Forum Discussion

rdsohf5_76190
Oct 11, 2010

SSRS via Firepass

Experts,

We have a .net reports page on our intranet site that uses the SSRS (SQL Reporting Services) web service to build a tree of reports and the Report Viewer control to display the selected report. To get this working internally I had to set up Kerberos authentication (otherwise you get the "double-hop" problem where the intranet site on one box tries to connect to SSRS on the other box as "anonymous").

However, when I log in via Firepass and attempt to load the page I get this error...

Failed to list children: The request failed with HTTP status 401: Unauthorized. itemPath: Failed to set credentials: Object reference not set to an instance of an object.

I'm thinking it's because Firepass needs to be configured like my internal sites/boxes - i.e. the AD computer object should be set for Kerberos delegation, identity impersonate="true" added to the web.config and setspn applied to the HTTP path. But Firepass runs on Linux and is an "appliance" with no entry in AD, so I don't know how to set it up for delegation.

Has anybody else come across a similar problem? I'm a Database Administrator with little knowledge of the F5 and remote access. I've got network colleagues looking at the issue but thought I'd ask here in case anybody had some tips.

Also, I can go directly to the SSRS site from Firepass and view reports. However, when I run them in Internet Explorer the CPU shoots up to 50% and the window locks up. If I hide the SSRS toolbar they run OK. Strangely, I can run them OK from Firefox with the toolbar showing. What could this problem be - some JavaScript thing?

Thanks,

RD
  • Hi RD,

    I don't know anything about SRS and any foibles that might have, but certainly the Firepass is capable of emulating what a browser does with regard to Integrated Windows Authentication, if that is what you need. But that's not using Kerberos, just normal Windows authentication as far as I'm aware - is there no other option regarding the security context that the connection between the intranet and SRS uses?

    Obviously you need to be presenting your credentials to the Firepass in the first place, but if that is your authentication method (or part of it) then as far as I know the place to enable its use is under "Portal Access : Web Applications : Master Group Settings" for the master group which your users belong to. Then you'll see two options, in the section titled "NTLM and Basic Auth Proxy". This is relevant to version 7.0, probably 6.x as well; I don't think that this has changed.

    My company use the Windows account credentials to present different pages from the company intranet to different groups of employees and this works just fine through the Firepass.

    KevinS.
  • Posted By rdsohf5 on 10/10/2010 06:25 PM

    First off, how are you connecting?

    Web Application Tunnel - Tunnel based

    Portal Access - Basic Web stuff here

    Network Access Tunnel - The device has an IP address on the network.

    Second, how is the website coming up on Firepass?

    Is it showing up as Internet or Intranet?

    Third, I have no idea about the double hop issue as all Intranet sites should always have automatic logon set. This is an option in IE.

    If worse comes to worst we can always populate the username and password in the URL string if necessary.
  • Mike and Kevin - thanks for your replies. We connect via "Portal Access" and already have "Auto Logon with NTLM and Basic Auth Proxy" set up for our Master Group. NTLM is Windows authentication, but only one "hop" - i.e. credentials get passed from the client browser to our Intranet server OK, so we can present different pages/links to different users as Kevin mentions.

    We want the same thing to occur on our SSRS server because some of our reports require the current user as a parameter and also only some users should be able to run certain reports. The problem is that our Reports page is an ASP.NET web application which is hosted on the Intranet server but uses the SSRS web service and report viewer to connect to the SSRS server. This is the "double-hop" situation - i.e. user credentials need to get passed firstly from the client browser to the Intranet server and then a second time to the SSRS server. This is called delegation and NTLM doesn't support it. In order to delegate user credentials all components in the chain must use Kerberos authentication, which is what I have done to get things working internally.

    I have run an HTTP debugger and found that when the Reports page is loaded internally there are these messages...

    Authorization Header (Negotiate) appears to contain a Kerberos ticket:

    WWW-Authenticate Header (Negotiate) appears to be a Kerberos reply:

    But when it's loaded from Firepass I only get this...

    Proxy-Authorization Header is present: NTLM

    This leads me to believe that Firepass isn't capable of Kerberos authentication at all. I have a support ticket with F5 so I'll let you know how I go. Others may be interested because it means that any "middle-tier" solution people have in place may not work when accessed via Firepass.

    RD
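The HTTP-debugger observation above (Negotiate carrying a Kerberos ticket internally, only NTLM through the Firepass proxy) can be reproduced without a GUI tool by decoding the token in the Authorization or Proxy-Authorization header. The following is an added example, not code from the thread or from F5: it classifies a header as Kerberos, NTLM, or NTLM-inside-Negotiate by inspecting the SPNEGO mechType OIDs, using constructed sample tokens (mechTypes only, no real ticket) standing in for the captures RD describes.

```python
import base64
import re

# DER-encoded OIDs (tag 0x06, length, value) as they appear inside a GSS-API token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
MECH_OIDS = {
    "Kerberos": bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
    "NTLM": bytes.fromhex("060a2b06010401823702020a"),    # 1.3.6.1.4.1.311.2.2.10
}

def classify_auth_header(line):
    """Return (scheme, mechanism) for an Authorization or Proxy-Authorization header line."""
    m = re.match(r"(?:Proxy-)?Authorization:\s*(\S+)(?:\s+(\S+))?", line, re.I)
    if not m:
        return None
    scheme, token_b64 = m.group(1), m.group(2)
    if scheme.lower() == "ntlm":
        return scheme, "NTLM"                    # plain NTLM scheme: no delegation possible
    if scheme.lower() != "negotiate" or not token_b64:
        return scheme, "unknown"
    try:
        tok = base64.b64decode(token_b64, validate=True)
    except ValueError:
        return scheme, "undecodable token"
    if tok.startswith(b"NTLMSSP\x00"):
        return scheme, "NTLM"                    # raw NTLMSSP message wrapped in Negotiate
    if tok[:1] != b"\x60" or OID_SPNEGO not in tok[:20]:
        return scheme, "unknown"
    # SPNEGO NegTokenInit lists mechTypes in preference order, so the OID that
    # appears first in the token is the mechanism the client actually offered.
    found = {name: tok.find(oid) for name, oid in MECH_OIDS.items() if oid in tok}
    if not found:
        return scheme, "SPNEGO with no recognised mechanism"
    return scheme, min(found, key=found.get)

def der(tag, body):
    return bytes([tag, len(body)]) + body        # short-form DER TLV (bodies < 128 bytes)

def spnego_init(*mech_oids):
    # Constructed NegTokenInit: GSS-API [APPLICATION 0] { SPNEGO OID, [0] { mechTypes [0] } }.
    mech_list = der(0x30, b"".join(mech_oids))
    return der(0x60, OID_SPNEGO + der(0xa0, der(0x30, der(0xa0, mech_list))))

def enc64(raw):
    return base64.b64encode(raw).decode()

# Constructed samples mimicking the two captures in the thread (not real traffic).
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)
SAMPLE_HEADERS = {
    "internal": "Authorization: Negotiate " + enc64(spnego_init(MECH_OIDS["Kerberos"])),
    "firepass": "Proxy-Authorization: NTLM " + enc64(NTLM_TYPE1),
    "fallback": "Authorization: Negotiate " + enc64(spnego_init(MECH_OIDS["NTLM"])),
}
```

A header that decodes to "NTLM" anywhere in the chain is the point at which the credential cannot be delegated onward, which is the double-hop failure described in the thread.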
  • Mike

    I don't know, I'm checking with my network people. I'm actually a DBA so don't know much about proxies. I only know the kerberos stuff by researching it myself.

    Where should I be looking for the proxy configuration? The Firepass manual mentions proxy all over the place - Basic Auth Proxy, Enable HTTP proxy or Enable SSL proxy, reverse-proxy, Client proxy settings etc. What are the implications of having a proxy in the configuration? Could it be blocking Kerberos traffic?

    Rob
  • Rob,

    Just looked through this again and noticed that there is a place in the FirePass admin config where you can specify an optional Kerberos server. Looking at the admin documentation doesn't really give any clues what's going on, but I just mention it if your network guys haven't already explored that area. This is under Users : Groups : Master Groups, select the correct master group and go to the authentication tab.

    It's just the optional wording in the Kerberos (and WINS) server entry which makes me wonder if it has been missed.

    Here's the text from the help page associated with that page. Unfortunately there's no explanation for what's really going on....

    To configure Active Directory authentication

    -In the Domain name box, type the Windows domain name. You must provide the Fully Qualified Domain Name (FQDN) here. This is a required parameter.

    -Check (enable) the Forest mode box to authenticate users against Active Directory using their user principal names (UPN).

    Note: If you enable Forest Mode for the AD authentication method, then "domain name" must be in the FQDN format. For example: SALES.OLYMPUS.COM instead of SALES.

    -In the Kerberos server name box, type the Kerberos server name or IP address. Kerberos server name is an optional parameter.

    -In the WINS server IP address box, type the WINS server IP address. WINS server IP address is an optional parameter.

    -Check the Require user logon in form DOMAIN\username only if there are FirePass 4100 controller users with otherwise-identical user names belonging to different Active Directory domains. When you enable this option, you must use the DOMAIN\username format when adding users to the FirePass 4100 database, and users must use their full DOMAIN\username when logging into the FirePass 4100 controller.

    -In the User must belong to Domain group box, type the domain group to which the user must belong for authentication. You can also click the Select Domain group link to select a domain group from your Active Directory server. User must belong to Domain group is an optional parameter. When you select User must belong to Domain group, the option Check nested groups appears. Select this option to check for users in a series of nested groups. You may optionally select the option Group specified must match user's primary group to ensure that the domain group the user belongs to matches the user's primary group.

    -In the Domain admin name box, type a user name that has Active Directory administrative permissions.

    -In the Domain admin password box, type the password associated with this user name.

    Note: Permissions are necessary for admin account changes. Use Account Operator as the privilege setting necessary for Firepass to change an admin password. Account Operator is a built-in Windows group, so the user that is specified in the Domain admin name and Domain admin password fields must be added to this group.

    Regards,

    KevinS.
  • I had thought of that too, but we already have the kerberos and wins fields filled in.