Friday, November 20, 2009

SRS, UAC, IE ESC to name a few abbreviations and a puzzle…

At a customers site I bumped into this puzzling issue: All servers are Windows Server 2008 SP2 based, with User Account Control (UAC) enabled. On one server I installed SQL 2008 SP1 with SQL Reporting Services (SRS). Also Internet Explorer Enhanced Security Configuration (IE ESC) is enabled by default for all users, admins included.

After having applied SP1 for SQL 2008 I always check SRS. Does it work? So I started IE and surfed to this address: http://localhost/reports. This is what I got:
image

Hmm. Looks almost good. SRS is working. Wait. Some buttons are missing!? Now what? So I set IE ESC for Users only. Still no luck. I set it back. I disabled Protected Mode. Still no luck. Set IE ESC for Users only again, so I have both adjustments now. Still no luck.

So I checked the settings in IE:
clip_image002

Seems OK to me. Then I added the site (http://localhost) to the list of sites for Local Intranet:
image

Closed IE, started IE and surfed to the SRS website. Still no luck! What about approaching this website from another server? I logged on to another server with the same credentials, started IE and surfed to the SRS website residing on the SQL server. Now I used the name of server instead of localhost (duh!). This is what I got:
image

That looks better. But strange it is since IE is set to this:
clip_image002[4]

And as we all know, Trusted Sites is more protected (more content is blocked) then Local Intranet, the setting on the SQL server itself! So why does it work from any other server but not from the SQL Server it self?

So time to use the internet. Found this posting of an SQL/SRS MVP but still no luck…

A colleague of mine came with an idea: Let’s run IE on the SQL server with elevated permissions. So I did. This is what I got:
image 

Okay, it is working. But still I am puzzled why without elevated permissions it works from any other server AND with higher security settings? Any one out there with an explanation, please step up and tell me. Since I am still puzzled here.

Good to know: Reporting installed fine since on Windows 2008 Server I run every installation with elevated permissions by default.

2 comments:

Thomas Vuylsteke said...

After reading your post, I took the time to write an explaining post myself.

http://setspn.blogspot.com/2009/11/explaing-uac-related-behaviour.html

Do not mind the look and feel of the blog. I'm giving blogging a second chance and I'm really in the process of moving posts and refurbishing the whole thing

Marnix Wolf said...

Hi Thomas.

Thanks for visiting my blog AND your answer. It has certainly helped me. Great posting!

Best regards,
Marnix Wolf