Configure SSRS for SSL

ssl reporting-services ssl-certificate ssrs-2014
bzamfir picture bzamfir · Dec 19, 2015 · Viewed 32.7k times · Source

I have a SSRS instance, running SSRS 2014, and I want configure it for usage over SSL.

The server is available at http://reports.mydomain2.com

I purchased a multi SSL certificate from GoDaddy, on domain www.mydomain.com, and I added reports.mydomain2.com as SAN

I generated the SSL certificate from GoDaddy as for IIS, imported the certificate into Intermediate Certification Authority and in Personal/Certificates enter image description here enter image description here

The I started the SSRS config manager, and I'm trying to setup the SSL I see the certificate, but when I select it and click Apply I get error that SSL certificate cannot be bound

enter image description here

The error shown is

Microsoft.ReportingServices.WmiProvider.WMIProviderException: An unknown error has occurred in the WMI Provider. Error Code 80070520

 ---> System.Runtime.InteropServices.COMException (0x80070520): A specified logon session does not exist. It may already have been terminated. (Exception from HRESULT: 0x80070520)
   --- End of inner exception stack trace ---
   at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
   at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.CreateSSLCertificateBinding(String application, String certificateHash, String ipAddress, Int32 port)
   at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.CreateSSLCertificateBinding(UrlApplication app, String certificateHash, String ipAddress, Int32 port)

I checked the bindings with command

netsh http show urlacl

and I found an entry on port 443

Reserved URL            : https://+:443/sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/
    User: NT SERVICE\SstpSvc
        Listen: Yes
        Delegate: Yes
    User: BUILTIN\Administrators
        Listen: No
        Delegate: No
    User: NT AUTHORITY\SYSTEM
        Listen: Yes
        Delegate: Yes
        SDDL: D:(A;;GA;;;S-1-5-80-3435701886-799518250-3791383489-3228296122-2938884314)(A;;GR;;;BA)(A;;GA;;;SY)

I don't know if this makes any difference or not (if the port 443 is already bound, preventing it from binding to SSRS url or not

But another possible problem is might be the fact that SSRS Config manager doesn't allow me to change the url for SSL binding to reports.mydomain2.com. but instead it tried to bind to default domain of the certificate.

Any idea what could be wrong, and how can I solve it?

Answer

bzamfir picture bzamfir · Dec 20, 2015

I figured out the solution, and hopefully it will help others.

The certificate downloaded from GoDaddy doesn't contains the private key. This was the cause of Create Certificate Binding error. To solve this, I had to export the certificate with private keys (I exported with also all extended properties, just in case) on the machine where I generated the initial CSR in IIS

So my steps are below:

  1. On machine where I generated the CSR, I import the certificate received from certificate authority.
  2. On the same machine I exported the certificate with private key and extended property, to .pfx
  3. On SSRS machine, I imported the exported certificate
  4. Start SSRS Configuration manager, and on section Web Service URL, select the newly imported certificate, and click Apply
  5. If the certificate was generated with the url matching exactly the DNS for SSRS server, you should be done.
  6. If the url of the certificate doesn't match the SSRS DNS name (but there is a SAN on the url of the reporting server, you will see the SSL certificate selected in SSRS Configuration manager set as Unknown and the ssl url as Unknown also. SSRS showing unknown for certificate and SSL url
  7. Open SSRS configuration file, RsReportServer.config, and edit entries for UrlReservations, to set the desired url's for SSL
<URLReservations>
  <Application>
      <Name>ReportServerWebService</Name>
      <VirtualDirectory>ReportServer</VirtualDirectory>
      <URLs>
          <URL>
              <UrlString>https://reports.mydomain2.org:443</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
          <URL>
              <UrlString>http://+:80</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
      </URLs>
  </Application>
  <Application>
      <Name>ReportManager</Name>
      <VirtualDirectory>Reports</VirtualDirectory>
      <URLs>
          <URL>
              <UrlString>http://+:80</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
          <URL>
              <UrlString>https://reports.mydomain2.org:443</UrlString>
              <AccountSid>....</AccountSid>
              <AccountName>NT Service\ReportServer</AccountName>
          </URL>
      </URLs>
  </Application>
</URLReservations>

You must add or edit just entries for https (you'll find there entries for http on port 80, which you shouldn't change), and use AccountSid from entries on port 80 for new entries on ssl

  1. Run the command below to find all bounded URLs. You must find urls for reporting server, and write down SDDL, which will be needed when creating the SSL URLs for reporting server.

    netsh http show urlacl

  2. Remove the bounded URLs created by SSRS Config Manager, which points to wrong url (the main url the certificate was created for)

    netsh http delete urlacl url=https://www.mydomain1.org:443/ReportServer
netsh http delete urlacl url=https://www.mydomain1.org:443/Reports

  3. Run the commands below to add the proper URLs for report server. We need to use the SSDL found in entroes for report server bound to port 80 (see point 8 above)

    netsh http add urlacl url=https://reports.mydomain2.org:443/ReportServer user="NT Service\ReportServer" listen=yes sddl=<....>
netsh http add urlacl url=https://reports.mydomain2.org:443/Reports user="NT Service\ReportServer" listen=yes sddl=<....>

Related questions

How to create a self-signed certificate with OpenSSL

I'm adding HTTPS support to an embedded Linux device. I have tried to generate a self-signed certificate with these steps: openssl req -new > cert.csr openssl rsa -in privkey.pem -out key.pem openssl x509 -in cert.csr -out …

Read More
Getting Chrome to accept self-signed localhost certificate

I have created a self-signed SSL certificate for the localhost CN. Firefox accepts this certificate after initially complaining about it, as expected. Chrome and IE, however, refuse to accept it, even after adding the certificate to the system certificate store …

Read More
Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

Edit :- Tried to format the question and accepted answer in more presentable way at mine Blog Here is the original issue. I am getting this error: detailed message sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.…

Read More