How to Grant « Allow log on locally » Permissions to Domain User Accounts

If you use stored credentials to connect to an external data source, the Windows domain user account must have permission to log on locally. This permission allows the report server to impersonate the user on the report server and send the request to the external data source as that impersonated user.

To grant this permission, do the following:

1. On the report server computer, in Administrative Tools, open Local Security Policy.
2. Under Security Settings, expand Local Policies, and then click User Rights Assignment.
3. In the details pane, right-click Allow log on locally and then right-click Properties.
4. Click Add User or Group.
5. Click Locations, specify a domain or other location that you want to search, and then click OK.
6. Enter the Windows account for which you want to allow interactive login, and then click OK.
7. In the Allow log on locally Properties dialog box, click OK.
8. Verify that the account you selected does not also have deny permissions:
   1. Right-click Deny log on locally and then right-click Properties.

   2. If the account is listed, select it and then click Remove.

https://docs.microsoft.com/en-us/sql/reporting-services/report-data/specify-credential-and-connection-information-for-report-data-sources?view=sql-server-2017