Why can’t I see my TFS reports?

Whist recently installing a TFS 2010 system onto a single box server, that was also a domain controller, I had a problem that though everything seemed in order I could not view my reporting services based reports in either SharePoint or directly from the http://myserver/reports interface.

During the installation I had verified I had the correct password for my [domain]\tfsreports account used to run the reports. If went to the http://myserver/reports page and edited the TFS2010ReportsDs or TFS2010OlapReportDS and tried to test the [domain]\tfsreports login it failed. However, if I swapped to the [domain]\administrator all was fine and my reports worked.

So what was the issue?

The key point is that the server, as it is a PDC, would only allow limited accounts to login to the server console. The actual Reporting Services web services were running as a named domain account (you cannot use Network Service and like on a PDC), but it seems that the connection by the [domain]\tfsreports account is considered the same as a login via the login screen as far as security systems are concerned.

The immediate fix was to make sure the [domain]\tfsreports user was in a group listed in the “Allow log on locally". To check this

  1. Run gpedit.msc
  2. Expand Computer Configuration\Windows Settings\Security Settings\Local Policies
  3. Click on User Rights Assignment
  4. Ensure that "Allow log on locally" includes user required, or that the user is in one of the listed groups

Now I am not sure this is the end of story, I am sure I can waste loads of time to find out exactly the minimum security settings needed, but this is an adequate solution for no for me.