Non Domain User Access to Report Server

HI Team,
I am Back with another question. These days i am working on SSRS web services as a part of that i need to provide user access to non domain users to the report manager which is residing in a virtual machine and also when i use the report service web service
URL it is asking for virtual machine's windows credentials and as per my client's requirement i should not be prompted with VM'S windows credentials.
Also, we are providing end users with a login page and this login page is connected to a separate User's database in the VM and how to register these non domain users in the report server database
and also reort manager. please help me out of this issue.
Thank you.

Hi NB515,
In Reporting Services, if we connect to Report Manager out of domain, then we need provide a domain username and password can we access to it. If you want to skip this step, you can configure anonymous access for the report server. However,anonymous access
is not recommended as it may give direct access to your report server or report projects to any one who know the URL of your Reporting Services. But in case you still want to try it, you can refer to the link below to see it:
http://blog.quasarinc.com/ssrs/sql-server-reporting-services-2012-anonymous-access/
If you have any questions, please feel free to ask.
Regards,
Charlie Liao
TechNet Community Support

Similar Messages

"Unable to check revocation" error while checking CDP from non-domain user account

Hi!
I use 3-tier PKI infrastructure:
Stand-alone offline Root CA: RootCA;
Stand-alone offline Intermediate subordinate CA: SubCA;
Enterprise CA: EntSubCA.
In certificate we have three CDP point for CRL check:
ldap:///, http:// and file://
I have Windows 2008 R2 server joined to domain.
I use command certutil –verify –urlfetch <filename.cer> >check.txt for revocation checking of certificate.
When I use domain user account for revocation checking, all OK.
I have access to any CDP and all fine.
But when i use local server user account, I haven't access to ldap:/// and process failed although all other links is OK.
My question is "why check fail with non-domain user accout while other CDP point succesfully verifed"?
Here is the logfile from local user:
Issuer:
CN=EntSubCA
DC=DED
DC=ROOT
Subject:
CN=servername.domain_name
Cert Serial Number: 5a896145000300006ee2
dwFlags = CA_VERIFY_FLAGS_ALLOW_UNTRUSTED_ROOT (0x1)
dwFlags = CA_VERIFY_FLAGS_IGNORE_OFFLINE (0x2)
dwFlags = CA_VERIFY_FLAGS_FULL_CHAIN_REVOCATION (0x8)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN (0x20000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwRevocationFreshnessTime: 5 Days, 23 Hours, 15 Minutes, 48 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
NotBefore: 05.02.2015 20:03
NotAfter: 05.02.2016 20:03
Subject: CN=servername.domain_name
Serial: 5a896145000300006ee2
SubjectAltName: DNS Name=servername.domain_name
Template: Machine
70 e4 6b 16 05 a1 62 e3 6d 24 96 ff 44 74 ee a2 3e ce df 18
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?cACertificate?base?objectClass=certificationAuthority
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crt
---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?certificateRevocationList?base?objectClass=cRLDistributionPoint
Verified "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
Verified "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
OK "Base CRL (018d)" Time: 0
[1.0] file://\\ca\crl\EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[1.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[1.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[1.0.2] http://webserver/crl/EntSubCA.crl
OK "Base CRL (018d)" Time: 4
[2.0] http://webserver/crl/EntSubCA.crl
Failed "CDP" Time: 0
Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
[2.0.0] ldap:///CN=EntSubCA,CN=ca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=DED,DC=ROOT?deltaRevocationList?base?objectClass=cRLDistributionPoint
Old Base CRL "Delta CRL (018d)" Time: 0
[2.0.1] file://\\ca\crl\EntSubCA.crl
Old Base CRL "Delta CRL (018d)" Time: 4
[2.0.2] http://webserver/crl/EntSubCA.crl
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 018d:
Issuer: CN=EntSubCA, DC=DED, DC=ROOT
33 af 4d be 0e 35 45 94 bc 8b 3f d9 c1 60 e7 0c c4 83 17 b6
Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=SubCA
NotBefore: 13.11.2014 19:12
NotAfter: 13.11.2017 19:22
Subject: CN=EntSubCA, DC=DED, DC=ROOT
Serial: 6109015b000100000008
Template: SubCA
9b 04 17 9f c5 fe 52 ca a5 58 49 6c c6 18 fa db 13 b3 92 9e
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The network path was not found. 0x80070035 (WIN32: 53)
file://\\sub_ca\CertEnroll\sub_ca_SubCA(1).crt
Verified "Certificate (0)" Time: 0
[1.0] file://\\ca\crl\SubCA.crt
Verified "Certificate (0)" Time: 4
[2.0] http://webserver/crl/SubCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (32)" Time: 0
[0.0] file://\\ca\crl\SubCA.crl
Verified "Base CRL (32)" Time: 4
[1.0] http://webserver/crl/SubCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 32:
Issuer: CN=SubCA
8d a9 9d 51 65 a3 8e 77 02 22 40 57 62 70 e8 f6 c5 2e 60 1e
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 28.05.2008 12:09
NotAfter: 28.05.2058 12:19
Subject: CN=SubCA
Serial: 616bd19f000100000004
Template: SubCA
06 d2 47 e7 dc 8f a7 97 a2 b8 c3 92 03 19 24 0c 47 45 22 14
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 4
[0.0] http://webserver/crl/RootCA.crl
Verified "Base CRL (1c)" Time: 0
[1.0] file://\\ca\crl\RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=RootCA
NotBefore: 27.05.2008 16:10
NotAfter: 27.05.2110 16:20
Subject: CN=RootCA
Serial: 258de6fbd3bbab92460530e9e9f10536
5d e4 56 38 13 0a 52 aa 66 51 25 61 19 33 c9 d7 a2 c7 dd 38
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
---------------- Certificate AIA ----------------
Verified "Certificate (0)" Time: 0
[0.0] file://\\ca\crl\RootCA.crt
Verified "Certificate (0)" Time: 4
[1.0] http://webserver/crl/RootCA.crt
---------------- Certificate CDP ----------------
Verified "Base CRL (1c)" Time: 0
[0.0] file://\\ca\crl\RootCA.crl
Verified "Base CRL (1c)" Time: 4
[1.0] http://webserver/crl/RootCA.crl
---------------- Base CRL CDP ----------------
No URLs "None" Time: 0
---------------- Certificate OCSP ----------------
No URLs "None" Time: 0
CRL 1c:
Issuer: CN=RootCA
dc 98 2f 8d 16 9c 64 6e b2 74 89 95 9a 6c 1b 77 fd 58 63 fb
Issuance[0] = 1.2.700.113556.1.4.7000.233.28688.7.167403.1102261.1593578.2302197.1
Exclude leaf cert:
5b 8d 96 39 f8 a3 6f af f3 89 bc 8d 78 e2 da 53 21 b8 ff aa
Full chain:
ca 99 30 47 9b ad ab ce 97 cc 70 80 a5 4e 11 b3 1a 83 98 78
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2 Client Authentication
1.3.6.1.5.5.7.3.1 Server Authentication
ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the revocation server was offline.
CertUtil: -verify command completed successfully.

What you have discovered is the reason to *not* use LDAP URLs for CDP and AIA extensions in your PKI. To access those URLs, the account must access to the URLs. In your output, it is quite clear that the local account does not have necessary permissions
(you also use FILE URLs for publication, which again is not recommended).
The best practice is to use a single URL for the CDP extension. It should be an HTTP URL that is hosted on a highly available (internally and externally accessible) Web cluster.
For the AIA extension, it should contain two URLs: one for the CA certificate - again to an internally and externally accessible, highly available Web cluster and one for the OCSP service - also
an internally and externally accessible, highly available Web cluster.
the other issue is that the root CA is *not* trusted when run by a non-domain account. How are you adding the trusted root CA. It is recommended to do this by running
certutil -dspublish -f RootCA.crt.
This will ensure that the computer account trusts the root CA. In your output, the root CA certificate is not trusted.
Brian

Error in Accessing the Report Server URL

Hi All,
I am trying to access the Report Server URL in PowerPivot.But facing below issue .Can any one help me how can I solve the issue
Thanks,
Sid

Hi Visakh,
Yes,The user is holding the permission as "Global User" in sql.Hope you help me in solve this issue
Thanks, Quality Communication Provides Quality Work. http://siddiq-sharepoint2010.blogspot.in/ Siddiqali Mohammad .
Hi siddiqali,
According to the screenshot you posted above, the use account didn't have sufficient permission to open the report, please check the following prerequisites before you perform the action:
You must use a report definition (.rdl) file as a data source. Importing from a report model is not supported.
You must have permission to open the report under your Windows user account, and you must know the address of the report or the report server that hosts it. You can check your permissions by trying to open the report in a Web browser first.
If the report opens, it confirms that you have sufficient permissions and the correct URL.
Reporting Services must be version SQL Server 2008 R2 or SQL Server 2012. Those versions include the data feed export feature that streams report data in the XML data feed format. You can identify the report server by the Export as Data Feed option
that appears in the report toolbar when you open the report in browser:
For detail information, please see:
Import Data from a Reporting Services Report:
http://technet.microsoft.com/en-us/library/gg413491.aspx
Regards,
Elvis Long
TechNet Community Support

Can users access iPlanet Calendar Server 2.0 (iCS 2.0) from anywhere?

Can users access iPlanet Calendar Server 2.0 (iCS 2.x) from anywhere?
<P>
Regardless of whether you are a remote user, mobile user, or in the
office every day, you need access to your calendaring information anytime from
anywhere. iCS 2.x provides a personal calendar and event solution that can be
any device that includes a web browser. iCS 2.x works with other Alliance
solutions such as Sun Internet Mail Server and Netscape Messaging Server
software to ensure complete access to your calendar data regardless of location,
platform, or browser.

Hi,
Thank you for your suggestion. I have tried with your option also. Still I am getting the second time userid/password dialogue box.
Is there any other solution to avoid the second time user authentication dialogue box?
Do you want to see the ACL file?
Thanks & Regards,
Murthy

Non Domain computers accessing Report Manager.

I'm using SQL 2012 and am having a hard time finding documentation on how to turn off authentication for the Report Manager. All i want to do is having some computers that are not on our domain be able to pull up a report without getting prompted with
login info.
SSRS is not installed with sharepoint mode.
I found this: http://msdn.microsoft.com/en-us/library/cc281383.aspx but had little luck getting it to work.

Hello,
SSRS uses by Default Windows authentication, but you can change it to anonymous access:
Configure Basic Authentication on the Report Server
Olaf Helper
[ Blog] [ Xing] [ MVP]

Non-domain computer cannot connect to server

I have a unique issue.
I have a Windows 2008 server running Exchange 2010 (all roles on single server )
I have a Windows 7 Pro client that is not a member of the domain.
When setting up Outlook 2010 I enter user's name, email address and password. The system starts configuring, it successfully searches for [email protected] settings. It then prompts for credentials. I cannot get it to take them.
However, If I user the domain admin account I can successfully setup the domain admin email in Outlook. I just cannot do it with a standard user.
Also, I noticed that this non-domain computer can access domain member server if I provide credentials (domain\username). This does not work with this or any of my other Windows 2008 servers.
I have been fighting this with no relief in sight...
Thanks
Wayne

Let me be clear about my symptoms.
Exchange with domain joined computers autodiscover/Outlookworks fine....
DC's and exchange server all have same time/date otherwise nobody would be able to authenticate.
The problem only exists with non-domain computers (both within the network and outside of the network)
The autodiscover tests fine with exchange connectivity tester. I cannot test outlook as I have a certificate from an untrusted root that is installed manually on the non-domain computers.
The non-domain computers can connect to windows 2003 member server (with appropriate domain credentials) but not to this 2008 (or the other 2 2008 member servers)
Update- If I configure the domain administrator account on that same non-domain connected machine, it retrieves the domain admin email just fine.....

Allowing users access to SQL Server 2014 analysis server cubes

I am using SQL Server 2014 analysis server and have created a number of cubes. These all function as expected however it seems that only windows users who are in an
administrator group can get access. All other users are denied access with the very vague error of 'Communication error'.
If I then add that user to our administrators group within the windows domain they instantly get access. I have defined roles for each cube (within analysis services) and then added both individuals (i.e. their windows domain user id) as well as their windows
domain groups to these roles but they still cannot get access - just get the error 'Communication error'.
I am using ADOMD on the client side which I know works because users in the administrators group can see the data. I have granted cube permissions using Management studio however no matter what front end we use (either our own App or EXCEL) if the user in
question is NOT in the administrator group in the domain they cannot get access to any of the cubes.
Any help anyone can provide would be much appreciated.

Hamishr,
According to your description, you want to grant the access permission to cube for the users who are not belong to Administrator group, right?
By default, no one except a Server Administrator or Database Administrator has permission to query cubes in a database. Cube access by a non-administrator requires membership in a role created for the database containing the cube. Membership is supported
for Windows user or group accounts, defined in either Active Directory or on the local computer. So in your scenario, please ensure the steps to grant permission are correct, you can refer to the link below check it.
http://msdn.microsoft.com/en-in/library/ms174799.aspx
Regards,
Charlie Liao
TechNet Community Support

Domain users creation for BizTalk server 2013 installation

Hi all,
I am setting up biztalk 2013 environment clustered BizTalk server and single sql server. I would like to know the list of domain users and domain groups to be created and which groups these users to be a member of. I am also installing and would be using
Sharepoint to develop BizTalk interfaces.
Thanks
Please Help
Vikram

Hi Vikram ,
You need to create below Windows group on your AD before you start your BizTalk Configuration .
1)SSO Administrators:Administrator of the Enterprise Single Sign-On (SSO) service.
2)SSO Affiliate Administrators :Administrators of certain SSO affiliate applications.Can create/delete SSO affiliate applications, administer user mappings, and set credentials for affiliate application users.
3)BizTalk Server Administrators:Has the least privileges necessary to perform administrative tasks Can deploy solutions, manage applications, and resolve message processing issues.
To perform administrative tasks for adapters, receive and send handlers, and receive locations, the BizTalk Server Administrators must be added to the Single Sign-On Affiliate Administrators.
4)BizTalk Server Operators:Has a low privilege role with access only to monitoring and troubleshooting actions
5) BizTalk Application Users:The default name of the first In-Process BizTalk Host Group created by Configuration Manager.Use one BizTalk Host Group for each In-Process host in your environment.Includes accounts with access to In-Process
BizTalk Hosts (hosts processes in BizTalk Server, BTSNTSvc.exe).
6)BizTalk Isolated Host Users :The default name of the first Isolated BizTalk Host Group created by Configuration Manager. Isolated BizTalk hosts not running on BizTalk Server, such as HTTP and SOAP.Use one BizTalk Isolated Host Group for
each Isolated Host in your environment.
7)BAM Portal Users :Has access to BAM Portal Web site.
8)BizTalk SharePoint Adapter Enabled Hosts :Has access to Windows SharePoint Services Adapter Web Service
9)BizTalk B2B Operators Group : A new BizTalk role that reduces the onus on the Administrators to perform all Party management operation. This role allows windows users associated with the role to perform all party management operations.
Now coming to domain User , you can have single -multiple setting were you can run SSO ,InProcess and Isolated on different domain user . You can also run all the configuration settings on single user as well .
Thanks
Abhishek

Cannot connect to SERVER. Login failed for user 'DOMAIN\user'. (Microsoft SQL Server, Error 18456) - SQL Server 2012 on Windows Server 2008 R2

I've seen multiple blogs and forums with similar problems and SQL 2012 or 2008. But no solutions that work for me.
I have installed SQL Server in mixed mode (SQL and Windows authentication). I can create new Login accounts in either mode. However, I cannot get an AD security group Login account to work. I am trying to add group 'DOMAIN\Domain Admins' or 'SERVER\Administrators'
as a Login so that any of the domain's administrator accounts can open SQL Server Management Studio and act as an 'sa' account on this server.
I have deleted the SQL account 'DOMAIN\Domain Admins'.
I have restarted SQL.
I have restarted the Win2K8r2 server.
I have launched SSMS as Administrator from the desktop of SERVER.
I have launched SSMS as another user (and used 'DOMAIN\user' to lauch it) from the desktop of SERVER.
I can create a login account named 'DOMAIN\user' (who happens to be a member of the 'DOMAIN\Domain Admins' group) and give this account 'sa' security, and when I do that, this account works as expected...
How do I add a security group as a Login account and give all members of that group the ability to be an 'sa' account?

Hi geoperkins,
Are you getting the following error message?
Error: 18456, Severity: 14, State: 11
Login failed for user <Domain\user>. Reason: Token-based server access validation failed with an infrastructure error.
If that is the case, the issue could be due to that the Windows login has no profile or that permissions could not be checked due to UAC. Please disable UAC firstly and check if it is successful to log in SQL Server.
Another reason could be that the domain controller could not be reached. You may need to resort to re-creating the login. Create a new group in AD, add users to the new group, then add the group to the local admin group and create login for the group in SQL
Server.
There is a connect item describing similar issue for your reference.
https://connect.microsoft.com/SQLServer/feedback/details/680705/cant-login-to-sql-using-windows-authentication-when-user-is-in-a-domain-security-group
For more details about above error, please review the following blog.
http://sqlblogcasts.com/blogs/simons/archive/2011/02/01/solution-login-failed-for-user-x-reason-token-based-server-access-validation-failed-and-error-18456.aspx
Thanks,
Lydia Zhang
Lydia Zhang
TechNet Community Support

Non-domain user authentication against SSAS on Active/Passive Cluster

Hello,
We have an Active/Passive SQL Server setup (DB1 & DB2 Servers) connected to a cluster for SQL & SSAS. I have a web server not on the same domain that I am trying to authenticate with SSAS. This works OK if I set the website to impersonate
myUser and I add local account myUser as an Admin on SSAS for the active server (DB1). But when this fails over to DB2 then it fails to authenticate. SSAS won't allow us to add myUser as an admin for local accounts on both DB1 & DB2 as it errors
adding the second one. Could anyone advise how such a scenario should be approached?
We have tried creating a domain user too which DB1 & DB2 can of course both share but I don't think the web server can impersonate this with being not part of the domain.
Thanks.

Hi Jcorker,
According to your description, you need to access the SQL Serve Analysis Services database which is configured as cluster for SQL & SSAS from another domain, right?
In SSAS we can use the solution below achieve the requirement.
1.Create new domain account and impersonate the web site with that.
2.Create local user account on the analysis service with same exact username/password as like domain account created in the previous step.
However, you cannot create a local account with the same name on both servers. I have tested it on my local environemnt, we can create the same local account with the same name on both servers. In your scenario, if DB1 and DB2 on different server, you can
create a local account with the same name on both servers. Please post the detail errors, so that we can make further analysis.
Besides, SSAS only allows users of the same domain or trusted domains and it does not allow users from any domain except from these two. You can configure the trust relationship between the domains.
http://technet.microsoft.com/en-us/library/cc961481.aspx
Regards,
Charlie Liao
If you have any feedback on our support, please click
here.
Charlie Liao
TechNet Community Support

Non-Domain joined clients connect to server initially but cannot connect via Launchpad

Running SBS 2011 Essentials in a small office. Running XP/Vista/7 clients. All working fine until we swapped routers. Old router died, new router was installed.
Now all domain-joined PC's connect as normal, but all NON-Domain-Joined PC's cannot access the server via the launchpad. I get the "The server appears to be offline. Do you want to sign in to offline mode?" box.
Tried removing PC from the SBS Dashboard, uninstalling the connector from the client, restarting client, and reinstalling the connector. I can install the connector (using
http://<server ip>/connect , but not http://<servername>/connect
). Connector installs but it still tells me the server is offline when trying to use dashboard or launchpad on the client.
Note: I can add a network location or Map a network drive to ther server after inputting my network password from Windows.
Any Services to check? Firewalls exceptions to ensure? Advice?
EDIT: Dashboard on Server shows Client, sometimes as online, sometimes as offline.

Sounds like name resolution issue to me.
Are all your clients set to use the IP of the Essentials Server for their primary DNS?
Robert Pearman SBS MVP
itauthority.co.uk |
Title(Required)
Facebook |
Twitter |
Linked in |
Google+

How to allow non domain users to map to print drivers?

Greetings,
We have a Windows Server 2008 (non R2) 32 bit server that acts as print server. It's also on a domain. Users who are on the domain can easily add the print driver simply by going to device and printers and clicking Add Printer and selecting Network since
I list it in the AD.
The problem arise with well over 100 realtors that walk in and out and need to print. These users are not on the domain. They need to have the print drivers on their computers. I'm hoping we can at least get them to map to the drivers as opposed to unending
local installs.
The management does not want to hear about security, and wants the simplest possible way for their realtors to get up and printing from their computers when they arrive to the office.
Any advice is welcomed.
Thank you!

In the end they got a domain user account that they share to add printers...
Thanks for sharing in the forum. Your time and efforts are highly appreciated.
Best regards,
Justin Gu
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Disable http access to report server

Hello,
I am using sql reporting services 2008.
I use report viewer control (inside aspx page).
i.e www.mydomain.com/report1.aspx (inside the code contains report1.rdl).
That's the only way I want users to access any report.
Currently, I can still surf into http://www.mydomain.com/reportserver, type credentials and view reports.
I want to disable it totally so that if I try to browse into http://www.mydomain.com/reportserver I will get 404 or 401.
How can I do that?
Thank you

Open "Reporting Services Configuration Manager", go to tab "Report Manager URL", click on "Advanced" and remove the port to listen on; or use a "non-Default" port different to 80
Olaf Helper
[ Blog] [ Xing] [ MVP]

Lync for Mac 2011 - non-domain user logins

How can a non-domain (external) mac user join a lync meeeting? We've installed the client, they have a live.com account (and a skype login if that can help), but we can't login using their live.com id, always returning a failed login error message (check
password, username ...).
Authentication is set to non kerberos, manual config, using TLS with this server:
sipdir.online.lync.com:443
logs follow:
Microsoft Lync 14.0.7 (131205)
MacOS version 10.9.1 (build 13B42)
2014/02/25 21:16:49.330 SIPService::OnEvent(IApplicationLayerEvent &), type: 0, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.075 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 0, newState: 10, direction: 0
2014/02/25 21:16:50.082 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:16:50.084 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.477 Office Communications Server LOGON STARTED: USER = {[email protected]}
2014/02/25 21:18:00.478 SIPService::Logon
2014/02/25 21:18:00.514 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.755 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.756 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.762 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 3, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.764 SIPService::OnEvent(IApplicationLayerEvent &), type: 1, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:00.785 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x0, oldState: 10, newState: 20, direction: 0
2014/02/25 21:18:00.817 InternalConnect, NLResolveAddress returned: 0
2014/02/25 21:18:00.819 IsLocalAddress, 'sipdir.online.lync.com' is not a local address
2014/02/25 21:18:00.819 FShouldUseProxy, is returning 1
2014/02/25 21:18:00.819 Connecting to sipdir.online.lync.com (port 443)
2014/02/25 21:18:01.513 InternalConnect, NLCreateConnection returned: 0,
2014/02/25 21:18:01.514 InternalConnect, NLCopyConnectionBinding returned: 0,
2014/02/25 21:18:06.041 FShouldUseProxy, is returning 1
2014/02/25 21:18:06.836 FShouldUseProxy, is returning 1
2014/02/25 21:18:10.802 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 0
2014/02/25 21:18:10.802 Login (1) failed with error: (0.0)
2014/02/25 21:18:10.976 SIPService::OnEvent(ILogonCredentialManagerEvent), type: 6
2014/02/25 21:18:10.983 SIPService::OnEvent(NModel::ILogonSessionEvent), hr: 0x80ef0191, oldState: 20, newState: 10, direction: 1
2014/02/25 21:18:10.983 void SIPService::OnLogoffResult(HRESULT), hr: 0x80ef0191
2014/02/25 21:18:10.986 void SIPService::LogoffEx()
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 2, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.987 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.988 SIPService::OnEvent(IApplicationLayerEvent &), type: 4, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.990 SIPService::OnEvent(IApplicationLayerEvent &), type: 8, HasSignedIn(): 0, HasSignedOut: 0
2014/02/25 21:18:10.998 SIPService::OnEvent(IApplicationLayerEvent &), type: 6, HasSignedIn(): 0, HasSignedOut: 0

Judging by your post (because you are using sipdir.online.lync.com) are you a Lync Online subscriber? Or does the user only have a Windows Live/Skype account?
Basically if you're using Lync Online, you can just sign-in using your Lync Online user name, which will either be something like [email protected] or if you have set custom domains it will just be [email protected]
It won't work with Skype/Windows Live accounts.
If you have an on-premise Lync externally you will connect through your Edge with the Mac client, or if inside the LAN you may need to install the root certificate from your internal Certificate Authority if you're using an internal issued rather than public
(GoDaddy, Verisign, Digicert, etc.) certificate.
If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer" | Blog
www.lynced.com.au | Twitter
@imlynced

Domain Users access to Remote Desktop Apps fails

Can somebody bring a light to this issue?
Our domain users are getting NO apps from the collection, when they should get at least the Full MS Office 2013 Pro apps suite that was published to the collection without any user restrictions...
Are they supposed to be member of the RDP Group or what else we missed during the settings?
Also, when trying to access from IE using the link https:// [FQDN] /rdweb/feed/webfeed.aspx (FQDN omitted for security reasons) they get a prompt to download the file "WebFeedlogin.aspx" as son as they successfully authenticate with their
credentials...
FYI: All users member of Domain Admin group are working just fine...
Thank you in advance for your time and effort to solve this! ;)

Hi Marcio,
Thank you for posting in Windows Server Forum.
After going through your comment, I would say that to access RemoteApp by user they must be member of Remote Desktop User local group also. Apart you can go through below article for configuration related setting.
- Introducing RemoteApp User Assignment
- Step by Step Windows 2012 R2 Remote Desktop Services – Part 4
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Non Domain User Access to Report Server

Similar Messages

Maybe you are looking for