Report Builder uses a client technology called ClickOnce to download and launch the application files. This component runs outside of Internet Explorer, so it cannot leverage any credentials that may have been collected by IE to access the report server. It can only access and download the Report Builder application files if the user's default credentials are sufficient. There are three ways to satisfy this constraint:
1. Client and server have a trust relationship (e.g. same domain), the user is logged into the client using a domain account with permission to access RB files on the report server, and Windows authentication is enabled on the ReportBuilder folder in IIS.
2. User has stored credentials on the client for the report server, using either the "Remember my password" checkbox in Internet Explorer or the Stored User Names and Passwords control panel, those credentials are Windows credentials, and Basic authentication is enabled on the ReportBuilder folder in IIS. This option is recommended only if you are using SSL, and only if the requirement that users store their credentials is acceptable. Note that if they do not, the application download will simply fail -- they will not be prompted to supply any credentials.
3. Anonymous access is enabled on the ReportBuilder folder in IIS. This may make your server vulnerable to denial-of-service attacks if it is not operating in a trusted environment.
Note that the authentication settings on the ReportBuilder folder in IIS are usually inherited from the report server virtual root.