-
Title
Does Password Manager require NTLM for authentication? -
Description
Up to and including Password Manager 5.14.x, NTLM is the default protocol for connecting to SQL Reporting Services. For connecting to Active Directory, it can depend on what is configured on the Domain Controllers - it may be Kerberos or NTLM. -
Cause
Password Manager up to and including 5.14.x defaults to NTLM connecting to SQL Reporting Services.
NTLM may be the default setting out-of-the-box in SQL Reporting Services for certain versions of SQL Reporting Services. -
Resolution
WORKAROUND
By default, Password Manager communicates over LDAP port 389. To enable LDAPS (LDAP over SSL), the following registry keys need to be added as outlined here:
How to enable LDAP over SSL for Password Manager. (314916)
For connecting to SQL Reporting Services, follow these steps to use Windows/Kerberos:
On the Password Manager server:
1. Navigate to C:\Program Files\One Identity\Password Manager\Service
2. Make a copy of the file QPM.Service.Host.exe.config
3. Open QPM.Service.Host.exe.config with Notepad
4. Navigate to this section:
<basicHttpBinding>
5. There are two entries as highlighted:
<binding name="ReportingService2005Soap" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
<binding name="ReportingService2005SoapHttps" closeTimeout="00:01:00" openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00" allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard" maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384" maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<security mode="Transport">
<transport clientCredentialType="Ntlm" proxyCredentialType="None" realm="" />
<message clientCredentialType="UserName" algorithmSuite="Default" />
</security>
</binding>
5.Change Ntlm to Windows in both highlighted lines as follows:
<transport clientCredentialType="Windows" proxyCredentialType="None" realm="" />
6. Save the changes and restart the Password Manager host.
On the SQL Reporting Services server:
1. Navigate to C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer
2. Make a copy of the file rsreportserver.config
3. Edit rsreportserver.config with Notepad
4. Find this section:
<AuthenticationTypes>
<RSWindowsNTLM/>
</AuthenticationTypes>
5. Change it to:
<Authentication>
<AuthenticationTypes>
<RSWindowsNegotiate/>
<RSWindowsKerberos/>
</AuthenticationTypes>
6. Save the changes and restart the SQL Reporting Services host.
NOTE: Additional information on authentication in SQL Reporting Services can be found here:
https://learn.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on-the-report-server?view=sql-server-ver16
STATUS
We have logged Feature Request 294694 for SSL/636 domain connection settings option within Password Manager, and Defect ID 462202 regarding default setting of NTLM for SQL Reporting connection.
-
Change Request
294694