SQL Server Reporting Services and Crystal Reports:
A Competitive Analysis

Copyright 2005, Brian Bischof

Site Security - Forms Authentication

The most common method of securing ASP.NET sites is using Forms Authentication. A website has certain pages flagged as public access and other pages require secure access. When the user first attempts to access a secure page they are prompted to enter their login credentials. After successfully logging in a cookie is dropped in the user's browser and they can access all pages from that point forward with no additional logins.

Crystal Reports is fully compatible with ASP.NET Forms Authentication. Using reports within a secure website is a seamless experience for the user.

SSRS is not compatible with Forms Authentication. SSRS security is implemented by SSRS server using Windows authentication. Each user should have their own User Id and Password for the server. The Reporting Services server is located on a separate server from the application and requires separate authentication. This requires the user to log in prior to accessing reports even if they already logged in before. This scenario is OK for intranets where each user has their own login credentials and they don't mind hitting a different server to print reports. It isn't ideal for public websites that have a single login page for the entire site. It also isn't ideal if you want reports to appear as a seamless part of the web application.

The reason that SSRS reports can't be included within the web app is because the request is being generated from the client side and not within the report server. The report server tracks user authentication separately from the main application and the Forms Authentication cookie can't be shared between the two. It is possible to get around this limitation. You have to buy a license for the Enterprise edition of SQL Server ($20,000) and then learn the custom security API model. This is a very code intensive process and requires extensive debugging. Doing this means that you are replacing the built-in security model with your own custom built security model. You will also lose other features like workgroup management (unless you plan on rewriting that functionality as well). In a Microsoft webinar it was even suggested that if you want to get around the Forms Authentication problem then you could install SSRS outside your firewall.

< Prev Next >
Table of Contents
1. Executive Summary
2. Reporting Services Overview
3. Reporting Services Overall Impressions
4. Product Offerings and File Formats
5. Licensing Details
6. Connecting To Data
7. Securing Sites with Forms Authentication
8. Designing Reports
9. Passing Parameters
10. Exporting Reports
11. Subreports
12. Conclusion