Configuring SQL Server Reporting Services 2016 for Bentley IMS Authentication
If you plan to run reports in SQL Server Reporting Services using Bentley IMS credentials, then you first need to configure SQL Server Reporting Services so that it can authenticate requests from Bentley IMS users.
SQL Server Reporting Services consists of two components, the Report Server, and the Web Portal, which is used to manage the Report Server. In order to support Bentley IMS authentication, both the Report Server and the Web Portal must be configured.
Modify the Reports Server's web.config File
- Open the Report Server's
web.config file in a text editor.
The file is located by default in the following folder:
C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer\web.config
- Within the
<system.web> element, add the following
<authentication>,
<authorization>, and
<identity> elements, as shown below:
<configuration> ... <system.web> ... <authentication mode="Forms" > <forms name="FormsAuthCookie" loginUrl="Login.aspx" path="/" /> </authentication> ... <authorization> <deny users="?" /> </authorization> ... <identity impersonate="false" /> ... <system.web> ... </configuration> - Within the
<system.web> element, add the following
<machineKey> with your own values, as shown
below:
<configuration> ... <system.web> ... <machineKey validationKey="YOUR VALIDATION KEY" decryptionKey="YOUR DECRYPTION KEY" validation="SHA1" decryption="AES" /> ... </system.web> </configuration>The machine key can be generated in IIS. See the following article if you need help generating the machine key:
Important: The machine key you add to the web.config file here must be the same as the machine key you add to the Web Portal's Microsoft.ReportingServices.Portal.WebHost.exe.config file (which is described later in this section). Once you generate the machine key, you should paste the same machine key into both configuration files. -
Within the <appSettings> element, add the following IMS session settings, as shown below:
<Configuration> ... <appSettings> <add key="Bentley.eB.ImsIssuerName" value="https://imsoidc.bentley.com" /> <add key="Bentley.eB.ImsUri" value="https://session.xxxx.bentley.com" /> <add key="Bentley.eB.ImsPatLabel" value="session" /> <add key="Bentley.eB.ImsClaimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> </appSettings> ... </Configuration>Where:
Bentley.eB.IMSIssuerName – Specifies the location of the session service token provider.
Bentley.eB.ImsUri – Specifies the location of the session service. Session service must be configured to allow authentication requests from SSRS reports server url.
Bentley.eB.ImsPatLabel – Specifies the token label used when working with Access Tokens.
Bentley.eB.ImsClaimType – Specifies the claim type for the "user" within the service token.
Modify the Report Server's RSReportServer.config File
- Open the Report Server's
RSReportServer.config file in a text editor.
The file is located by default in the following folder:
C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer\RSReportServer.config
- Within the
<Authentication> element, add the
<AuthenticationTypes>,
<RSWindowsExtendedProtectionLevel>,
<RSWindowsExtendedProtectionScenario>, and
<EnableAuthPersistence> elements, as shown
below:
<Configuration> ... <Authentication> <AuthenticationTypes> <Custom/> </AuthenticationTypes> <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel> <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario> <EnableAuthPersistence>true</EnableAuthPersistence> </Authentication> ... </Configuration> - Within the
<UI> element, add the
<CustomAuthenticationUI>,
<ReportServerUrl>, and
<PageCountMode> elements, as shown below:
<Configuration> ... <UI> <CustomAuthenticationUI> <PassThroughCookies> <PassThroughCookie>FormsAuthCookie</PassThroughCookie> <PassThroughCookie>_session_ssrs</PassThroughCookie> </PassThroughCookies> </CustomAuthenticationUI> <ReportServerUrl> </ReportServerUrl> <PageCountMode>Estimate</PageCountMode> </UI> ... </Configuration>
- Within the
<Extensions> element, add the
<Security> and
<Authentication> elements, as shown below:
<Configuration> ... <Extensions> ... <Security> ... <Extension Name="Forms" Type="eB.ReportingServices.Extensions.Security.Authorization, eB.ReportingServices.Extensions.Security.13.0"> <Configuration> <AdminConfiguration> <UserName> BENTLEY IMS PROFILE EMAIL</UserName> </AdminConfiguration> </Configuration> </Extension> </Security> <Authentication> ... <Extension Name="Forms" Type="eB.ReportingServices.Extensions.Security.Authentication, eB.ReportingServices.Extensions.Security.13.0"> <Configuration> <Authentication> <Bentley.eB.ImsIssuerName>https://imsoidc.bentley.com</Bentley.eB.ImsIssuerName> <Bentley.eB.ImsUri>https://session.xxxx.bentley.com</Bentley.eB.ImsUri> <Bentley.eB.ImsPatLabel>session</Bentley.eB.ImsPatLabel> <Bentley.eB.ImsClaimType>http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress</Bentley.eB.ImsClaimType> </Authentication> </Configuration> </Extension> </Authentication> ... </Extensions> ... </Configuration>The user name you enter in the <UserName> element above is the email address of your Bentley IMS profile. This step is needed so that you will be granted permission to deploy the solution to the reports server with the SQL Server Data Tools.
To be able to deploy the solution to the reports server with SQL Server Data Tools, the administrative Bentley IMS profile must have a PAT token created by the AssetWise Session Service specified in <SessionServiceUri> element using the label specified in the <imsPatLabel> element. See To Get a Personal Access Token (PAT) from AssetWise Session Service.
Modify the Web Portal's Microsoft.ReportingServices.Portal.WebHost.exe.config File
- Open the Web Portal's
Microsoft.ReportingServices.Portal.WebHost.exe.config
file in a text editor.
The file is located by default in the following folder:
C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\RSWebApp\Microsoft.ReportingServices.Portal.WebHost.exe.config
- Copy the
<machineKey> element from the Report Server's
web.config file and paste it within the
<system.web> element in this file, as shown
below.
<configuration> ... <system.web> ... <machineKey validationKey="YOUR VALIDATION KEY" decryptionKey="YOUR DECRYPTION KEY" validation="SHA1" decryption="AES" /> ... </system.web> </configuration>The machine key must be the same as the machine key you added to the Report Server's web.config file.
- Within the
<appSettings> element, add the following IMS
session settings, as shown below:
<Configuration> ... <appSettings> <add key="Bentley.eB.ImsIssuerName" value="https://imsoidc.bentley.com" /> <add key="Bentley.eB.ImsUri" value="https://session.xxxx.bentley.com" /> <add key="Bentley.eB.ImsPatLabel" value="session" /> <add key="Bentley.eB.ImsClaimType" value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" /> </appSettings> ... </Configuration>Where:
Bentley.eB.IssuerName – Specifies the location of the session service token provider.
Bentley.eB.ImsUri – Specifies the location of the session service. Session service must be configured to allow authentication requests from the SSRS reports server url.
Bentley.eB.ImsPatLabel – Specifies the token label used when working with Access Tokens
Bentley.eB.ImsClaimType– Specifies the claim type for the "user" within the service token.