windows account with access in our Report Server to the reports we need, or we could embed the credentials in the code that returns the report. The code could receive a request with just the name of the report and the appropriate parameters (including the name of the user). The code on this server would then make a web service call to the Report Server. It would then return the results to the user.
My thought was that in this scenario, we would use a certificate. If the caller does not have a certificate that our in-house server recognizes, the request will be refused. I am not sure how one implements that; I seem to recall that was a possible authentication method.
Am I close? Are there pitfalls to be aware of with these ideas?
Russel Loski, MCSE Data Platform/Business Intelligence Twitter: @sqlmovers; blog: www.sqlmovers.com
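An added example, not code from the original post, sketching the second idea above: an in-house ASP.NET Core proxy that requires a client certificate from the outside server and calls the Report Server with a stored Windows account. It assumes the Microsoft.AspNetCore.Authentication.Certificate package, a hypothetical report path /Sales/RegionalSummary, and placeholder configuration keys (AllowedThumbprints, Ssrs:BaseUrl, Ssrs:User, Ssrs:Password, Ssrs:Domain).

```csharp
// Added example, not from the original post. Report path and configuration keys are placeholders.
using System.Net;
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration;

// Mutual TLS: Kestrel refuses any connection that does not present a client certificate.
builder.WebHost.ConfigureKestrel(k => k.ConfigureHttpsDefaults(h =>
    h.ClientCertificateMode = ClientCertificateMode.RequireCertificate));

// Only certificates whose thumbprint is listed in configuration are accepted as callers.
var allowed = cfg.GetSection("AllowedThumbprints").Get<string[]>() ?? Array.Empty<string>();
builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
    .AddCertificate(o => o.Events = new CertificateAuthenticationEvents
    {
        OnCertificateValidated = ctx =>
        {
            if (allowed.Contains(ctx.ClientCertificate.Thumbprint, StringComparer.OrdinalIgnoreCase))
                ctx.Success();
            else
                ctx.Fail("caller certificate is not on the allowlist");
            return Task.CompletedTask;
        }
    });
builder.Services.AddAuthorization();

// Outbound: one HttpClient that authenticates to SSRS with the Windows account kept in configuration,
// so the credentials never leave the internal network.
builder.Services.AddSingleton(new HttpClient(new HttpClientHandler
{
    Credentials = new NetworkCredential(cfg["Ssrs:User"], cfg["Ssrs:Password"], cfg["Ssrs:Domain"])
}));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Callers ask for a short report name; the real path comes from this allowlist, never from the request.
var reports = new Dictionary<string, string> { ["sales"] = "/Sales/RegionalSummary" };

app.MapGet("/report/{name}", async (string name, string user, HttpClient ssrs) =>
{
    if (!reports.TryGetValue(name, out var path)) return Results.NotFound();
    // SSRS URL Access render request; UserName is the report parameter the dataset filters on.
    var url = $"{cfg["Ssrs:BaseUrl"]}?{path}&rs:Command=Render&rs:Format=PDF"
            + $"&UserName={Uri.EscapeDataString(user)}";
    var pdf = await ssrs.GetByteArrayAsync(url);
    return Results.File(pdf, "application/pdf");
}).RequireAuthorization();

app.Run();
```

The proxy necessarily trusts whatever user name the outside site asserts, so the certificate allowlist is what stops anyone else from asserting a name. The report itself must still apply the UserName parameter in its dataset filter, and the short-name allowlist is what keeps callers from rendering reports outside the intended set.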