If the SharePoint Web application is configured for Windows authentication and Kerberos is enabled, the connection from the SharePoint Web application to the report server is through the impersonated or delegated credentials of the current Windows user. The following diagram shows the connections when a report server is configured for SharePoint integration, and the SharePoint Web application uses Windows authentication with Kerberos enabled.

Connection 1

A user accesses a SharePoint site under the user token created when the user logged on to the network. It contains the user identity and group membership. The SharePoint Web application authenticates the user. The user requests a report server item or operation.

Connection 2

The SharePoint Web application sends the token and the request to the report server. The connection request is sent under the Windows identity of the user. The report server validates whether the user has permission to access the report server.

Connection 3

If the validation is successful, the report server will verify that the user has permission to access the item or operation.

A report server uses an internal security extension to verify user permissions. The report server uses the extension to call in to the Windows SharePoint Services object model to check the permissions that are stored in the SharePoint content databases. You cannot configure or manage this security extension. It is an internal component used for report servers that run in SharePoint integrated mode.

If the user has permission to access the report or other item or operation, the request is serviced.

By using Windows integrated security, you can eliminate the classic "double-hop" issue wherein Windows credentials expire after a single connection. It can also expand the set of options that are available to you when you configure data source connections for reports and models. If the Windows user identity is used to connect to the report server, the report server can use that identity during report processing to retrieve data from external data sources. This means that when you set data source properties on a report, you can select the Windows integrated security option for the data source connection. For more information, see Specifying Credential and Connection Information in SQL Server Books Online.

If the SharePoint Web application is configured for Forms authentication, the connection to the report server is sent across the network under a predefined trusted account that has permission to impersonate a SharePoint user on the report server. The same approach is used if the SharePoint Web application is configured for Windows authentication and Kerberos is not enabled. The following diagram shows the connections when trusted accounts and SharePoint user identities are used.

Connection 1

A user logs on to a SharePoint site. The SharePoint Web application authenticates the user. The SharePoint Web application translates the user identity to a SharePoint user identity (SPUser). A new user token is created for that user in the context of SPUser. It contains the user identity and group membership. The user requests a report server item or operation.

Connection 2

The SharePoint Web application impersonates the SharePoint user identity on the request to the report server. The connection request is sent that uses a trusted account. The account is the process identity of the SharePoint Web application.

The report server validates whether the connection request is from a trusted account by comparing it to account information that the report server retrieved from the SharePoint configuration databases when the report server started. On a report server, the trusted account is a Windows user with permission to impersonate SharePoint Web application. It is used only to impersonate SPUser. It is not allowed access to report server items and operations.

Connection 3

If the validation is successful, the report server will verify that SPUser has permission to access the item or operation.

The report server uses an internal security extension to verify user permissions, call in to the Windows SharePoint Services object model, and check the permissions that are stored in the SharePoint content databases. If the user has permission to access the report or other item or operation, the request is serviced.

When you create a subscription to a report, the report server will store the SPUser account information so that it can verify that the user has permission to view the report at the time of delivery. If SPUser has expired, the subscription will fail and return an rsSharePointError error. A farm-level property named TokenTimeout determines how long SPUser is valid.

In Reporting Services, both the Web service and Windows service require access to SharePoint databases. The service accounts for both services run as trusted users in a SharePoint Web application, and are automatically granted permission to access the SharePoint databases.

The connection is managed internally; it is configured when you use SharePoint Central Administration to point a SharePoint Web application to a report server and set the trusted accounts. In contrast with the report server connection to its own databases, which you can set or modify using the Reporting Services Configuration tool, you cannot explicitly configure or manage the report server connection to the SharePoint databases.

Running a report server in SharePoint integrated mode introduces constraints on how you configure the service accounts in Reporting Services. Use these guidelines when configuring service accounts:

• Choose accounts that have network logon permissions if the Report Server service accounts must connect to the SharePoint databases on a remote computer.
  
• Avoid built-in accounts (such as Local System or Network Service) if the report server and the SharePoint databases are on one computer, and the SharePoint Web application is on a remote computer. When SharePoint databases run on a remote computer, the SharePoint Web application explicitly denies database access to built-in accounts that are defined on that remote computer. This means that all services that run under built-in accounts on that computer cannot connect to SharePoint databases.
  
• For all other topologies that place the servers and databases on the same computer or different computers, the Reporting Services service accounts can be configured as domain accounts or built-in accounts.
  

If the report server cannot access the SharePoint databases and there is a configuration error (for example, if the service accounts or passwords are not valid or if a local instance of the Windows SharePoint object model is not installed), an rsServerConfigurationError error occurs. For all other connection errors, the rsSharePointError error is returned, along with additional error information from the local Windows SharePoint Services instance.