Monday, October 30, 2017

This is a serious security breach problem with SQL Server Reporting Services 2016

I have been having problem accessing the Web Service URL and Web Portal in Microsoft Edge as well as Mozilla Firefox-both the latest versions.

Microsoft Edge accepts the authentication after three times  entering the same Username/Password with the third time going to the web address. However it does not load and there is a message but with no instructions to go further.



In Mozilla entering the Web Service URL or Web Portal URL in the address with the same authentication information does not even go to the address. There were no messages.

Using the Report Builder you can connect to the Report Server and view the reports; datasources; report parts etc.


These URLs being crucial to work with SQL Server Reporting Services (SSRS), this is totally unacceptable.

What is more serious is that the Reporting Server has no security! When I enter the site address in a Chrome browser, I am not even asked for authentication dialog and I am taken straight to the server. This should not happen. I could even do a ListChildren command. Both Web Service URL and Web Portal URL do not require authentication. Wow!




I thought perhaps it has something to do with Chrome, but no. When I tried with Internet Explorer (on Windows 10) it was amazing. Asked for no authentication, web addresses were accessible.




I think this is something to do with Windows 10 and perhaps not that of Reporting Services.

I am not new to Reporting Services as I have written about them previously.

Notes after the original post (11/2/2017):

I have looked at Internet Options and I do not think these are the reasons why Internet Explorer displays the Web Service URL and Web Portal URL without asking for authentication. The first two images are for Internet Explorer and the last one for Microsoft Edge.

These two are for IE 11. The Web Service URL come sup immediately without prompting for authentication.


This one for Microsoft Edge (latest version)

The Microsoft Edge requests authentication information and succeeds only on the third time (each time same information is provided) but the Web Service URL does not load.

No comments:

Post a Comment

SQL Server 2025 ready to go

 I have not yet done looking at SQL Server 2022, SQL Server 2025 is ready to go. Microsoft is indeed relentless!  Microsoft announced SQL Se...