AssetWise Implementation Guide

Configuring SQL Server Reporting Services 2019 for Bentley IMS Authentication

Note: You can skip this section if you plan to use eB Internal or Windows authentication to run SSRS reports.

If you plan to run reports in SQL Server Reporting Services using Bentley IMS credentials, then you first need to configure SQL Server Reporting Services so that it can authenticate requests from Bentley IMS users.

Note: Instead of making manual configuration file changes, Bentley encourages you to use PowerShell automation scripts. Contact Bentley Technical Support for more information.

Modify the Report Server's web.config File

  1. Open the Report Server's web.config file in a text editor.

    The file is located by default in the following folder:

    C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\web.config

  2. Within the <system.web> element, add the following <authentication>, <authorization>, and <identity> elements, as shown below:
    <configuration>
        ...
        <system.web>
          ...
          <authentication mode="Forms" >
             <forms name="FormsAuthCookie" loginUrl="Login.aspx" path="/" />
          </authentication>
          ...
          <authorization>
             <deny users="?" />
          </authorization>
          ...
          <identity impersonate="false" />
        ...
        </system.web>
        ...
    </configuration>
  3. Within the <appSettings> element, add the following IMS session settings, as shown below:

    <configuration>
        ...
        <appSettings>
            <add key="Bentley.eB.ImsIssuerName" value="https://imsoidc.bentley.com" />
            <add key="Bentley.eB.ImsUri" value="https://session.xxxx.bentley.com" />
            <add key="Bentley.eB.ImsPatLabel" value="session" />
            <add key="Bentley.eB.ImsClaimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" />
        </appSettings>
        ...
    </configuration>
    

    Where:

    Bentley.eB.ImsIssuerName – Specifies the location of the session service token provider.

    Bentley.eB.ImsUri – Specifies the location of the session service. The session service must be configured to allow authentication requests from the SSRS report server URL.

    Bentley.eB.ImsPatLabel – Specifies the token label used when working with Access Tokens.

    Bentley.eB.ImsClaimType – Specifies the claim type for the "user" within the service token.

Modify the Report Server's RSReportServer.config File

  1. Open the Report Server's RSReportServer.config file in a text editor.

    The file is located by default in the following folder:

    C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\RSReportServer.config

  2. Within the <Authentication> element, add the <AuthenticationTypes>, <RSWindowsExtendedProtectionLevel>, <RSWindowsExtendedProtectionScenario>, and <EnableAuthPersistence> elements, as shown below:
    <Configuration>
       ...
       <Authentication>
          <AuthenticationTypes>
             <Custom/>
          </AuthenticationTypes>
          <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
          <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
          <EnableAuthPersistence>true</EnableAuthPersistence>
       </Authentication>
       ...
    </Configuration>
    
  3. Within the <UI> element, add the <CustomAuthenticationUI>, <ReportServerUrl>, and <PageCountMode> elements, as shown below:
    <Configuration>
       ...
       <UI>
          <CustomAuthenticationUI>
             <PassThroughCookies>
                <PassThroughCookie>FormsAuthCookie</PassThroughCookie>
                <PassThroughCookie>_session_ssrs</PassThroughCookie>
             </PassThroughCookies>
          </CustomAuthenticationUI>
          <ReportServerUrl>
          </ReportServerUrl>
          <PageCountMode>Estimate</PageCountMode>
       </UI>
       ...
    </Configuration>
    
  4. Within the <Extensions> element, add the <Security> and <Authentication> elements, as shown below:
    <Configuration>
       ...
       <Extensions>
          ...
          <Security>
             ...
             <Extension Name="Forms" Type="eB.ReportingServices.Extensions.Security.Authorization, eB.ReportingServices.Extensions.Security.2019.11">
               <Configuration>
                 <AdminConfiguration>
                   <UserName>BENTLEY IMS PROFILE EMAIL</UserName>
                 </AdminConfiguration>
               </Configuration>
             </Extension>
          </Security>
          <Authentication>
             ...
             <Extension Name="Forms" Type="eB.ReportingServices.Extensions.Security.Authentication, eB.ReportingServices.Extensions.Security.2019.11">
               <Configuration>
                 <Authentication>
                   <Bentley.eB.ImsIssuerName>https://imsoidc.bentley.com</Bentley.eB.ImsIssuerName>
                   <Bentley.eB.ImsUri>https://session.xxxx.bentley.com</Bentley.eB.ImsUri>
                   <Bentley.eB.ImsPatLabel>session</Bentley.eB.ImsPatLabel>
                   <Bentley.eB.ImsClaimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</Bentley.eB.ImsClaimType>
                 </Authentication>
               </Configuration>
             </Extension>
          </Authentication>
          ...
       </Extensions>
       ...
    </Configuration>
    

    The user name you enter in the <UserName> element above is the email address of your Bentley IMS profile. This step is needed so that you are granted permission to deploy the solution to the report server with SQL Server Data Tools.

    To be able to deploy the solution to the report server with SQL Server Data Tools, the administrative Bentley IMS profile must have a PAT created by the AssetWise Session Service specified in the <SessionServiceUri> element, using the label specified in the <imsPatLabel> element. See To Get a Personal Access Token (PAT) from AssetWise Session Service.

  5. Within the <Configuration> element, add the following <MachineKey> element, substituting YOUR VALIDATION KEY and YOUR DECRYPTION KEY with your own values:
    <Configuration>
       ...
       <MachineKey
           ValidationKey="YOUR VALIDATION KEY"
           DecryptionKey="YOUR DECRYPTION KEY"
           Validation="SHA1" Decryption="AES" />
       ...
    </Configuration>
    Note: Make sure the casing of the attributes matches the example above exactly.
    Tip: The machine key can be generated in IIS. For more information, see https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey/.
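
The following PowerShell check is an added example, not part of this guide or of Bentley's automation scripts. It cross-checks the settings that the two procedures above place in web.config and RSReportServer.config. The function name Test-ImsReportConfig, the sample documents (with a deliberately drifted ImsUri and placeholder machine keys) and the expectation that the IMS values in both files are identical are assumptions of the example.

```powershell
# Added example, not Bentley code. Both XML documents are constructed samples.
$web = [xml]@'
<configuration>
  <appSettings>
    <add key="Bentley.eB.ImsIssuerName" value="https://imsoidc.bentley.com" />
    <add key="Bentley.eB.ImsUri" value="https://session.xxxx.bentley.com" />
  </appSettings>
  <system.web>
    <authentication mode="Forms"><forms name="FormsAuthCookie" loginUrl="Login.aspx" path="/" /></authentication>
    <authorization><deny users="?" /></authorization>
  </system.web>
</configuration>
'@
$rs = [xml]@'
<Configuration>
  <Authentication><AuthenticationTypes><Custom/></AuthenticationTypes></Authentication>
  <UI><CustomAuthenticationUI><PassThroughCookies>
    <PassThroughCookie>FormsAuthCookie</PassThroughCookie>
  </PassThroughCookies></CustomAuthenticationUI></UI>
  <Extensions><Authentication><Extension Name="Forms"><Configuration><Authentication>
    <Bentley.eB.ImsIssuerName>https://imsoidc.bentley.com</Bentley.eB.ImsIssuerName>
    <Bentley.eB.ImsUri>https://session.yyyy.bentley.com</Bentley.eB.ImsUri>
  </Authentication></Configuration></Extension></Authentication></Extensions>
  <MachineKey ValidationKey="YOUR VALIDATION KEY" DecryptionKey="YOUR DECRYPTION KEY" Validation="SHA1" Decryption="AES" />
</Configuration>
'@
function Test-ImsReportConfig([xml]$Web, [xml]$Rs) {
    $issues = @()
    # web.config: Forms authentication must be on and anonymous users denied
    if ($Web.SelectSingleNode('/configuration/system.web/authentication/@mode').Value -ne 'Forms') { $issues += 'web.config: authentication mode is not Forms' }
    if (-not $Web.SelectSingleNode('/configuration/system.web/authorization/deny[@users="?"]')) { $issues += 'web.config: anonymous users are not denied' }
    # RSReportServer.config: Custom authentication type, forms cookie passed through
    if (-not $Rs.SelectSingleNode('/Configuration/Authentication/AuthenticationTypes/Custom')) { $issues += 'RSReportServer.config: <Custom/> authentication type missing' }
    $cookie = $Web.SelectSingleNode('/configuration/system.web/authentication/forms/@name').Value
    $passed = $Rs.SelectNodes('//PassThroughCookies/PassThroughCookie') | ForEach-Object { $_.InnerText }
    if ($passed -notcontains $cookie) { $issues += "forms cookie '$cookie' is not listed in <PassThroughCookies>" }
    # Assumption: the IMS values set in both files are meant to be identical
    $ext = "/Configuration/Extensions/Authentication/Extension[@Name='Forms']/Configuration/Authentication"
    foreach ($add in $Web.SelectNodes("/configuration/appSettings/add[starts-with(@key,'Bentley.eB.Ims')]")) {
        $key = $add.GetAttribute('key'); $a = $add.GetAttribute('value')
        $b = $Rs.SelectSingleNode("$ext/$key").InnerText
        if ($a -ne $b) { $issues += "$key differs: web.config='$a' RSReportServer.config='$b'" }
    }
    # MachineKey: reject placeholders; hex only (32 hex characters is a loose lower bound)
    foreach ($attr in 'ValidationKey', 'DecryptionKey') {
        if ($Rs.SelectSingleNode("/Configuration/MachineKey/@$attr").Value -notmatch '^[0-9A-Fa-f]{32,}$') { $issues += "MachineKey ${attr}: missing, placeholder or not hex" }
    }
    $issues
}
Test-ImsReportConfig $web $rs
```

To check a real server, load each file with [xml](Get-Content -Raw -LiteralPath <path>) and pass the two documents to the function; an empty result means every check passed.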

Troubleshooting Security Permissions on Backup Configuration Files

It is common practice to back up the original SQL Server Reporting Services configuration files before modifying them manually. Note that one security permission is removed from SQL Server Reporting Services 2019 configuration files when the files are copied. This missing permission might prevent Reporting Services from starting, in which case the following error message appears in the RSHostingService log file: "Access to the path 'C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\web.config' is denied."

To resolve this issue, do the following:

  1. Navigate to C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\web.config, and open the file Properties.
  2. From the Security tab, click Edit.
  3. Locate the SQLServerReportingServices group, and enable the "Write" permission.
  4. When you are finished, click OK.
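
The same repair as a script, as an added example that is not part of this guide or of Bentley's automation scripts: it grants Write only when the entry is missing and supports -WhatIf for a dry run. The function name Repair-SsrsConfigAcl and the full identity name NT SERVICE\SQLServerReportingServices are assumptions; confirm the identity against the Security tab of an untouched SSRS configuration file, and run the script from an elevated prompt.

```powershell
# Added example, not Bentley code. Function name and identity name are assumptions.
function Repair-SsrsConfigAcl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Default path is the web.config location given in this guide
        [string[]]$Path = 'C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\web.config',
        # Assumption: the "SQLServerReportingServices" entry shown on the Security tab
        [string]$Identity = 'NT SERVICE\SQLServerReportingServices'
    )
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($file in $Path) {
        $acl = Get-Acl -LiteralPath $file
        # Look for an existing Allow entry that already includes Write
        $hasWrite = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            $_.AccessControlType -eq $allow -and
            ($_.FileSystemRights -band $write) -eq $write
        }
        if ($hasWrite) { Write-Output "$file : Write already granted to $Identity"; continue }
        if ($PSCmdlet.ShouldProcess($file, "Grant Write to $Identity")) {
            # Add only the missing Write entry; other entries stay untouched
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Identity, $write, $allow)
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $file -AclObject $acl
            Write-Output "$file : added Write for $Identity"
        }
    }
}
Repair-SsrsConfigAcl -WhatIf   # dry run; remove -WhatIf to apply the change
```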