none
SSRS 2008 with SSL host headers

    Question

  • Does anyone know how to implement an SSL host header in SSRS 2008?  Since reporting services no longer uses IIS, I can no longer use the old cscript to register it with IIS:  cscript.exe adsutil.vbs set /w3svc/[site id]/SecureBindings ":443:[host header]"

     

    Any help would be greatly appreciated.

     

    Friday, October 24, 2008 8:40 PM

Answers

All replies

  • You should be able to do this using reporting services configuration manager tool.

    That registers it with http.sys which reporting servies uses in the background.

    Friday, October 24, 2008 11:10 PM
    Moderator
  • It doesn't seem to be working properly.  Here is an example of what I've tried.  (I've replaced the names, but the pattern is the same.)

     

    Machine name:          colo-test1

    External url:          test1.testdomain.org

    Wildcard certificate:  *.testdomain.org

     

    In the Report Manager URL section of the Reporting Services Configuration Manager, I clicked the Advanced button, and then the Add button to add a host header to the "Multiple Identities for Report Manager" section:

     

    Host Header Name:      test1.testdomain.org

    TCP Port:              80

     

    I clicked the Add button under the "Multiple SSL Identities for Report Manager" and selected the following options:

     

    IP Address:            (All IPv4)

    SSL Port:              443

    Certificate:           wildcard.testdomain.org

     

    URL:                   https://:443/Reports_SQL2008  <<<< automatically generated.

     

    (Note that the "Add a Report Manager SSL Binding" section doesn't have a field to specific a host header.)

     

    When I click ok, I get the following output under the URLs section:

     

    http://COLO-TEST1:80/Reports_SQL2008

    http://test1.testdomain.org:80/Reports_SQL2008

    https://+:443/Reports_SQL2008

     

    From an client on the network, I can successfully navigate to http://COLO-TEST1:80/Reports_SQL2008 and view the Report Manager fine.

     

    From an external client, I can successfully navigate to http://test1.testdomain.org/Reports_SQL2008 and view the Report Manager fine.

     

    Neither internal or external clients can navigate to https://COLO-TEST1/Reports_SQL2008 or https://test1.testdomain.org/Reports_SQL2008 , respectively. 

     

    I confirmed that port 443 was open on our firewall...it seems to be behaving as though HTTP.SYS is not listening on port 443.  Does anyone have any ideas of what I could try next?

    Monday, October 27, 2008 9:21 PM
  • Did you configure SSL for report server (i.e. the Web Service URL tab) using the the configuration tool?

     

    Monday, October 27, 2008 9:38 PM
    Moderator
  • Yes, I used the configuration tool for both the Web Service URL tab as well as the Report Manager URL tab.  However, I only added the host header to the Report Manager URL.

     

    Here is a copy of the URL Reservations section of my rsreportserver.config file:

     

    <URLReservations>

    <Application>

    <Name>ReportServerWebService</Name>

    <VirtualDirectory>ReportServer_SQL2008</VirtualDirectory>

    <URLs>

    <URL>

    <UrlString>http://+:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    </URLs>

    </Application>

    <Application>

    <Name>ReportManager</Name>

    <VirtualDirectory>Reports_SQL2008</VirtualDirectory>

    <URLs>

    <URL>

    <UrlString>http://+:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>https://+:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>http://test1.testdomain.org:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    </URLs>

    </Application>

    </URLReservations>

     

     

    From what I understand, this section of the rsreportserver.config cannot be manually edited because it could corrupt some HTTP.SYS settings.  (ref http://msdn.microsoft.com/en-us/library/ms157273.aspx)

     

    Any ideas?

    Monday, October 27, 2008 9:51 PM
  • I think I figured it out:  It doesn't like wildcard certificates.  =p

     

    I created a new certificate for the computer, instead of using my "*.testdomain.org" certificate, and it works fine:

     

    <URLReservations>

    <Application>

    <Name>ReportServerWebService</Name>

    <VirtualDirectory>ReportServer_SQL2008</VirtualDirectory>

    <URLs>

    <URL>

    <UrlString>https://+:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>http://+:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>https://WMSvc-COLO-TEST1:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    </URLs>

    </Application>

    <Application>

    <Name>ReportManager</Name>

    <VirtualDirectory>Reports_SQL2008</VirtualDirectory>

    <URLs>

    <URL>

    <UrlString>http://+:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>https://+:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>http://reports.wish.org:80</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    <URL>

    <UrlString>https://WMSvc-COLO-TEST1:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

    </URLs>

    </Application>

    </URLReservations>

     

    It stinks because now I get certificate errors in my browser, but at least I'm not sending credentials clear-text.  It will be fun explaining to my IT Director that we need to purchase a new cert just for this computer, when we already forked out $$$ for a wildcard cert and standardized on it for everything else.  =p

    Monday, October 27, 2008 10:13 PM
  • You should not manually edit this section, unless you know what you are doing Smile. Basically the config tool configures ACLs for the urls and writes them to rsreportserver.config file. If you edit the urls, the HTTP.SYS ACLs might not be in sync with RS config file.

     

    Your RM can accept SSL, but your RS cannnot. I think this will be problematic. Can you tell me the following:

     - Your <SecureConnectionLevel> settings

     - Any errors you see in IE and report server log file when you try to access https://test1.testdomain.org/reports .

     

    Since your certificate is issued to *.testdomain.org, you won't be able to access https://colo-test1/reports.

     

    Monday, October 27, 2008 10:15 PM
    Moderator
  • I think you may just need to configure SSL for your report server url using the wildcard certificate.

     

    Monday, October 27, 2008 10:23 PM
    Moderator
  • Hi James, thanks for responding.  :-)

     

    I tried removing all of the secure settings, (using the config tool, of course), and re-adding just the wildcard cert for both the web service and the report manager.  When I try to access the secure page https://test1.testdomain.org/reports_sql2008 , I get the following browser error:

     

    Internet Explorer cannot display the webpage 
      
    Most likely causes:
    You are not connected to the Internet.
    The website is encountering problems.
    There might be a typing error in the address.
     
     

    I can access the unsecure page, http://test1.testdomain.org/reports_sql2008 , just fine.

     

    The tag you asked earlier has a value of:

     

    <Add Key="SecureConnectionLevel" Value="0"/>

     

    Do you know of anyone who is successfully using a wildcard cert with SSRS 2008?  I'd be curious to see what their rsconfigserver.config looks like compared to mine.

     

    Monday, October 27, 2008 10:36 PM
  • Can you check one more thing? Restart the RS service, and then try to access https://test1.testdomain.org/reports_sql2008. Send me the log file. Basically I want to look at the urls that RS service tries to register.
    Monday, October 27, 2008 10:43 PM
    Moderator
  • Certainly.  (I did a little find | replace magic to mask the real domain and machine names, but they should list consistently with what I previously posted.)

     

    <Header>

    <Product>Microsoft SQL Server Reporting Services Version 2007.0100.1600.022 ((SQL_PreRelease).080709-1414 )</Product>

    <Locale>English (United States)</Locale>

    <TimeZone>Pacific Daylight Time</TimeZone>

    <Path>C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\Logfiles\ReportServerService__10_27_2008_15_53_13.log</Path>

    <SystemName>COLO-TEST1</SystemName>

    <OSName>Microsoft Windows NT 6.0.6001 Service Pack 1</OSName>

    <OSVersion>6.0.6001</OSVersion>

    <ProcessID>2352</ProcessID>

    </Header>rshost!rshost!8f8!10/27/2008-15:53:13:: i INFO: CLR runtime is initialized.

    rshost!rshost!8f8!10/27/2008-15:53:13:: i INFO: Derived memory configuration based on physical memory as 16775628 KB

    appdomainmanager!DefaultDomain!e5c!10/27/2008-15:53:13:: i INFO: Entered managed ServiceMain in DefaultDomain.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing ConnectionType to '1' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing SecureConnectionLevel to '0' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing CleanupCycleMinutes to '10' minute(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MaxActiveReqForOneUser to '20' requests(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing DatabaseQueryTimeout to '120' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing RunningRequestsScavengerCycle to '60' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing RunningRequestsDbCycle to '60' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing RunningRequestsAge to '30' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MaxScheduleWait to '5' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing DisplayErrorLink to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing WebServiceUseFileShareStorage to 'False' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing WatsonFlags to '1064' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing WatsonDumpOnExceptions to 'Microsoft.ReportingServices.Diagnostics.Utilities.InternalCatalogException,Microsoft.ReportingServices.Modeling.InternalModelingException,Microsoft.ReportingServices.ReportProcessing.UnhandledReportRenderingException' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing WatsonDumpExcludeIfContainsExceptions to 'System.Threading.ThreadAbortException,System.Web.UI.ViewStateException,System.OutOfMemoryException,System.Web.HttpException,System.IO.IOException,System.IO.FileLoadException' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing AuthenticationTypes to '4' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing EnableAuthPersistence to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing IsSchedulingService to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing IsNotificationService to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing IsEventService to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing PollingInterval to '10' second(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing WindowsServiceUseFileShareStorage to 'False' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MemorySafetyMargin to '80' percent as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MemoryThreshold to '90' percent as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing RecycleTime to '720' minute(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MaxAppDomainUnloadTime to '30' minute(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing MaxQueueThreads to '0' thread(s) as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing IsWebServiceEnabled to 'True' as specified in Configuration file.

    library!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Initializing IsReportManagerEnabled to 'True' as specified in Configuration file.

    configmanager!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Using report server internal url http://localhost:80/ReportServer_SQL2008.

    configmanager!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Using report server external url http://COLO-TEST1:80/ReportServer_SQL2008.

    configmanager!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Using url root http://COLO-TEST1:80/ReportServer_SQL2008.

    appdomainmanager!DefaultDomain!c24!10/27/2008-15:53:13:: i INFO: Appdomain:2 WindowsService_0 started.

    resourceutilities!WindowsService_0!c24!10/27/2008-15:53:14:: i INFO: Reporting Services starting SKU: Enterprise

    resourceutilities!WindowsService_0!c24!10/27/2008-15:53:14:: i INFO: Evaluation copy: 0 days left

    resourceutilities!WindowsService_0!c24!10/27/2008-15:53:14:: i INFO: Running on 8 physical processors, 8 logical processors

    rshost!rshost!2f0!10/27/2008-15:53:14:: i INFO: Registered url=https://+:443/ReportServer_SQL2008/, vdir=/ReportServer_SQL2008, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportServer.

    rshost!rshost!2f0!10/27/2008-15:53:14:: i INFO: Registered url=http://+:80/ReportServer_SQL2008/, vdir=/ReportServer_SQL2008, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportServer.

    rshost!rshost!2f0!10/27/2008-15:53:14:: i INFO: Currently registered url http://+:80/ReportServer_SQL2008/ on endpoint 2

    rshost!rshost!2f0!10/27/2008-15:53:14:: i INFO: Currently registered url https://+:443/ReportServer_SQL2008/ on endpoint 2

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Registered url=http://+:80/Reports_SQL2008/, vdir=/Reports_SQL2008, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportManager.

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Registered url=https://+:443/Reports_SQL2008/, vdir=/Reports_SQL2008, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportManager.

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Registered url=http://test1.testdomain.org:80/Reports_SQL2008/, vdir=/Reports_SQL2008, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportManager.

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Currently registered url http://test1.testdomain.org:80/Reports_SQL2008/ on endpoint 3

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Currently registered url https://+:443/Reports_SQL2008/ on endpoint 3

    rshost!rshost!8bc!10/27/2008-15:53:14:: i INFO: Currently registered url http://+:80/Reports_SQL2008/ on endpoint 3

    rshost!rshost!d28!10/27/2008-15:53:14:: i INFO: Endpoint 4 is disabled and no url is registered vdir=/ReportServer_SQL2008/ReportBuilder, pdir=C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportServer\ReportBuilder.

    rshost!rshost!c24!10/27/2008-15:53:14:: i INFO: Derived memory configuration based on physical memory as 16775628 KB

    rpcserver!DefaultDomain!6a4!10/27/2008-15:53:14:: i INFO: Process monitoring started.

    servicecontroller!DefaultDomain!10b0!10/27/2008-15:53:14:: i INFO: Total Physical memory: 17178243072

    library!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Catalog SQL Server Edition = Enterprise

    crypto!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Initializing crypto as user: TESTDOMAIN\service_sql_ssrs

    crypto!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Exporting public key

    crypto!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Performing sku validation

    crypto!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Importing existing encryption key

    dbpolling!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: EventPolling polling service started

    dbpolling!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: NotificationPolling polling service started

    dbpolling!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: SchedulePolling polling service started

    dbpolling!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: UpgradePolling polling service started

    dbpolling!WindowsService_0!fb0!10/27/2008-15:53:14:: i INFO: HeartbeatThread(EventPolling): heartbeat thread started.

    dbpolling!WindowsService_0!f90!10/27/2008-15:53:14:: i INFO: HeartbeatThread(NotificationPolling): heartbeat thread started.

    dbpolling!WindowsService_0!2f0!10/27/2008-15:53:14:: i INFO: PollingMaintenance: Polling started

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Database Cleanup (NT Service) timer enabled: Next Event: 600 seconds. Cycle: 600 seconds

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Running Requests Scavenger timer enabled: Next Event: 60 seconds. Cycle: 60 seconds

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Running Requests DB timer enabled: Next Event: 60 seconds. Cycle: 60 seconds

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Execution Log Entry Expiration timer enabled: Next Event: 36405 seconds. Cycle: 86400 seconds

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Memory stats update timer enabled: Next Event: 60 seconds. Cycle: 60 seconds

    runningjobs!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: SQM timer timer enabled: Next Event: 40005 seconds. Cycle: 86400 seconds

    rpcserver!DefaultDomain!918!10/27/2008-15:53:14:: i INFO: RPC Server started.

    servicecontroller!DefaultDomain!918!10/27/2008-15:53:14:: i INFO: RPC Server started. Endpoint name ='ReportingServices$MSRS10.SQL2008'

    appdomainmanager!WindowsService_0!918!10/27/2008-15:53:14:: i INFO: Appdomain:2 WindowsService_0 initialized.

    library!DefaultDomain!918!10/27/2008-15:53:15:: i INFO: Catalog SQL Server Edition = Enterprise

    resourceutilities!DefaultDomain!918!10/27/2008-15:53:15:: i INFO: Reporting Services starting SKU: Enterprise

    resourceutilities!DefaultDomain!918!10/27/2008-15:53:15:: i INFO: Evaluation copy: 0 days left


     

     

    Thanks,

     

    Eric

    Monday, October 27, 2008 10:50 PM
  • I copied the httpcfg.exe from one of my Win2k3 boxes to my Win2k8 box, and also found a nifty GUI for executing it:  http://www.stevestechspot.com/ABetterHttpcfg.aspx .  I used IIS7 to import my wildcard cert.  I then used the httpconfig GUI to add the SSL cert to 0.0.0.0:443 .

     

    Next, I added a Register permission for my TESTDOMAIN\service_sql_ssrs user to an https://test1.testdomain.org:443 address.

     

    Lastly, I manually added the following URL to the ReportManager section in the rsreportserver.config:

     

    <URL>

    <UrlString>https://+:443</UrlString>

    <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

    <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

    </URL>

     

    Stopped and started the report server service, and it worked!  I can now access my https://test1.testdomain.org/reports_sql2008/ address and it is using my wildcard cert!

     

    When just an https://+:443/Reports_SQL2008/ was in the httpcfg, I would get "HTTP Error 503 Service Unavailable" messages in my browser.  But as soon as I removed it and added the https://test1.testdomain.org:443/Reports_SQL2008/ , it worked!

     

    However, https://test1.testdomain.org:443/ReportServer_SQL2008/ is not accessible....so this pretty much excludes the Report Builder from running.  =p

     

    Arg!

     

    Tuesday, October 28, 2008 1:44 AM
  • Sounds like you did a lot of research! Smile You pretty much figured out the inner workings of WMI/Config tool.

    I am very confused at the problem now. Basically it comes down to three things for report manager:
     1. The SSL cert binding on 0.0.0.0:443
     2. The URL reservation on https://+:443/Reports_SQL2008, which can be configured using httpconfig/httpcfg.
     3. The <UrlString> https://+:443/Reports_SQL2008 in rsreportserver.config, which is read by RS service at runtime to register the url. This can be confirmed by looking at the log file.

     

    So what you were saying is that step 2 must be https://test1.testdomain.org:443/Reports_SQL2008. The wildcard url reservation did not work. This is very odd to me. Step 2 is configuring an ACL on the url in HTTP.SYS so that step 3 can successfully register the same url. Step 3 is the only thing that matters in terms of listening to requests. Unless service_sql_ssrs is an admin, you will need the url in step 2 to match step 3. It looks like it worked when they didn't match, and failed when they match.

     

    So if you follow what you did for report manager (change Reports_SQL2008 to ReportServer_SQL2008), does report server work?

     

    Tuesday, October 28, 2008 5:27 PM
    Moderator
  • hehe...it certainly feels like it.  (need more coffee!)

     

    I'm getting closer to a "secure" deployment.  I started over again just to retrace my steps.

    1. Registered wildcard cert on computer via IIS7.
    2. Launched SSRS config tool.
    3. Navigated to Web Service URL tab and clicked Advanced button.
    4. Under "Multiple HTTP Identities for the Report Server Web Service":
      • It already has an "All Assigned : 80" entry by default.
      • Added the following host header:
        • test1.testdomain.org:80
    5. Under "Multiple SSL Identities for the Report Server Web Service":
      • Added my wildcard cert to:
        • (All IPv4) : 443
    6. On the Web Service URL tab, the Report Server Web Service URLs appear as follows:
    7. I tested each of the URLs, and they all work fine.
    8. Next, I navigated to the Report Manager URL tab and clicked on the Advanced button.
    9. Under the "Multiple Identities for Report Manager":
      1. It already has an "All Assigned : 80" entry by default.
      2. Added the following host header:
        • test1.testdomain.org:80
    10. Under "Multiple SSL Identiries for the Report Server Web Service":
      • Added my wildcard cert, (just as before), to:
        • (All IPv4) : 443
      • When I hit OK I get the following error message:

        Reserving url https://+:443

        We were unable to reserve the url

        Tell me more about the problem and how to resolve it.  (clicked on link)

        Microsoft.ReportingServices.WmiProvider.WMIProviderException: An unknown error has occurred in the WMI Provider. Error Code 800700B7
      •  ---> System.Runtime.InteropServices.COMException (0x800700B7): Cannot create a file when that file already exists. (Exception from HRESULT: 0x800700B7)
           --- End of inner exception stack trace ---
           at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
           at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ReserveURL(String application, String url, ErrorCodes& errorCode)
           at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.ReserveURL(UrlApplication app, String url, ErrorCodes& errorCode)

    11. At this point, I rolled up my sleeves and manually tried to add an entry to the httpcfg with httpconfig for https://+:443/Reports_SQL2008, but it threw an exception...my guess at this point was that you cannot have two https://+:443/... entries in the httpcfg.
    12. I manually added an https://test1.testdomain.org:443/Reports_SQL2008/ to the httpcfg and then modified my rsreportserver.config file to look like so:

      <URLReservations>

      <Application>

      <Name>ReportServerWebService</Name>

      <VirtualDirectory>ReportServer_SQL2008</VirtualDirectory>

      <URLs>

      <URL>

      <UrlString>http://+:80</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      <URL>

      <UrlString>http://test1.testdomain.org:80</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      <URL>

      <UrlString>https://+:443</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      </URLs>

      </Application>

      <Application>

      <Name>ReportManager</Name>

      <VirtualDirectory>Reports_SQL2008</VirtualDirectory>

      <URLs>

      <URL>

      <UrlString>http://+:80</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      <URL>

      <UrlString>http://test1.testdomain.org:80</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      <URL>

      <UrlString>https://+:443</UrlString>

      <AccountSid>S-1-5-21-873839729-4129783965-1078289997-3644</AccountSid>

      <AccountName>TESTDOMAIN\service_sql_ssrs</AccountName>

      </URL>

      </URLs>

      </Application>

      </URLReservations>


    13. After stopping and starting the Report Server service, I am now able to access both the Web Service and the Report Service as both:

      http://test1.testdomain.org/ReportServer_SQL2008/
      https://test1.testdomain.org/ReportServer_SQL2008/
      http://test1.testdomain.org/Reports_SQL2008/
      https://test1.testdomain.org/Reports_SQL2008/

    So, I'm further along than before! 

     

    The problem now is that when I launch the Report Builder tool from the https://test1.testdomain.org/Reports_SQL2008/ Report Manager site, the launcher throws an error:

     

    PLATFORM VERSION INFO
     Windows    : 5.1.2600.196608 (Win32NT)
     Common Language Runtime  : 2.0.50727.3053
     System.Deployment.dll   : 2.0.50727.3053 (netfxsp.050727-3000)
     mscorwks.dll    : 2.0.50727.3053 (netfxsp.050727-3000)
     dfdll.dll    : 2.0.50727.3053 (netfxsp.050727-3000)
     dfshim.dll    : 2.0.50727.3053 (netfxsp.050727-3000)

    SOURCES
     Deployment url   :
    https://test1.testdomain.org/ReportServer_SQL2008/ReportBuilder/ReportBuilder.application

    ERROR SUMMARY
     Below is a summary of the errors, details of these errors are listed later in the log.
     * Activation of
    https://test1.testdomain.org/ReportServer_SQL2008/ReportBuilder/ReportBuilder.application resulted in exception. Following failure messages were detected:
      + Downloading
    https://test1.testdomain.org/ReportServer_SQL2008/ReportBuilder/ReportBuilder.application did not succeed.
      + The remote server returned an error: (401) Unauthorized.

    COMPONENT STORE TRANSACTION FAILURE SUMMARY
     No transaction error was detected.

    WARNINGS
     There were no warnings during this operation.

    OPERATION PROGRESS STATUS
     * [10/28/2008 11:10:33 AM] : Activation of
    https://test1.testdomain.org/ReportServer_SQL2008/ReportBuilder/ReportBuilder.application has started.

    ERROR DETAILS
     Following errors were detected during this operation.
     * [10/28/2008 11:10:33 AM] System.Deployment.Application.DeploymentDownloadException (Unknown subtype)
      - Downloading
    https://test1.testdomain.org/ReportServer_SQL2008/ReportBuilder/ReportBuilder.application did not succeed.
      - Source: System.Deployment
      - Stack trace:
       at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)
       at System.Deployment.Application.SystemNetDownloader.DownloadAllFiles()
       at System.Deployment.Application.FileDownloader.Download(SubscriptionState subState)
       at System.Deployment.Application.DownloadManager.DownloadManifestAsRawFile(Uri& sourceUri, String targetPath, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
       at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestDirectBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options, ServerInformation& serverInformation)
       at System.Deployment.Application.DownloadManager.DownloadDeploymentManifestBypass(SubscriptionStore subStore, Uri& sourceUri, TempFile& tempFile, SubscriptionState& subState, IDownloadNotification notification, DownloadOptions options)
       at System.Deployment.Application.ApplicationActivator.PerformDeploymentActivation(Uri activationUri, Boolean isShortcut, String textualSubId, String deploymentProviderUrlFromExtension, BrowserSettings browserSettings, String& errorPageUrl)
       at System.Deployment.Application.ApplicationActivator.ActivateDeploymentWorker(Object state)
      --- Inner Exception ---
      System.Net.WebException
      - The remote server returned an error: (401) Unauthorized.
      - Source: System
      - Stack trace:
       at System.Net.HttpWebRequest.GetResponse()
       at System.Deployment.Application.SystemNetDownloader.DownloadSingleFile(DownloadQueueItem next)

    COMPONENT STORE TRANSACTION DETAILS
     No transaction information is available.

     

    I've tried changing it from Keberos to NTLM in my rsreportserver.config file, but to no avail.  (I had already configured some http/ SPNs so that I could access the site via Kerberos and have confirmed my authentication in the Security Event Log.  When I changed to NTLM, I confirmed in the Security Event Log that I am now indeed authenticating with NTLM, but it still doesn't want to launch for me.

     

    I am so exhausted, but we've spent a boatload of money on this server and the software so that we could have a stellar report server.  Help me Obi-wan!

    Tuesday, October 28, 2008 6:51 PM
  • This could the the problem with NTLM using host headers. See this link for workarounds: http://support.microsoft.com/kb/896861.

     

    - Does HTTP 401 occur if you access RB using HTTP instead of HTTPS? (I can't think of any reason why 401 only happens for HTTPS.)

     

    The problem you get in step 10 is most likely due to manual editing and configuration. WMI/Config tool uses rsreportserver.config to keep track of the settings it configured. Most likely you manually added url reservatioin for https://+:443/Reports_SQL2008. WMI/config tool will not know because the <Url> section for report manager doesn't have it.

    Tuesday, October 28, 2008 7:55 PM
    Moderator
  • I finally got it working.  It turns out that the Report Builder is a ClickOnce app that needs to be hosted by an anonymous website for the download.  Once it is downloaded, it can connect and authenticate with the secure reporting services web service url.

     

    So, here's how I got it to work:

    1. I changed the HTTP ports for my Report Manager URL and Web Service URL to 8098 and 8099, respectively.
    2. Next, I setup an anonymous HTTP website on IIS7 on for http://test1.testdomain.org:80 .
    3. I then copied the entire C:\Program Files\Microsoft SQL Server\MSRS10.SQL2008\Reporting Services\ReportServer\ReportBuilder folder into the c:\inetpub\wwwroot folder.
    4. I added a Custom Report Builder Launch URL to point to the report builder app:  http://test1.testdomain.org/ReportBuilder/ReportBuilder.application 
    5. I then put a default.htm file in my c:\inetpub\wwwroot\ folder with some javascript that redirects the browser to the https://test1.testdomain.org/Reports_SQL2008/ site, just to make it easier for users to type.

    All-in-all, it seems like SSRS 2008 isn't as friendly of a deployment as its predecessor, if you are trying to deploy securely to the Internet.

     

    I shiver at the thought of my next task:  Getting a SharePoint instance to work with our MOSS site using protocol transition with constrained delegation.  =p

     

    Thanks for your suggestions, James.  You gave me a lot of good ideas, and I've managed to develop a new vocabulary in the process!  :-)

     

    Eric

    Tuesday, October 28, 2008 10:45 PM
  • Interesting problem - I would suggest using http://connect.microsoft.com to file a bug report since I would have expected this to work.  A bug report will help us communicate with you as we investigate the issue.

    Thanks,
    -Lukasz
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Monday, March 30, 2009 10:05 PM
    Moderator
  • I believe I have an issue similar in sorts and based on the above thread you both may be able to assist.  I am no expert, but I follow almost everything stated above, so be specific in your replies (thanks in advance).

    I have a simple SSL certificate for a subdomain that is bound to specific ip address and this is working as expected.  This webserver provides internet service to port 80 and 443 (hopefully).  It is a single tier system, meaning I have MS 2008 SP1 and Windows Server 2003 installed on the same box.

    I am able to setup (through RSCM the web service URL and Report Manager URL with various settings and access the url's locally and remotely. However, I don't want to access the web service or report manager outside of the server without SSL.  With my limited understanding and experimentation, this appears to be all or nothing...

    If I remove all web service http (:80) entries (for experimental purposes), the SSL test fails (meaning outside of the firewall).
    If I leave the web service http (:80) entries in, the SSL test pass.  The issue I have with this configuration - the upper right links for 'Home, Settings, Subscriptions' all point to 'http' not 'https'
    I would care if port 80 was available as I will control users via link.  What I can't manage is if they get re-routed after authentication to port 80 and bookmark the link.  They will then authenticate the next time in clear text and what's the point of SSL. 

    I can't constrain the traffic on port 443 and remove port 80 to this box, but I can on this dedicated external ip. 
    I don't have an issue using wildcards on ssl, but have not configured it this way for SSL as the certificate is bound to an ip address already.

    Has anyone experienced the same with the upper right links pointing to http (:80) after authentication on 443?
    Tuesday, April 21, 2009 6:02 AM
  • Yes, we had exactly this problem. It goes away if you put this

    <Add Key="SecureConnectionLevel" Value="3"/>

    in rsreportserver.config. But then we experienced a whole host of other problems. For instance, if you make any changes through the configuration tool, annoyingly, it restores the port 80 http URL for the report server (even if you just add an "x" to the URL).

    It even screwed up its own config on ours to the extent that it couldn't attach to port 443 on service restart and we had to kick the box.

    SSRS on SSL on 2008 seems to be riddled with bugs.

    Thursday, September 10, 2009 11:01 AM
  • I think you can contact with your hosting service provider to add SSL for you. Some of good SSRS 2008 web hosting service provider could be found at


    Regards,
    Monday, October 12, 2009 10:23 AM