Configure SSRS for SSL

bzamfir picture bzamfir · Dec 19, 2015 · Viewed 32.7k times · Source

I have a SSRS instance, running SSRS 2014, and I want configure it for usage over SSL.

The server is available at http://reports.mydomain2.com

I purchased a multi SSL certificate from GoDaddy, on domain www.mydomain.com, and I added reports.mydomain2.com as SAN

I generated the SSL certificate from GoDaddy as for IIS, imported the certificate into Intermediate Certification Authority and in Personal/Certificates enter image description here enter image description here

The I started the SSRS config manager, and I'm trying to setup the SSL I see the certificate, but when I select it and click Apply I get error that SSL certificate cannot be bound

enter image description here

The error shown is

Microsoft.ReportingServices.WmiProvider.WMIProviderException: An unknown error has occurred in the WMI Provider. Error Code 80070520

 ---> System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
   --- End of inner exception stack trace ---
   at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
   at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.CreateSSLCertificateBinding(String application, String certificateHash, String ipAddress, Int32 port)
   at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.CreateSSLCertificateBinding(UrlApplication app, String certificateHash, String ipAddress, Int32 port)

I checked the bindings with command

netsh http show urlacl

and I found an entry on port 443

Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
    User: NT SERVICE\SstpSvc
        Listen: Yes
        Delegate: Yes
    User: BUILTIN\Administrators
        Listen: No
        Delegate: No
    User: NT AUTHORITY\SYSTEM
        Listen: Yes
        Delegate: Yes
        SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY) 

I don't know if this makes any difference or not (if the port 443 is already bound, preventing it from binding to SSRS url or not

But another possible problem is might be the fact that SSRS Config manager doesn't allow me to change the url for SSL binding to reports.mydomain2.com. but instead it tried to bind to default domain of the certificate.

Any idea what could be wrong, and how can I solve it?

Answer

bzamfir picture bzamfir · Dec 20, 2015

I figured out the solution, and hopefully it will help others.

The certificate downloaded from GoDaddy doesn't contains the private key. This was the cause of Create Certificate Binding error. To solve this, I had to export the certificate with private keys (I exported with also all extended properties, just in case) on the machine where I generated the initial CSR in IIS

So my steps are below:

  1. On machine where I generated the CSR, I import the certificate received from certificate authority.
  2. On the same machine I exported the certificate with private key and extended property, to .pfx
  3. On SSRS machine, I imported the exported certificate
  4. Start SSRS Configuration manager, and on section Web Service URL, select the newly imported certificate, and click Apply
  5. If the certificate was generated with the url matching exactly the DNS for SSRS server, you should be done.
  6. If the url of the certificate doesn't match the SSRS DNS name (but there is a SAN on the url of the reporting server, you will see the SSL certificate selected in SSRS Configuration manager set as Unknown and the ssl url as Unknown also. SSRS showing unknown for certificate and SSL url
  7. Open SSRS configuration file, RsReportServer.config, and edit entries for UrlReservations, to set the desired url's for SSL
<URLReservations>
  <Application>
      <Name>ReportServerWebService</Name>
      <VirtualDirectory>ReportServer</VirtualDirectory>
      <URLs>
          <URL>
              <UrlString>https://reports.mydomain2.org:443</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
          <URL>
              <UrlString>http://+:80</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
      </URLs>
  </Application>
  <Application>
      <Name>ReportManager</Name>
      <VirtualDirectory>Reports</VirtualDirectory>
      <URLs>
          <URL>
              <UrlString>http://+:80</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
          <URL>
              <UrlString>https://reports.mydomain2.org:443</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
      </URLs>
  </Application>
</URLReservations>

You must add or edit just entries for https (you'll find there entries for http on port 80, which you shouldn't change), and use AccountSid from entries on port 80 for new entries on ssl

  1. Run the command below to find all bounded URLs. You must find urls for reporting server, and write down SDDL, which will be needed when creating the SSL URLs for reporting server.

    netsh http show urlacl
    
  2. Remove the bounded URLs created by SSRS Config Manager, which points to wrong url (the main url the certificate was created for)

    netsh http delete urlacl url=https://www.mydomain1.org:443/ReportServer
    netsh http delete urlacl url=https://www.mydomain1.org:443/Reports
    
  3. Run the commands below to add the proper URLs for report server. We need to use the SSDL found in entroes for report server bound to port 80 (see point 8 above)

    netsh http add urlacl url=https://reports.mydomain2.org:443/ReportServer user="NT Service\ReportServer" listen=yes sddl=<....>
    netsh http add urlacl url=https://reports.mydomain2.org:443/Reports user="NT Service\ReportServer" listen=yes sddl=<....>