Part 1 – Intro
Part 2 – Operational Reports (Classic RDL Reports)
Part 3 – Power Pivot Gallery (Silverlight)
Part 4 – Export a Power View Report to PowerPoint (you are here)

The last part of this engagement came when they tried to export a Power View report to PowerPoint: we hit the Save button and received an error. Under the hood, we were getting an HTTP 500 error.

Looking in the UAG Trace Logs, we found something like the following:

https://sptest.uaglab.com/_vti_bin/reportserver/?rs:ProgressiveSessionId=be2741565c6d4fd2ac46643113730a81huf1fo3tnerk0f555ji2hynb&rs:Command=LogClientTraceEvents

Info:Detected HRS attack!!! PostDataLen=100933, ContentType=application/progressive-report, Dump: XMLSchema"><ClientDateTime>201-04-23T10:59:07+05:30</ClientDateTime><Category>datastructuremanager</Category><ProgressiveSessi. (ExtECB=0000000005D68040), (PFC=0000000002A72808)

By default, UAG is configured to protect the web servers from HTTP request smuggling (HRS) attacks. You can view this by clicking Edit for the application and going to Web Server Security; the setting is listed under Maximum size of POST request.


By default, UAG allows a maximum of 49152 bytes for a POST request, per this setting, for the listed content types. What we noticed in the failing request in the UAG traces is that the Post Data Length on this request was 100933, higher than the default limit on UAG. The content type, in this case, was application/progressive-report. So, to overcome the issue, we added this content type to the UAG server's smuggling protection settings and increased the maximum size of POST request to a value that would accommodate the request. For testing in our environment, we just changed it to 491520, as that covered the Post Data Length of 100933. You would need to do more analysis to see what fits your needs without overexposing your deployment from an attack perspective, while still allowing your site to function.

This allowed the Export to succeed.
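To make the troubleshooting above repeatable, here is an added example (not code from the original post or from UAG) that parses "Detected HRS attack" lines out of a UAG trace, models the Maximum size of POST request rule, and reports, per content type, the largest POST body that the current rule rejects. The trace lines, the default content-type list and the exact accept/reject rule are constructed assumptions for the example; the only values taken from the post are the 49152 default, the 491520 test value, the 100933 request and the application/progressive-report content type.

```python
import re
from dataclasses import dataclass

# Matches the shape of the UAG trace line quoted in the post.
HRS_EVENT = re.compile(
    r"Detected HRS attack!!! PostDataLen=(?P<len>\d+), ContentType=(?P<ctype>[^,]+),"
)

# Constructed sample trace: the first line mirrors the one from the post,
# the others are made up to show a second content type and an unrelated line.
SAMPLE_TRACE = [
    "Info:Detected HRS attack!!! PostDataLen=100933, ContentType=application/progressive-report, "
    "Dump: XMLSchema\"><ClientDateTime>... (ExtECB=0000000005D68040), (PFC=0000000002A72808)",
    "Info:Detected HRS attack!!! PostDataLen=60000, ContentType=application/x-www-form-urlencoded, "
    "Dump: user=... (ExtECB=0000000000000000), (PFC=0000000000000000)",
    "Info:Unrelated trace line that should be ignored",
]


@dataclass(frozen=True)
class SmugglingPolicy:
    """Model of the UAG Web Server Security POST-size rule.

    Assumption (not verified against UAG internals): a POST is accepted only
    when its content type is in the configured list AND its body is no larger
    than max_post_bytes. Everything else is treated as a smuggling attempt.
    """
    max_post_bytes: int
    content_types: frozenset

    def check(self, content_type: str, post_len: int):
        ctype = content_type.strip().lower()
        if ctype not in self.content_types:
            return (False, f"content type {ctype!r} is not in the smuggling-protection list")
        if post_len > self.max_post_bytes:
            return (False, f"PostDataLen {post_len} exceeds the limit of {self.max_post_bytes}")
        return (True, "ok")


# Constructed default: 49152 is the default limit from the post; the content-type
# list is an assumption, the real default list is whatever the UAG console shows.
DEFAULT_POLICY = SmugglingPolicy(
    max_post_bytes=49152,
    content_types=frozenset({"application/x-www-form-urlencoded", "multipart/form-data"}),
)

# The change made in the post: add the Power View content type and raise the limit.
FIXED_POLICY = SmugglingPolicy(
    max_post_bytes=491520,
    content_types=DEFAULT_POLICY.content_types | {"application/progressive-report"},
)


def parse_hrs_events(lines):
    """Return (content_type, post_len) for every HRS line in the trace, in order."""
    events = []
    for line in lines:
        m = HRS_EVENT.search(line)
        if m:
            events.append((m.group("ctype").strip(), int(m.group("len"))))
    return events


def required_limits(events, policy):
    """Largest PostDataLen seen for each content type the policy would reject.

    This is the number an admin needs before deciding how far to raise the
    limit; the post picked 491520, i.e. ten times the default.
    """
    needed = {}
    for ctype, post_len in events:
        accepted, _ = policy.check(ctype, post_len)
        if not accepted:
            key = ctype.lower()
            needed[key] = max(needed.get(key, 0), post_len)
    return needed


if __name__ == "__main__":
    events = parse_hrs_events(SAMPLE_TRACE)
    for policy_name, policy in (("default", DEFAULT_POLICY), ("fixed", FIXED_POLICY)):
        print(policy_name, "still rejects:", required_limits(events, policy))
```

Run against a real UAG trace, the output of `required_limits` under the current policy tells you which content types are being dropped and how large their bodies actually are, so the raised limit can be sized to the observed traffic rather than to a round guess.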

We then ran into an issue where, when opening the PowerPoint document, we would see the static image and not the Interact button. The control is unable to complete the proper request/response exchange when going through UAG/ADFS, and we are also never prompted for credentials. If we look at the properties of the item on the slide, we can see that it is the Silverlight ActiveX control and that it is set to go to the XAP.


Web Application Proxy (WAP)

Exporting to PowerPoint itself did not have any issues, or need additional configuration, when using WAP. Unfortunately, when trying to run the PowerPoint document, we still did not have the Interact button going through WAP. This is because, going through WAP, it behaved as if it were pure forms authentication: looking at a Fiddler trace, the response back from the server was the form requesting the login credentials. The Silverlight control does not prompt for credentials, and there is no real way for it to do so when the server is expecting a web form.

Takeaway

The takeaway on this one is that we can successfully export the report to a PowerPoint document; however, within the document itself, you will only have the static image of the report and not its interactive aspects.


Adam W. Saxton | Microsoft SQL Server Escalation Services
http://twitter.com/awsaxton