Error subscription delivery in SSRS with custom security extension

I developed a custom security extension to have a single sign on from our intranet product to the reporting services. It works like a charm until I come to a subscription.

Development was done as suggested here: http://msdn.microsoft.com/en-us/library/ms155029.aspx

Login, upload and managing reports work. Every user can read and open reports. We also implemented authorization and overwrote the functions as described here: http://msdn.microsoft.com/en-us/library/ms152800.aspx

Managing folders and reports works as well.

When I add a subscription to render a report to deliver it via email, the system says that the user does not have enough permission to email the report.

notification!WindowsService_0!1674!10/09/2013-14:02:04:: i INFO: Handling subscription f70f374e-28fa-4ba2-8b0e-6633f1299ee9 to report Projekt Aufwand, owner: rausch, delivery extension: Report Server Email.
library!WindowsService_0!1674!10/09/2013-14:02:04:: i INFO: RenderForNewSession('/Projektverwaltung/Projekt Aufwand')
library!WindowsService_0!1674!10/09/2013-14:02:04:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: , Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: Die dem Benutzer 'rausch' erteilten Berechtigungen reichen zum Ausführen des Vorgangs nicht aus.;
library!WindowsService_0!1674!10/09/2013-14:02:04:: i INFO: Initializing EnableExecutionLogging to 'True'  as specified in Server system properties.
emailextension!WindowsService_0!1674!10/09/2013-14:02:04:: e ERROR: Error sending email. Exception: Microsoft.ReportingServices.Diagnostics.Utilities.RSException: Die dem Benutzer 'rausch' erteilten Berechtigungen reichen zum Ausführen des Vorgangs nicht aus. ---> Microsoft.ReportingServices.Diagnostics.Utilities.AccessDeniedException: Die dem Benutzer 'rausch' erteilten Berechtigungen reichen zum Ausführen des Vorgangs nicht aus.
notification!WindowsService_0!1674!10/09/2013-14:02:04:: i INFO: Notification 6241f7f4-6225-44ea-b8ff-3654960ae218 completed.  Success: True, Status: Fehler beim Senden von E-Mail: Die dem Benutzer 'rausch' erteilten Berechtigungen reichen zum Ausführen des Vorgangs nicht aus.E-Mails werden nicht erneut gesendet., DeliveryExtension: Report Server Email, Report: Projekt Aufwand, Attempt 0

Workaround: I open the subscriptions table in the ReportServer database and replace the OwnerId UserId with the userId of the report server administrator. Then the subscription runs under admin rights and it works.

Anyone know where I can look/check to set correct permissions? Or do I have to add some code in the CheckAccess overwrite methods?

Part of the code:

  m_RptOperNames.Add(ReportOperation.CreateSubscription,
      OperationNames.OperCreateSubscription);
  m_RptOperNames.Add(ReportOperation.DeleteSubscription,
      OperationNames.OperDeleteSubscription);
  m_RptOperNames.Add(ReportOperation.ReadSubscription,
      OperationNames.OperReadSubscription);
  m_RptOperNames.Add(ReportOperation.UpdateSubscription,
      OperationNames.OperUpdateSubscription);
  m_RptOperNames.Add(ReportOperation.CreateAnySubscription,
      OperationNames.OperCreateAnySubscription);
  m_RptOperNames.Add(ReportOperation.DeleteAnySubscription,
      OperationNames.OperDeleteAnySubscription);
  m_RptOperNames.Add(ReportOperation.ReadAnySubscription,
      OperationNames.OperReadAnySubscription);
  m_RptOperNames.Add(ReportOperation.UpdateAnySubscription,
      OperationNames.OperUpdateAnySubscription);

Here I moved the whole C# class code for investigation: https://docs.google.com/file/d/0B02JCr49NYlUeDFVbWt2NVdpUmc/edit?usp=sharing

I do not see any Execution or Email subscription, but it was not part of the reference code. Could that be the case?

EDIT

Seeing this: http://msdn.microsoft.com/en-us/library/bb283182.aspx. Can anyone tell me what Item right is needed to email a subscription? Then I can take a deeper look at what Item needs to be granted.

UPDATE

I still have this issue but I am a bit wiser now :). In fact the Email delivery is handled by Microsoft.ReportingServices.Library.TimedSubscriptionHandler which is used by the WindowsService Reportserver.

If you set up a subscription with only the link to the report, the subscription works even with the CustomSecurity extension! Adding the report makes the system render the report. There the report server creates a new session, and there the permissions are not granted. I couldn't find out yet if the inheritance of the custom security extension works here or not.

Maybe some SSRS / .NET guru has some tips; searching the net for hours did not give me any solutions.

Workaround: At the moment I set up a trigger on the subscriptions and replace the OwnerId with the Admin id.

CREATE TRIGGER Subscription_overwrite_owner
   ON  dbo.Subscriptions
   AFTER INSERT, UPDATE
AS 
BEGIN
    -- replace the OwnerId with the uid from the admin account
    -- so the TimedSubscription runs with correct credentials
    UPDATE dbo.Subscriptions SET OwnerID = 'uuid admin from Users table'
END
GO
asked Oct 21 '22 23:10

YvesR


1 Answer

I would have preferred that someone else found the answer, but since no one did for months, I continued to investigate what the problem is. And finally, the winner is...

Note: I used the sample project to implement a custom security extension.

I made it work on my environment!

  1. I set up a security extension with the sample CustomSecurity project.
  2. Everything works fine except subscriptions if they contain attachments (like the rendered report).
  3. I found out later that it worked with the Administrator user set up in the rsreportserver.config (<Security><Configuration>, which is loaded from the SetConfiguration setting).
  4. The sample project shows us that we store application settings in the web.config!

I did store many parameters for my custom security extension in the web.config!

All works fine in the front end and rendering reports. But when it comes to subscriptions with attachments we run into permission errors...

It works with Administrator because the CustomSecurity sample project grants access if the user is the administrator!

But the ReportingServicesService.exe does not get the configuration data from the web.config!

That's why all my CheckAccess() methods failed to check for the other security settings, because in the web.config we store, e.g., the connection string we use to fetch against a custom database.

So you can now rewrite your code and move all configuration data from the web.config into the rsreportserver.config file.

Or you can just add your web.config application settings also to the /bin/ReportingServicesService.exe.config.

In my case, e.g.:

<configuration>
  <configSections>
    <section name="RStrace" type="Microsoft.ReportingServices.Diagnostics.RSTraceSectionHandler,Microsoft.ReportingServices.Diagnostics" />
    <!-- custom authentication start -->
    <section name="CustomSecurity" requirePermission="false" />
    <!-- custom authentication end -->
  </configSections>
  <!-- custom authentication start -->
  <appSettings>
    <add key="log" value="d:\log"/>
    <add key="multi_company" value="true"/>
    <add key="default_domain" value="fqdn.domain.de"/>
    <add key="connection" value="database=ReportServer;server=(local);uid=sa;pwd=secret;" />
  </appSettings>
  <!-- custom authentication end -->

This is written nowhere and it took me a while to figure that out...

Hope that helps everyone working with custom forms authentication and SSRS.

answered Oct 27 '22 09:10

YvesR
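
The root cause described in this answer, as an added example (not the poster's code and not part of the CustomSecurity sample): a settings loader that still fails closed when the keys are absent, but reports which configuration file the current AppDomain actually loaded, so a missing web.config value is not mistaken for a permissions problem. The class and method names are hypothetical; the key names are the ones in the appSettings block above.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration; // requires a reference to System.Configuration.dll

// Hypothetical helper for a custom security extension (added example).
public static class ExtensionSettings
{
    // Keys the extension depends on; taken from the appSettings block in the answer.
    private static readonly string[] RequiredKeys =
        { "connection", "default_domain", "multi_company" };

    // Returns the required keys that are absent or empty in the given collection.
    public static List<string> FindMissing(NameValueCollection settings)
    {
        var missing = new List<string>();
        foreach (string key in RequiredKeys)
        {
            if (string.IsNullOrEmpty(settings[key]))
                missing.Add(key);
        }
        return missing;
    }

    // Call where the extension first reads its settings. Throwing keeps the
    // extension failing closed (no access is granted without configuration),
    // but the message names the config file in effect for this AppDomain
    // instead of leaving only an AccessDeniedException for the user.
    public static NameValueCollection LoadOrThrow()
    {
        NameValueCollection settings = ConfigurationManager.AppSettings;
        List<string> missing = FindMissing(settings);
        if (missing.Count > 0)
        {
            AppDomain domain = AppDomain.CurrentDomain;
            throw new ConfigurationErrorsException(string.Format(
                "CustomSecurity: appSettings key(s) [{0}] not found. " +
                "AppDomain: {1}; configuration file in effect: {2}",
                string.Join(", ", missing.ToArray()),
                domain.FriendlyName,
                domain.SetupInformation.ConfigurationFile));
        }
        return settings;
    }
}
```

The message deliberately lists key names only, never values, since the `connection` setting carries database credentials.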