Impersonation Mode
CrissCross runs best in Impersonation Mode, whereby users log on to CrissCross as themselves via Windows Authentication and the reports are then also run as them.
Due to Windows authentication restrictions, Impersonation Mode works best when CrissCross is running on the actual SSRS server. It may be possible to run CrissCross in Impersonation Mode on other servers, but that would require Kerberos double-hop authentication.
- Run CrissCross on the SSRS server (see above)
- In the web.config:
In <appSettings> set crisscross.ImpersonateLoggedOnUser to "true"
Further down in web.config, make sure that authentication mode is "Windows" and identity impersonate is set to "true", like this:
<authentication mode="Windows"/>
<identity impersonate="true"/>
- Configure IIS for Windows authentication:
For IIS6 this means:
- Go to the CrissCross virtual directory and right click to get Properties
- Go to the Directory Security tab
- Under 'authentication and access control' press Edit
- Under Authenticated Access make sure 'Integrated Windows Authentication' is ticked
For IIS7 this means:
- Make sure the Windows Authentication option is installed (it's optional in IIS7), see http://www.iis.net/ConfigReference/system.webServer/security/authentication/windowsAuthentication
- Click on the CrissCross app in IIS and then click the IIS -> Authentication option
- Turn on Windows Authentication and ASP.NET Impersonation
- When running in Impersonation Mode, IIS checks the user's access rights against the files in the virtual folder and its sub-folders. Hence for impersonation to work, all users must have Read/Read+Execute/List Folder Contents rights on the CrissCross virtual folder and its sub-folders. Usually the easiest way to do this is via the generic 'Users' group.
For more notes see Using IIS Authentication with ASP.NET Impersonation
Switch to Fixed User Mode by:
- In the web.config:
In <appSettings> set crisscross.ImpersonateLoggedOnUser to "false"
and set
crisscross.FixedSsrsUsername
crisscross.FixedSsrsDomain
crisscross.FixedSsrsPassword
to a user that has access to the SSRS reports.
Further down in web.config, make sure that identity impersonate is set to false, like this:
<authentication mode="Windows"/>
<identity impersonate="false"/>
- Set CrissCross to use its own Application Pool, and set that Application Pool to run using the same account as specified in crisscross.FixedSsrsUsername.
Note that when you run from Visual Studio, CrissCross runs in VS's own mini web server and runs as the current user, which allows impersonation to work without Kerberos/double-hop.
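
Both Impersonation Mode and Fixed User Mode change two places in web.config that have to agree: the crisscross.ImpersonateLoggedOnUser app setting and the identity impersonate element. The PowerShell check below is an added example, not part of CrissCross; the function name Test-CrissCrossAuthConfig and the sample config are constructed, and it assumes the configuration element carries no XML namespace.

```powershell
# Added example (not CrissCross code). Assumes web.config has no XML namespace
# on <configuration> and that the settings sit where this page shows them.
function Test-CrissCrossAuthConfig {
    param([Parameter(Mandatory)][xml]$Config)

    # Look up an <appSettings><add key="..." value="..."/> entry by key.
    function Get-AppSetting([string]$Key) {
        $n = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
        if ($null -ne $n) { $n.GetAttribute('value') }
    }

    $problems = @()
    $auth = $Config.SelectSingleNode('/configuration/system.web/authentication')
    $id   = $Config.SelectSingleNode('/configuration/system.web/identity')
    $flag = Get-AppSetting 'crisscross.ImpersonateLoggedOnUser'

    if ($null -eq $auth -or $auth.GetAttribute('mode') -ne 'Windows') {
        $problems += 'authentication mode is not "Windows"'
    }
    if ($flag -notin 'true', 'false') {
        $problems += 'crisscross.ImpersonateLoggedOnUser must be "true" or "false"'
        return $problems
    }

    # The app setting and the ASP.NET identity element must select the same mode.
    $appImpersonates = $flag -eq 'true'
    $aspImpersonates = $null -ne $id -and $id.GetAttribute('impersonate') -eq 'true'
    if ($appImpersonates -ne $aspImpersonates) {
        $problems += "ImpersonateLoggedOnUser=$flag but <identity impersonate> disagrees"
    }

    # Fixed User Mode also needs all three fixed-account settings filled in.
    if (-not $appImpersonates) {
        foreach ($k in 'FixedSsrsUsername', 'FixedSsrsDomain', 'FixedSsrsPassword') {
            if (-not (Get-AppSetting "crisscross.$k")) { $problems += "crisscross.$k is not set" }
        }
    }
    $problems
}

# Constructed sample: the app setting selects Fixed User Mode, but ASP.NET
# impersonation is still on and no fixed account has been filled in.
$sample = @'
<configuration>
  <appSettings><add key="crisscross.ImpersonateLoggedOnUser" value="false"/></appSettings>
  <system.web><authentication mode="Windows"/><identity impersonate="true"/></system.web>
</configuration>
'@
Test-CrissCrossAuthConfig -Config $sample
```

To check a deployed copy, pass the file contents instead of the sample, for example `Test-CrissCrossAuthConfig -Config (Get-Content .\web.config -Raw)`; an empty result means the two settings agree.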