Configuring Service Accounts and Passwords in Reporting Services

SQL Server Setup

Updated: 12 December 2006

Reporting Services uses a Windows service and Web service to support server operations. This topic describes the default accounts used to run the services, how the accounts are configured at first, and how to specify a different account or password. For more information about each service, see Administering the Report Server Web Service and Windows Service.

Default Accounts and Initial Configuration

The Report Server Windows service can run under a built-in account or domain user account. The Windows service account is always configured during Setup. SQL Server Setup provides options for selecting a domain user account or the built-in Local System account when you specify options in the Service Account page. You must select one of these account types for Setup to continue.

Note:
Setup does not provide options for specifying all possible service account choices. For example, it does not allow you to specify NetworkService. If you want to use NetworkService, you can use the Reporting Services Configuration tool to modify the service account properties after Setup is finished.

The Report Server Web service account is always the ASP.NET worker process identity. The account information for the Web service can be set during or after installation. It can be set during installation if you select the default configuration installation option. Otherwise, it is set after installation when you specify the report server virtual directory in the Reporting Services Configuration tool. Either way, the initial settings for the Report Server Web service are always the default values as determined by ASP.NET and the version of Microsoft Internet Information Services (IIS) that you are using:

  • In IIS 6.0 on Microsoft Windows Server 2003, the ASP.NET worker process runs under the security identity of the application pool that contains it. You can have multiple ASP.NET worker processes, where each one is contained in a separate application pool that has its own security identity. By default, the security identity is NetworkService. NetworkService is the security identity of the default application pool, which provides settings that are inherited by any new application pool you subsequently create. When a report server is configured, the Report Server Web service is assigned to a dedicated application pool that is created for it when you specify the report server virtual directory. Because this application pool inherits the security identity of the default application pool, the account used to run the Report Server Web service is typically NetworkService.
  • In IIS 5.0 on Windows 2000 Server or IIS 5.01 on Windows XP, there is one ASP.NET worker process account for all ASP.NET applications that run on the computer. By default, ASP.NET runs under its own account as computername\ASPNET. To use a different account, you must configure ASP.NET to run under that account. There are no options in the Reporting Services Configuration tool to set the ASP.NET account. You must modify the <processModel> element in the Machine.config file if you want to use a custom account for all ASP.NET applications that run on the server.

To view the account information for both services, use the Reporting Services Configuration tool. The tool includes the Web Service Identity page and the Windows Service Identity page that show service account information.

Changing the Service Accounts and Passwords for a SharePoint Integrated Report Server

If you are running a report server in SharePoint integrated mode, and you subsequently change the accounts that each server runs under, you must update the service account information that is stored in the SharePoint configuration database. To do this, start Central Administration and re-select the report server instance in the Manage integration settings page. Repeating the integration steps will update the service account information accordingly. For more information, see How to: Set Report Server Integration in SharePoint Central Administration.

Changing the Service Accounts and Passwords

You can modify the service accounts, passwords, or both. For instructions on how to specify an account after you have decided which one to use, see How to: Configure Service Accounts (Reporting Services Configuration).

When you choose a new account, a login and database permissions will be created for the new account. Specifically, the account will be added to the RSExecRole. Accounts that were added previously are not removed from this role; you will need to remove accounts that are no longer in use. For more information, see Administering a Report Server Database.
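
Because previously added accounts stay in RSExecRole, the following T-SQL lists the role's members so that stale ones can be found and removed. It is an added example, not part of the original topic. It assumes the default database names ReportServer and ReportServerTempDB, also checks master and msdb (where the role is also created), and uses CONTOSO\svc-ssrs as a placeholder for the account now in use.

```sql
-- Added example: audit RSExecRole membership after a service account change.
-- Assumptions: default database names ReportServer / ReportServerTempDB;
-- CONTOSO\svc-ssrs is a placeholder for the account currently in use.
DECLARE @current_account sysname;
SET @current_account = N'CONTOSO\svc-ssrs';   -- placeholder, replace with yours

CREATE TABLE #rsexec_members (
    database_name sysname,
    member_name   sysname,
    member_type   nvarchar(60)
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE name IN (N'ReportServer', N'ReportServerTempDB', N'master', N'msdb')
      AND state_desc = N'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Collect the members of RSExecRole in each database that has the role.
    SET @sql = N'
        INSERT INTO #rsexec_members (database_name, member_name, member_type)
        SELECT N' + QUOTENAME(@db, '''') + N', m.name, m.type_desc
        FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
             ON r.principal_id = rm.role_principal_id
        JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS m
             ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''RSExecRole'' AND r.type = ''R'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

-- 'review' marks members other than the current account; confirm each one is
-- retired (the Web service account may legitimately be listed too).
SELECT database_name, member_name, member_type,
       CASE WHEN member_name = @current_account THEN 'in use' ELSE 'review' END AS status
FROM #rsexec_members
ORDER BY database_name, member_name;

DROP TABLE #rsexec_members;
-- For each retired account, in each database listed for it:
--   EXEC sp_droprolemember N'RSExecRole', N'<retired account>';
```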

Choosing a Different Account

You can configure the Report Server Web service and Windows service accounts to run under non-default values. There is no single best approach for choosing an account type. Each account has advantages and disadvantages that you must consider. If you are deploying Reporting Services on a production server, best practices suggest that you configure the accounts to run under a user account that is used by a single service or application. The following guidelines and links in this section can help you decide on an approach that is best for your deployment.

Online resources, by service:

  • Windows service
      • Windows Service Identity (Reporting Services Configuration)
      • Setting Up Windows Service Accounts in SQL Server Books Online.
      • The Services and Service Accounts Security Planning Guide on MSDN.
  • Web service
      • Web Service Identity - Windows Server 2003 (Reporting Services Configuration)

Changing a Password before it Expires

To reset the password, use the Reporting Services Configuration tool and follow these instructions: How to: Configure Service Accounts (Reporting Services Configuration).

Note:
If the service account password for the Database Engine expires, the rsReportServerDatabaseUnavailable error occurs when you try to connect to the report server. Resetting the password resolves this error. To view the complete text of the error message, see Troubleshooting Server and Database Connection Problems.

Changing an Expired Password for the Report Server Windows Service

If the Report Server Windows service runs under a domain account and the password expires, the service will be unavailable until you specify a new password. To reset the password, click the Start menu, point to Control Panel, point to Administrative Tools, and click Services. Right-click SQL Server Reporting Services, select Properties, click Log On, and type the new password. After you update the password, start the Reporting Services Configuration tool and update the password in the Windows Service Identity page. This additional step is necessary to update the account information that is stored internally by the report server.

Dependencies on the Report Server Windows Service Identity

If you change the Report Server Windows service account, this can affect report server operations. For that reason, it is important to always use the Reporting Services Configuration tool when changing a service account. The Reporting Services Configuration tool performs the following additional steps to ensure the report server remains available:

  • Automatically updates the encryption key to include the profile information of the new account. Because encryption is performed only by the Report Server Windows service, the keys must be updated when you reset the Windows service.
    Note:
    If the report server is part of a scale-out deployment, only the report server that you are updating is affected. The encryption keys for other report servers in the deployment are unaffected by the service account change.

  • Automatically updates the login permissions on the SQL Server Database Engine instance used to host the report server database. If you are using the service accounts to connect to the database, Reporting Services granted SQL Server login permissions to the service accounts when you initially configured the connection. If you reset the Windows service account, the connection information must be updated.
  • Automatically adds the new accounts to the report server group created on the local computer. This group is specified in the access control lists (ACLs) that secure Reporting Services files.

Change History

Release: 12 December 2006

Changed content:
  • NetworkService security identity.
  • Changing service accounts and passwords.

Release: 14 April 2006

Changed content:
  • Windows Server 2003 security identity information.
