The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Question

I'm using SQL Server 2005 (SP1) Reporting Services on Windows Server 2003 SP1. I access the report server from Internet using SSL, but the server is not exposed directly to the internet. It is behind a firewall, where the required ssl port is setup and is working fine.

In my Reporting Server, the /ReportServer folder works perfect and I can navigate and view all reports. It is the /Reports folder the one that does not work fine. I can enter the /Reports folder, and can list all the reports. But, when I select one of the reports, and it starts rendering, I get the error message:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."

How can I fix this?

Thanks,

Julio

Answer 1

Julio,

I am having the same problem. I can get it working for http, but not for https. I have also started from scratch for the certificates based on the guidelines I received via Microsoft Tech Net and I still have the problem with the Report Manager. I plan to bring in the files into Visual Studio 2005 and try to "see" how to make it work. Please let me know as well if you found a fix. Thank you in advance and have a great Turkey (Thanksgiving) week.

r,

Clem

Answer 2

Did anyone ever find a solution to this.  I installed RS after the initial DB install, went through the RS Configuration Tool, but now am not able to connect either via the web browser nor via SQL Server Management Studio.

Answer 3

I am getting same error.. anyone resolve it plz...

thanx
-Radha Krishna Prasad

Answer 4

Hi Radha,

Please try the following steps to resolve this problem:

1.       In RsReportServer.config file changed the “SecureConnectionLevel” element value from 0 to 2.

2.       Check the UrlRoot element to the report server.

3.       Go to Microsoft management Console; add the certificate which you use to access the report server under “Trusted Root Certification Authorities”.

Hopefully this helps. Thanks.

Answer 5

I am aslo getting the same error can anybody help me out in this issue.

 

thanks

Jagan.

Answer 6

Hi Rama Satya Jagan K

 

This error is always caused by the certificate which is used to access the report server. First, in the IIS, please make sure that the certificate in the properties of the web site ReportServer is correct. Second, check the certificate in the Microsoft management Console; make sure that there is only one certificate which you are using to access the report server in the “Trust Root Certification Authorities.

 

Thanks.

Answer 7

Yao-Jie Tang - MSFT wrote:

[...] 3.       Go to Microsoft management Console; add the certificate which you use to access the report server under “Trusted Root Certification Authorities”.

Do you happen to have a reference that goes through this in a little more detail?  I'm presently setting up RS2005 SP1 for non-SharePoint-integrated secure access, using certificates issued by my own standalone certificate authority (from Windows 2003 Server).  I've:

• created a root certificate for the CA (let's call this certificate root-cert).
• issued a certificate from the CA for the web site (let's call this cert server.mycompany.com), which has root-cert as its root.
• set up the secure Web site (https://server.mycompany.com:8443 - long reason for the 8443) to use the cert server.mycompany.com.  I can connect to this using a browser, and can see that certificate is used.
• used the Certificates snap-in to manage the Local Computer certificates on the computer on which the reporting server is running, and added root-cert to the Trusted Root Certification Authorities/Certificates folder in there.
• configured the ReportServer directory to be /reportserver on the secure Web site.
• set UrlRoot in rsreportserver.config to https://server.mycompany.com:8443/reportserver
• set SecureConnectionLevel in rsreportserver.config to 2.
• Stopped and restarted the Reporting Services instance and the app pool in which ReportServer and Reports are hosted, in case of a file caching issue.

 

I'm still seeing this error, so presumably I'm missing something!

 

Any advice would be very welcome.

 

- Peter

Answer 8

I am having the same problem, SqlServer 2008, sqljdbc1.2, java 1.6. Anyone know how to get pst this error? Going to sqljdbc1.1 does not work with SqlServer 2008. HELP!

Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure
connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: RSA premaster secret
 error.
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(Unknown Source)
        at com.microsoft.sqlserver.jdbc.TDSChannel.throwSSLConnectionFailed(Unknown Source)
        at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(Unknown Source)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(Unknown Source)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.loginWithoutFailover(Unknown Source)
        at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(Unknown Source)
        at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(Unknown Source)
        at java.sql.DriverManager.getConnection(DriverManager.java:582)
        at java.sql.DriverManager.getConnection(DriverManager.java:185)

thanks
jim

Answer 9

I've been strggeling with a similar problem for 2 days. I've checked all the suggestions in this and other posts but I'm continuing to get prompted for a Username and Password when I try to go to the https://server.domain/reports and reportserver. I can't get past the logon screen and naturally when I hit cancel I get: HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration. Internet Information Services (IIS).

 

So the real issue I'm trying to figure out is why I'm getting prompted for credentials. I've set everything according to the multple instruction sets i've seen, but I'm still stuck...any ideas would be appreciated.

<Add Key="SecureConnectionLevel" Value="2"/>

Answer 10

Bill, are you seeing this problem only with https or are you getting it even with accessign http url.

Please check the following blog for a similar issue and see if the info helps.

http://blogs.msdn.com/lukaszp/archive/2008/03/26/solving-the-reporting-services-login-issue-in-the-february-ctp-of-sql-server-2008.aspx

 

Answer 11

If you are not using SSL/TLS you can always switch it off. Try this as it solved similar problems.

Reporting Services: The underlying connection was closed

Answer 12

Many times, even after a proper installation and certificate configuration using SSL/TLS, folks get this error because they are attempting to connect to the Report Server using the host name rather than the fully qualified domain name used in the certificate assigned to the web server. 

In SQL Server Management Studio, try using the correct protocol and FQDN followed by /ReportServer (i.e. https://yourvalidcertificatefqdn.com/ReportServer) as the "Server" to connect to, instead of "COMPUTERNAME".

If the certificate stuff is configured right, you should get right in!

-- Aaron

---

Aaron

Answer 13

I'm SQL Server 2008 Rep. Services on Windows Server 2008 SP1.  I also use IIS 7.
every thing seems up a nd running , but I have access issue to report manager yet. I got this error which is the same issue as sql 2005 and I could fix it by turning off annoumus access 

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

Any idea?


Thanks,

Reza

 

Answer 14

In other isntances where I have seen this issue, it was fixed by setting the SecureConnectionLevel configuration setting in rsreportserer.config file to 0.
can you try the same and post results

Answer 15

Just amazing Yao!!!

Answer 16

There is another entry in the rsreportserver.config under <Authentication>

<RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>

If set to ALLOW instead of OFF you may get the Challenge Response window.

Answer 17

It is a trust issue between the two servers. It is a generic problem that could happen between any two servers that need to trust each other. The solution of this problem is to export the certificate of the first server machine, and import it at the second server where you're having the problem. Machine certificate will be under: Trusted Root Certification Authorities.

Check this blog: http://zevainc.com/index.php/blog/item/4003-fix-new-sptrustedsecuritytokenissuer-error

---

Husam Hilal