Recently I implemented a custom Authentication and Authorization extension for SQL Server Reporting services so that I could implement a single sign-on for our reporting module. After much cursing and swearing I got Authentication to work against our Authentication service, now comes the part where I implemented custom Authorization. An article I found gave me a good head start on this, and I implemented my own custom Roles against my usernames etc. All well and good… but something strange kept happening my User’s kept getting an AccessDeniedException when calling ListChildren on the Reporting Services web service. This was even though I had granted rights to the Roles for the folders I wanted them to access. Upon investigation (and some remote debugging) I discovered the calls to CheckAccess were being sent a byte secDesc that was null.
For those of you who don’t know or understand (as I didn’t at the time) secDesc is a binary representation of the permissions granted to a particular item in the Reports server, this includes all Users and/or Groups that are granted access to the item. I had forgotten to specify permissions for my Home directory to include all the roles. my function was calling ListChildren("/", true) (where "/" is the home directory).
Seems pretty obvious stuff-up, fair enough very easily fixed by going into Report Manager or SQL Server Management studio, only one small problem…. Still doesn’t work… I then discovered that the Users/Groups also need to be given a System Role at the Server level. I added my custom groups (or my application Roles) as System Users to the Server and everything worked perfectly… huzzah!