A couple of days ago I was using ASP.NET WebForms and the new ReportViewer control to put together a quick demo for rendering SQL Server Reporting Services (SSRS) reports right in your web application.

If you're not familiar with the ReportViewer control, Thom Robbins put together a great screencast to introduce the ReportViewer control.

How I used the control

I was running the control in remote mode - meaning it pulls the reports down from a fully managed SSRS installation, and then renders them directly in the web browser - all from within my application. I was also using Windows Authentication because the client required it.

Anyhow, everything worked beautifully on my local dev box VM, but when I pushed it out to a staging server it was a no-go.

The request failed with HTTP status 401: Unauthorized.

Time to do some Googling! As luck would have it - or maybe not - this seems to be a pretty common issue so there are a lot of blogs, mailing lists, forums, etc... talking about it. 

I quickly realized this was an authentication issue and because my web app and Reporting Services were both using Windows Authentication there seemed to be a disconnect in the authentication mechanism.

Some possible solutions?

I happened across a blog post by Russell Christopher where he explains in great detail how to make the ReportViewer impersonate the logged in user so that when it hits SSRS it will pass along the user's credentials - as opposed to passing along the YOURMACHINENAME\ASPNET credentials that ASP.NET usually runs with.

In the end I didn't end up using his code because I didn't need to dynamically swap the identity, I just needed to be sure to pass along credentials for a user that had rights to SSRS. To do that all I needed to do was edit my web.config and add the following element under the system.web section:

<identity impersonate="true" />

After making the change I tried to view the report again and... same error, doh!

After another hour (or so) of searching and trying various fixes I finally came across an article by Greg Van Mullem that explains how to configure SSRS to run in a non-Default web site. The key piece of information I culled from Greg's guide was all the way at the bottom in Step 7.3 - Disable loopback checking.

I realize the error message I was getting isn't listed under the Symptoms in the Microsoft KB article but I figured I might as well try it as nothing else was working. So I fired up RegEdit, made my way to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and, created a new DWORD named DisableLoopbackCheck with a value of 1.

Is it working yet?

After that I tried to view the report once more and... Bingo! I was back in business.

I then proceeded to revert all changes I had made one at a time and retest the report viewer. In the end, the only changes I needed were the two described in this post.

1. Set your ASP.NET application to impersonate the logged in user
2. Modify the registry - adding the DisableLoopbackCheck key.

Hopefully you can take a little knowledge away from this post and save yourself a little time and a lot of frustration. Good luck!