SSRS, Data Sources, Stored Credentials, and Service Accounts
I was helping with the setup of a new SSRS instance on our servers recently and was puzzled when we tried to configure the data source. I wanted to set up a shared data source with a service account that would have the appropriate permissions. All reports were going to be automated – no direct user access. Security in that case wasn’t a huge concern. I pulled up the data source in the Report Manager, entered the credentials, and tested the connection, only to be given a “Login Failed” message.
I checked my username and password – both correct. I tried my credentials – they worked. I tried the service account again – failure. I verified the service account’s permissions on the target server – correct. Finally, I dug into the Event Logs and noticed that the service account was requesting an interactive login when it failed. I played around with different groups and found that it would work if in the Administrators group. Not wanting to leave it there, I removed it from the group and did some more digging.
I found this article on MSDN that indicated the accounts used for stored credentials needed both “Allow Log On Locally” and “Log On As a Batch Job” permissions.
I launched “secpol.msc” from a Run dialog and checked the Local Policies –> User Rights Assignments. This showed me that the only group/user allowed to log on locally was the Administrators group. I changed that to add this one service account. I checked the groups allowed to log on as a batch and verified that this account was included in one of the allowed AD groups. After setting this permission in the security policy, I tried again – this time to a “Success” message.