Unattended Execution Account in SSRS

10
votes

Q1: why would I want to have an Unattended Execution Account?

Q2: if I don't use an Unattended Execution Account, which account is used to run the reports?

Q3: if i get the following error message when running a report: "The report server has encountered a configuration error. Logon failed for the unattended execution account. (rsServerConfigurationError) Log on failed. Ensure the user name and password are correct. (rsLogonFailed) Logon failure: unknown user name or bad password".

I understand that the Unattended Execution Account user name and/or password is wrong. But, where is that user name and password used? I mean, should the Unattended Execution Account be added in SQL Server or is the user name and password stored in the report? Even if a change the user name and password in SSRS Configuration Tool, the report doesn't run. So, the old account information seem to be stored somewhere?

I've been googling around but I don't get the big picture.

Thanks!

2
reporting-services

2 Answers

11
votes

The MSDN article has pretty detailed information about this.

From that the answers to your questions are:

Q1: You should set the Unattended Execution Account if you don't want to set credentials for data sources and want the data source to work even when users are not able to enter their credentials (subscriptions or other scheduled executions.) From the linked MSDN article:

The unattended report processing account is used primarily to connect to external servers, and not as a login to database servers. If you want to use the account credentials to log in to a database, you must specify credentials in the connection string. You can specify Integrated Security=SSPI if the database server supports Windows integrated security and the account used for unattended report processing has permission to read the database.

Most SSRS installations do not need the Unattended Execution Account. They use the "Credentials stored securely in the report server" option in the data sources.

Q2: I'm not sure what "run the reports" means, but the SSRS Service account is always responsible for the rendering and delivery of the reports, whether an Unattended Exec Account is set or not. The connections to the data sources will use the credentials specified in the data source. Unattended Exec Account will only be used if the data source is set to "Credentials are not required."

Q3: This account may not be used at all, but SSRS still checks the credentials with the domain. If none of your data sources are set to "Credentials are not required" then I recommend you remove the account from the SSRS configuration.

4
votes

Your questions are probably answered by this MSDN article. For Q1 "Why?":

  • Send connection requests over the network for reports that use database authentication...
  • Retrieve external image files that are used in report...

On question 2: the Unattended Execution Account doesn't determine who runs the report. It just determines the above two things. The report is executed by the Report Server, and that process is running under its own account you configured.

On question 3: see the "How Account Information is Stored" section in the linked question. I'm not sure why a change in the Config Tool wouldn't be immediately effective, you may have to debug that seperately (try to restart things once or twice, etc). If you can't figure that one out be sure to start a new SO question with the details on your situation.