I have an SSRS instance, running SSRS 2014, and I want to configure it for usage over SSL.
The server is available at http://reports.mydomain2.com
I purchased a multi SSL certificate from GoDaddy, on domain www.mydomain.com, and I added reports.mydomain2.com as SAN.
I generated the SSL certificate from GoDaddy as for IIS, and imported the certificate into Intermediate Certification Authority and into Personal/Certificates.
Then I started the SSRS config manager, and I'm trying to set up SSL. I see the certificate, but when I select it and click Apply I get an error that the SSL certificate cannot be bound.
The error shown is
Microsoft.ReportingServices.WmiProvider.WMIProviderException: An unknown error has occurred in the WMI Provider. Error Code 80070520
---> System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
--- End of inner exception stack trace ---
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.CreateSSLCertificateBinding(String application, String certificateHash, String ipAddress, Int32 port)
at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.CreateSSLCertificateBinding(UrlApplication app, String certificateHash, String ipAddress, Int32 port)
I checked the bindings with command
netsh http show urlacl
and I found an entry on port 443
Reserved URL : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
    User: NT SERVICE\SstpSvc
        Listen: Yes
        Delegate: Yes
    User: BUILTIN\Administrators
        Listen: No
        Delegate: No
    User: NT AUTHORITY\SYSTEM
        Listen: Yes
        Delegate: Yes
    SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY)
I don't know if this makes any difference or not (if port 443 is already bound, preventing it from binding to the SSRS URL or not).
But another possible problem might be the fact that SSRS Config Manager doesn't allow me to change the URL for the SSL binding to reports.mydomain2.com, but instead it tried to bind to the default domain of the certificate.
Any idea what could be wrong, and how can I solve it?
I figured out the solution, and hopefully it will help others.
The certificate downloaded from GoDaddy doesn't contain the private key. This was the cause of the Create Certificate Binding error. To solve this, I had to export the certificate with private keys (I also exported all extended properties, just in case) on the machine where I generated the initial CSR in IIS.
So my steps are below:
<URLReservations>
  <Application>
    <Name>ReportServerWebService</Name>
    <VirtualDirectory>ReportServer</VirtualDirectory>
    <URLs>
      <URL>
        <UrlString>https://reports.mydomain2.org:443</UrlString>
        <AccountSid>....</AccountSid>
        <AccountName>NT Service\ReportServer</AccountName>
      </URL>
      <URL>
        <UrlString>http://+:80</UrlString>
        <AccountSid>....</AccountSid>
        <AccountName>NT Service\ReportServer</AccountName>
      </URL>
    </URLs>
  </Application>
  <Application>
    <Name>ReportManager</Name>
    <VirtualDirectory>Reports</VirtualDirectory>
    <URLs>
      <URL>
        <UrlString>http://+:80</UrlString>
        <AccountSid>....</AccountSid>
        <AccountName>NT Service\ReportServer</AccountName>
      </URL>
      <URL>
        <UrlString>https://reports.mydomain2.org:443</UrlString>
        <AccountSid>....</AccountSid>
        <AccountName>NT Service\ReportServer</AccountName>
      </URL>
    </URLs>
  </Application>
</URLReservations>
You must add or edit just the entries for https (you'll find entries there for http on port 80, which you shouldn't change), and use the AccountSid from the entries on port 80 for the new entries on SSL.
Run the command below to find all bound URLs. You must find the URLs for the reporting server, and write down the SDDL, which will be needed when creating the SSL URLs for the reporting server.
netsh http show urlacl
Remove the bound URLs created by SSRS Config Manager, which point to the wrong URL (the main URL the certificate was created for):
netsh http delete urlacl url=https://www.mydomain1.org:443/ReportServer
netsh http delete urlacl url=https://www.mydomain1.org:443/Reports
Run the commands below to add the proper URLs for the report server. We need to use the SDDL found in the entries for the report server bound to port 80 (see point 8 above):
netsh http add urlacl url=https://reports.mydomain2.org:443/ReportServer user="NT Service\ReportServer" listen=yes sddl=<....>
netsh http add urlacl url=https://reports.mydomain2.org:443/Reports user="NT Service\ReportServer" listen=yes sddl=<....>
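A pre-flight check for the root cause described in this answer, as an added example that is not part of the original post: it lists the certificates in the machine's Personal store that cover the report server host name and shows whether each one has a private key attached. The host name is the one used in the answer, and the function name Test-NameMatch is made up for this example.

```powershell
# Added example: run in an elevated PowerShell session on the SSRS server
# before selecting a certificate in the SSRS config manager.
# Assumption: host name taken from the answer above; change it for your server.
$HostName = 'reports.mydomain2.org'

function Test-NameMatch {
    # Hypothetical helper: does a certificate name (exact or wildcard) cover $Name?
    param([string]$Pattern, [string]$Name)
    if ($Pattern -eq $Name) { return $true }   # -eq is case-insensitive for strings
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $dot = $Name.IndexOf('.')
        return ($dot -gt 0) -and ($Name.Substring($dot) -eq $Pattern.Substring(1))
    }
    return $false
}

$now = Get-Date
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # DnsNameList is added by the PowerShell certificate provider
    # (SAN DNS entries plus the subject common name).
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $coversHost = [bool]($names | Where-Object { Test-NameMatch $_ $HostName })
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        CoversHost    = $coversHost
        # False is the condition this answer identifies as the cause of the binding error.
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    }
} | Where-Object { $_.CoversHost } | Format-List
```

A certificate that shows CoversHost True but HasPrivateKey False was imported without its key, which is the situation the export from the CSR machine fixes.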