Microsoft Docs

Authentication

Reporting Services supports multiple authentication mechanisms:

• Windows Authentication (Kerberos, NTLM)
• Custom Authentication extensions
• Forms Authentication (via extensions)

Configure the authentication method in RSReportServer.config under the <Authentication> element.

<Authentication>
  <AuthenticationTypes>
    <add Type="Windows" />
  </AuthenticationTypes>
</Authentication>

Authorization

Control access to items (folders, reports, resources) using Role-Based Security (RBS). Built‑in roles include:

• System Administrator – full control over the server.
• System User – limited server‑wide permissions.
• Browser – view reports.
• Content Manager – create and manage items.

Assign roles via the Report Manager UI or PowerShell:

Set-RsItemSecurity -Path "/Sales" -Roles @("Browser") -UserNames @("DOMAIN\jdoe")

Encryption

Data transmitted between the client and server can be protected using HTTPS. Configure SSL bindings in IIS and update the Report Server URL.

Credentials for data sources can be stored securely using the built‑in encryption mechanism. The encryption key can be backed up via the Reporting Services Configuration Manager.

Auditing and Logging

Enable detailed logging to monitor access and usage:

• Report Server Execution Log (reportserver database)
• Windows Event Log – errors and warnings
• Custom logging via extensions

Sample query to retrieve execution details:

SELECT
    TimeStart,
    ReportPath,
    UserName,
    Format,
    Status
FROM
    ExecutionLog3
WHERE
    TimeStart > DATEADD(day, -7, GETDATE())
ORDER BY TimeStart DESC;

Best Practices

1. Use HTTPS for all client connections.
2. Enforce least‑privilege role assignments.
3. Regularly back up the encryption key and store it securely.
4. Enable and review the Execution Log on a weekly basis.
5. Apply the latest security patches for SQL Server and the OS.

For deeper guidance see the Security Best Practices article.