Wednesday, March 7, 2012

Cache: rsInvalidDataSourceCredentialSetting

Error-Message:
"The current action cannot be completed because the user data source
credentials that are required to execute this report are not stored in the
report server database. (rsInvalidDataSource-CredentialSetting) (Report
Services SOAP Proxy Source)".
Our previous action:
In SQL-Server Management Studio, Connect to Reporting Services, Home,
myReports, someReportName.
Right-Click on this report, Properties.
Here on the left side: Execution
Right Side: Cache the Report, OK
Now happens the Error cited above.
Logged on as Local Administrator, as usual, no Domain configured, standalone
Server in Workgroup.
The whole ReportServer was installed and configured from scratch with all
possible patience:
All the following programs in English:
Win Enterprise 2003 R2, SQL Server 2005 completely, SQL-Server SP1, Post SP1
hotfixes and ALL recommended Security Updates/Fixes by Windows Update.

Hi Henry,
Thank you for using MSDN Managed Newsgroup Support.
From your description, my understanding of this issue is: You can not
configure the Report Cache and you get the following error message:
"The current action cannot be completed because the user data source
credentials that are required to execute this report are not stored in the
report server database. (rsInvalidDataSource-CredentialSetting) (Report
Services SOAP Proxy Source)".
If I misunderstood your concern, please feel free to let me know.
Since the report cache needs a credential to connect to the datasource to
render the report, it will need the credential stored in the report server
database.
To store the credential, please do the following:
1. Open the Management Studio, connect to Reporting Services, go to the
report you want to configure.
2. Expand the left panel, and click the Data Sources, right-click your data
source name and click Properties.
3. Check the Credentials stored securely on the report server and specify a
Login Name and password.
4. Click Ok and try to configure the report cache.
Hope this will be helpful, thank you!
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Wei,
Thanks to your advice we finally managed to configure caching.
It follows here:
- our initial security-config
- the way we solved the problem by temporarily changing this config
- ONE Question
All Reports use a shared datasource.
This shared datasource is configured to connect using Windows integrated
security.
Our security-config is as follows:
- SQL-Server is configured for "SQL Server and Windows Authentication mode"
- The reportserver machine is in a workgroup, not in a Domain
- Anonymous access to the ReportServer website is allowed via the
IUSR_machine User
- we created a local Server windows-group "Report-Reader" in Computer
Management
- we added the IUSR_machine Account to this group
- we added this windows-group as a "System User" (not System Administrator)
to Report Services
- we gave this windows-group the Browser-Role
- we gave this windows-group the datareader role with explicit rights to
select and execute on the target databases
We achieved enabling caching only after configuring this shared datasource
temporarily with:
- Connection: Credentials stored securely on the report server
- sa, password
standard config before and after: Windows integrated security (= the
IUSR_machine account) did not work
Question:
Me, the SQL Server Admin, with all possible rights, I want to configure the
caching behaviour.
Why does there need to be configured differently any shared datasource
rights to do this?
What has the config of the datasource to do with ME wanting to change a
behaviour?
Muchas Gracias, yours Henry

Hello Henry,
Thank you for your update and glad to hear the information is helpful.
I would like to explain why we need to store the Credential.
Since the Report Cache is an automatic process to render the report, it
will need the credential to connect to the datasource to get the data. If
you use the Windows integrated security, it will be fine if a user tries to
access the report. But the Cache can not connect to the datasource because
it does not know which credential it should use to connect to the
datasource. Thus, you need to store the credential in the database.
Don't worry about the security because the database uses a symmetric key to
encrypt the credential.
Here is an article for your reference:
Specifying Credential and Connection Information
http://msdn2.microsoft.com/en-us/library/ms160330(d=ide).aspx
Sincerely,
Wei Lu
Microsoft Online Community Support

Hi Henry,
How is everything going? Please feel free to let me know if you need any
assistance.
Sincerely,
Wei Lu
Microsoft Online Community Support

Hi Wei,
OK, resolved.
But one big question:
If I give e.g. the sa-credentials to be stored securely in the data-source,
and if any one user achieves to send some "= 1; drop someDB; --" Code to our
Stored Procedures that sometimes use dynamic SQL, then we're fried.
Seems to be necessary to configure a SQL-Server account with less privileges.
Or let caching out.
Saludos, Henry

Hi Henry,
Thank you for the update.
SQL injection is really a big problem. I recommend you configure a
SQL account which only has select permission on the database since the
reporting service only needs to get the data from the datasource.
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support

Hello Henry,
How are you doing on this thread? As Wei has been OOF due to some urgent
issues, I'm helping him contact you to see whether you still have any
problems on this. For the security threat you mentioned earlier, Wei and
I have discussed this with our product team's engineers and their
suggestion is that we recommend the reporting service datasource always use
a readonly permission identity to access the database server since a reporting
service report only needs readonly access. As always, if you have any
further issues, please feel free to post here.
Sincerely,
Steven Cheng
Microsoft MSDN Online Support Lead

Hi Steven,
thank you very much for your invested time.
We are happy, that SSRS-caching could finally be switched on in our
dev-/test-environment.
We'll investigate it further, when our product is live and running and we
need to optimize it.
Have a nice day, greetings from Peru
Yours Henry
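
The read-only data source account recommended in the thread, together with a report procedure whose dynamic SQL binds its parameter, as an added T-SQL example (not part of the original thread and not a Microsoft script). ReportsDb, ssrs_reader, dbo.Sales and dbo.SalesByRegion are constructed placeholder names, and the password is a placeholder to replace.

```sql
-- Added example. ReportsDb, ssrs_reader, dbo.Sales and dbo.SalesByRegion are
-- constructed placeholder names; ReportsDb is assumed to exist already.
USE master;
GO
-- SQL login to enter under "Credentials stored securely on the report server".
-- Replace the placeholder password before running.
CREATE LOGIN ssrs_reader WITH PASSWORD = N'<strong-password-placeholder>';
GO
USE ReportsDb;
GO
CREATE USER ssrs_reader FOR LOGIN ssrs_reader;
-- Read everything, write nothing.
EXEC sp_addrolemember N'db_datareader', N'ssrs_reader';
EXEC sp_addrolemember N'db_denydatawriter', N'ssrs_reader';
GO
-- Constructed sample table so the script runs on its own.
CREATE TABLE dbo.Sales (OrderId int PRIMARY KEY, Region nvarchar(50), Amount money);
GO
-- Dynamic SQL that binds the report parameter instead of concatenating it,
-- so the parameter value is never parsed as SQL text.
CREATE PROCEDURE dbo.SalesByRegion @Region nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT OrderId, Amount FROM dbo.Sales WHERE Region = @r';
    EXEC sp_executesql @sql, N'@r nvarchar(50)', @r = @Region;
END
GO
-- Grant EXECUTE only on the procedures that reports actually call.
GRANT EXECUTE ON OBJECT::dbo.SalesByRegion TO ssrs_reader;
GO
-- Check the effective rights as the report account. A non-zero value in any
-- column other than can_select means the account can still change data or schema.
EXECUTE AS USER = N'ssrs_reader';
SELECT HAS_PERMS_BY_NAME(N'dbo.Sales', N'OBJECT', N'SELECT') AS can_select,
       HAS_PERMS_BY_NAME(N'dbo.Sales', N'OBJECT', N'DELETE') AS can_delete,
       HAS_PERMS_BY_NAME(N'dbo.Sales', N'OBJECT', N'ALTER')  AS can_alter,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CREATE TABLE') AS can_create;
REVERT;
GO
```

Dynamic SQL inside a procedure is permission-checked against the caller unless the procedure is created WITH EXECUTE AS, so the rights of the stored data source account bound what any string reaching that dynamic SQL can do.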
