(Revised based on comments below)
I know there's a ton of posts like this online and I've browsed many and found no useful help.
I have setup and configured SSRS many times and have not had this problem. The setup is similar to other servers in the past (all stand alone servers - no AD). I can log into Report Manager from a browser on the local server but when I try to access from my remote dev machine or from deploying a report from VS I get the above message.
This is how I'm trying to login which works on other servers but not this one.
http://Server IP/Reports
-Username: Administrator
-Password: admin password
I get the above error even though this is exactly the same as on other servers.
I should mention that I connect using a VPN to the network so I have access to the private IPs as well.
I also tried using he private IP
I also tried MachineName\Administrator
I also tried creating an SQL user with admin privileges and that did not work either.
This is a screenshot from a server where everything is working as expected. Administrators had default permissions (Content Manager). Users has browse:
This is a screenshot from the server that’s having permission issues. I assigned all roles to both admin accounts
and then I added all roles to both admin accounts:
Now I can deploy from VS using the username "administrator".
and I made a little progress (i think...) trying to access report manager from my pc. From IE (run as admin) on my local pc I try to access report manager from this URL
http://server ip/Reports/browse/
-Username: Administrator
-Password: admin password
And now I gain access to server manager but cannot see any content. When I click on the home button I get this error:
Any recommendations?
In vCenter 6.5 vSphere web client, if I logon as any user other than administrator#vsphere.local, I can't get to a few areas like Administration > Single sign on > Configuration.
I swear I did something to get my other user accounts access before, but if it's not just to give administrator access to 'global access', then I can't remember. vCenter died recently and I had to recreate it.
I'm trying to give otherUser#vsphere.local and an Active Directory group full access to do everything that administrator#vsphere.local can do.
Anyone know how to do this?
Note: I have the vCenter Server Appliance.
There's separate roles and permissions for vCenter and Appliance configurations (such as SSO). Make sure you're properly setting the permissions for those users/groups there as well.
Example of the SSO permissions: link
When I try to deploy my SQL Server Analysis Services project to the server, I get the error message No mapping between user and security ids was done. I don't get where this is coming from!
I've checked the user credentials on the Data Source. I've previously deployed projects to the same server with the same credentials with no problems.
When I google this problem, I get a lot of hits for things to do with Active Directory, but nothing that directly links to SSAS. Where does this error spring from?
This error occurs when there are users defined in a role that are either not known to the server (i.e. a local account on the machine the project was designed on) or no longer available in the Active Directory. To solve this:
Open the cube in BIDS / Visual Studio
Go to the Roles node in the Solution Explorer
Per role, go to the tab "memberships"
Per member defined, check to see if that member still exists in the AD.
In my experience, it's advisable not to use local users in Roles, nor personal accounts. Instead, grant the rights to a role to a group, then add and remove users to that group in the Active Directory as needed.
We have the report server installed in the Domain Controller. In the report server, I removed all the roles assigned for BUILTIN\Users (except Browse), and left all the roles (including Content Manager) for BUILTIN\Administrators.
Now when I log in as the Domain Administrator, I cannot access the Security Settings page! I do not get the "Properties" tab in the Report Manager home page.
Since, the server I have installed the SSRS is our domain controller, it doesn't have any BUILTIN groups. However, the Domain Administrator is in the Domain\Administrators group and I was under the impression that will act as the BUILTIN\Administrators group in this case. But I was wrong.
Now since we cannot login as BUILTIN\Administrator, nobody has full access to the Report Manager.
I tried entering entries for ReportServer database PolicyUserRole table, so that I can assign content manager role to the BUILTIN\Users group. Although I added the entries successfully, the Report Manager still shows nothing when I login as a user to the website!
I need to do one of two things, Either
some how login as BUILTIN\Administrator to the Report Manager. - But cannot do this coz the Domain Controller doesn't have this group. Domain\Administrators group doesn't seem to be working
or
2.Somehow give ContentManager permission back to the BUILTIN\Users group. But I cannot do this using the ReportManager website OR the SQL Management Studio, as they do not recognize that my domain\Administrator has permission.
What nonnb said:
SSRS will allow any "local" administrators to the computer SSRS is running on to do administrative stuff.
You should be able to go to the domain controller, check local users and groups, add in your domain user as a local administrator to the computer. As far as i can remember, even the domain controller also has some local stuff. If not, it could be a discussion on if it is smart or recommended to install SSRS on a domain controller, but that is out of scope for this question :)
Well, I couldn't find anything :(... I ended up re-installing the reporting services.
I'm running an IIS 7 Website with an AppPool of Integrated Pipeline Mode.
The AppPools does NOT run under NetworkService, etc.. identity (by purpose), but uses its own AppPool Identitiy (IIS AppPool\MyAppPool).
This is a so called service account or virtual account.
(a user account, which is not a full account...)
I'd like to give this service account (IIS AppPool\MyAppPool) permissions to connect to my SQL Server 2008 Express (running in Mixed Auth. Mode).
While SQL Server can add any normal user account, the IIS AppPool\MyAppPool virtual account cannot be added to the valid logons (SQL Server says, that the account cannot be found).
Is there any trick, anything I need to enable to make the virtual accounts work?
(the w3wp.exe process runs under this identity according to taskmgr, but I cannot use the account in NTFS security either...)
Thanks for your help!
The "IIS APPPOOL\AppPoolName" will work, but as mentioned previously, it does not appear to be a valid AD name so when you search for it in the "Select User or Group" dialog box, it won't show up (actually, it will find it, but it will think its an actual system account, and it will try to treat it as such...which won't work, and will give you the error message about it not being found).
How I've gotten it to work is:
In SQL Server Management Studio, look for the Security folder (the security folder at the same level as the Databases, Server Objects, etc. folders...not the security folder within each individual database)
Right click logins and select "New Login"
In the Login name field, type IIS APPPOOL\YourAppPoolName - do not click search
Fill whatever other values you like (i.e., authentication type, default database, etc.)
Click OK
As long as the AppPool name actually exists, the login should now be created.
CREATE LOGIN [IIS APPPOOL\MyAppPool] FROM WINDOWS;
CREATE USER MyAppPoolUser FOR LOGIN [IIS APPPOOL\MyAppPool];
You can solve like this,
Open "Applications Pools",
You should right click that you have choosed application pool. Then choose
"Advanced Settings".
Click three point on the Identity tab then you should choose "LocalSystem" from field of "Built-in-account"
If you do this way, you don't need to create a user in database.
If you're going across machines, you either need to be using NETWORK SERVICE, LOCAL SYSTEM, a domain account, or a SQL 2008 R2 (if you have it) Managed Service Account (which is my preference if you had such an infrastructure). You can not use an account which is not visible to the Active Directory domain.
As a side note processes that uses virtual accounts (NT Service\MyService and IIS AppPool\MyAppPool) are still running under the "NETWORK SERVICE" account as this post suggests http://www.adopenstatic.com/cs/blogs/ken/archive/2008/01/29/15759.aspx. The only difference is that these processes are members of the "NT Service\MyService" or "IIS AppPool\MyAppPool" groups (as these are actually groups and not users). This is also the reason why the processes authenticate at the network as the machine the same way NETWORK SERVICE account does.
The way to secure access is not to depend upon this accounts not having NETWORK SERVICE privileges but to grant more permissions specifically to "NT Service\MyService" or "IIS AppPool\MyAppPool" and to remove permissions for "Users" if necessary.
If anyone has more accurate or contradictional information please post.
Look at: http://www.iis.net/learn/manage/configuring-security/application-pool-identities
USE master
GO
sp_grantlogin 'IIS APPPOOL\<AppPoolName>'
USE <yourdb>
GO
sp_grantdbaccess 'IIS APPPOOL\<AppPoolName>', '<AppPoolName>'
sp_addrolemember 'aspnet_Membership_FullAccess', '<AppPoolName>'
sp_addrolemember 'aspnet_Roles_FullAccess', '<AppPoolName>'
This may be what you are looking for...
http://technet.microsoft.com/en-us/library/cc730708%28WS.10%29.aspx
I would also advise longer term to consider a limited rights domain user, what you are trying works fine in a silo machine scenario but you are going to have to make changes if you move to another machine for the DB server.
I figured it out through trial and error... the real chink in the armor was a little known setting in IIS in the Configuration Editor for the website in
Section: system.webServer/security/authentication/windowsAuthentication
From: ApplicationHost.config <locationpath='ServerName/SiteName' />
called useAppPoolCredentials (which is set to False by default. Set this to True and life becomes great again!!! Hope this saves pain for the next guy....
In my case the problem was that I started to create an MVC Alloy sample project from scratch in using Visual Studio/Episerver extension and it worked fine when executed using local Visual studio iis express.
However by default it points the sql database to LocalDB and when I deployed the site to local IIS it started giving errors some of the initial errors I resolved by:
1.adding the local site url binding to C:/Windows/System32/drivers/etc/hosts
2. Then by editing the application.config found the file location by right clicking on IIS express in botton right corner of the screen when running site using Visual studio and added binding there for local iis url.
3. Finally I was stuck with "unable to access database errors" for which I created a blank new DB in Sql express and changed connection string in web config to point to my new DB and then in package manager console (using Visual Studio) executed Episerver DB commands like -
1. initialize-epidatabase
2. update-epidatabase
3. Convert-EPiDatabaseToUtc
For the ApplicationPoolIdentity, add a login/user in MSSQL as IIS_IUSRS which is corresponding to the default pool.