SSRS2：Reporting Service 配置Service Account

1，Service Account

SSRS以一个Service方式实现，有三部分组成：Web Service，Report Manager和一个后台的进程，这个Service运行的账号就是Service Account。虽然Report Server Web service and Report Manager都是Asp.net应用程序，但是他们并不运行在Asp.net应用程序的 Account下，Report Server Web service and Report Manager 使用的都是Service Account，并且拥有相同的Process Identity。

Reporting Services is implemented as a single service that contains a Report Server Web service, Report Manager, and a background processing application that is used for scheduled report processing and subscription delivery.

In a Reporting Services installation, the Report Server Web service, Report Manager, and the background processing application run within a single service. The account under which the service runs is defined during Setup when you specify the account in the Service Identity page, but you can use the Reporting Services Configuration tool if you want use a different account or update the password.

Use the Service Account page to specify the account under which the Report Server service runs. This account is initially configured during Setup. You can modify it if you want to change the account or password. The Report Server Web service, Report Manager, and the background processing application all run under the service identity you specify on this page.

The Report Server service account is defined during Setup. You can run the service under a domain user account or a built-in such as NetworkService account. There is no default account; whatever account you specify in the Server Configuration - Service Accounts page of the Installation Wizard becomes the initial account of the Report Server service.

                                                                      Important

Although the Report Server Web   service and Report Manager are ASP.NET applications, they do not run under   the ASP.NET account. The single service architecture runs both ASP.NET   applications within the same Report Server process identity. This is an   important change from previous releases, where both the Report Server Web   service and Report Manager ran under the ASP.NET worker process identity   specified in IIS.

在IIS的 Application Pool 中配置 Identity，即Web application运行的account。

Service Account是SSRS运行的账号，可以在Services中查看Reporting Services的Properties。

2，Service Account的作用和权限

Service Account必须能够访问和注册Report Server Database。

The account you specify for the Report Server service requires permission to access the registry, report server program files, and the report server database. All permissions are configured for the account automatically when you use the Reporting Services Configuration Manager to set the account. If you use the service account to connect to the report server database, the Configuration Manager creates a database login for the account and configures database permissions by assigning the account to the RSExecRole on the SQL Server instance that hosts the report server database. The report server database is the only data store that a report server writes to. The service account does not require permissions to any other data stores.

3，Change Service Account

推荐使用Reporting Services Configuration Manager修改Service Account。

Whenever you need to update the account or password, it is strongly recommended that you use the Reporting Services Configuration Manager. Using the Configuration Manager to update the account ensures that other internal settings that depend on the service identity are automatically updated at the same time.

Use a built-in account

Select Network Service, Local System, or Local Service from the list. Only Network Service is recommended; however, you can configure the account to use any account that is available.

Use another account

Select this option to specify a Windows user account. You can enter a local Windows user account or domain user account. Specify a domain account in this format: <domain>\<user>. Specify a local Windows user account in this format: <computer name>\<user>. You can only select an existing account; you cannot create new accounts in Reporting Services Configuration.

The maximum character limit on the account is 20 characters.

If your network uses Kerberos authentication and you configure the report server to run under a domain user account, you must register the service with the user account. For more information, see Register a Service Principal Name (SPN) for a Report Server.

4，切换账号时，必须备份encryption key，并指定加锁和解锁的密码。

If you switch the account type (for example, replacing one Windows account with another or replacing a built-in account with a Windows domain account), you will be prompted to create a backup copy of the encryption key. The backup copy will be restored automatically when you select the new account.

     Note

The Reporting Services Configuration manager prompts you   to back up and restore the encryption key whenever you modify the service   account. These steps are necessary for ensuring that encrypted data remains   available to the report server. For more information about these actions, see   Encryption   Keys (SSRS Native Mode).

Additionally, if you have a report server that is configured to run in SharePoint Integrated mode and you change the service account by using the Reporting Services Configuration Manager, you must also open SharePoint Central Administration and use the Reporting Services Grant Database Access page to re-apply the report server and instance settings. This step will grant the new service account access to the SharePoint databases, which is required for integrating Reporting Services with a SharePoint product or technology. For more information about how to grant database access in SharePoint Central Administration, see Configuration and Administration of a Report Server (Reporting Services SharePoint Mode) and Reporting Services SharePoint Mode Installation (SharePoint 2010 and SharePoint 2013).

5，Choosing an Account

For best results, specify an account that has network connection permissions, with access to network domain controllers and corporate SMTP servers or gateways. The following table summarizes the accounts and provides recommendations for using them.

Account	Explanation
Domain user accounts	If you have a Windows domain user account that has the   minimum permissions required for report server operations, you should use it. A domain user account is recommended because it isolates   the Report Server service from other applications. Running multiple   applications under a shared account, such as Network Service, increases the   risk of a malicious user taking control of the report server because a security   breach for any one application can easily extend to all applications that run   under the same account. A domain user account is required if you are configuring   the report server for constrained delegation, or for SharePoint integrated   mode with SharePoint 2010 Products which require domain user accounts rather   than built-in machine accounts. Note that if you use a domain user account, you will have   to change the password periodically if your organization enforces a password   expiration policy. You might also need to register the service with the user   account. For more information, see Register a   Service Principal Name (SPN) for a Report Server. Avoid using a local Windows user account. Local accounts   typically do not have sufficient permission to access resources on other   computers. For more information about how using a local account limits report   server functionality, see Considerations   for Using Local Accounts in this topic.
Network Service	Network Service is a built-in least-privilege account that   has network logon permissions. This account is recommended if you do not have   a domain user account available or if you want to avoid any service   disruptions that might occur as a result of password expiration policies. If you select Network Service, try to minimize the number   of other services that run under the same account. A security breach for any   one application will compromise the security of all other applications that   run under the same account.
Local Service	Local Service is a built-in account that is like an   authenticated local Windows user account. Services that run as the Local   Service account access network resources as a null session with no   credentials. This account is not appropriate for intranet deployment   scenarios where the report server must connect to a remote report server   database or a network domain controller to authenticate a user prior to   opening a report or processing a subscription.
Local System	Local System is a highly privileged account that is not   required for running a report server. Avoid this account for report server   installations. Choose a domain account or Network Service instead.

6，Considerations for Using Local Accounts

The primary consideration for using local accounts is whether the report server requires access to remote database servers, mail servers, and domain controllers. If you configure the report server to run as a local Windows user account, Local Service, or Local System, you introduce considerations that must be factored into how you set other configuration settings, and on subscription creation and delivery:

• Running the service under a local      account will limit your options later if you configure a connection to a      remote report server database. Specifically, if you are using a remote      report server database, you will have to configure the connection to use a      domain user account or SQL Server database user that has permission to log      on to the remote SQL Server instance.
• Running the service under a local      account will introduce new requirements on subscription creation. The      report server stores information about the user who creates the      subscription. If the user creates the subscription while logged on under a      domain account, the Report Server service will try to connect to a domain      controller to authenticate the user when the subscription is processed. If      the service runs under a local account, the authentication request will      fail when the report server tries to send the request to a remote domain      controller. To work around this limitation, you can use a custom      forms-based authentication extension or have all users connect to a report      server under a local user account.
• Running the service under a local      account will introduce new requirements for subscription delivery. Some      delivery extensions have user account information in the subscription      definition. If you are sending reports to e-mail addresses that are based      on domain user accounts and you run the Report Server service under a      local account, it cannot access a remote domain controller to resolve the      target e-mail account.
• Built-in Windows service accounts      (Local Service or Network Service) are not supported as report server      service accounts on a computer that is a domain controller.