This annoying error was discovered when I tried to modify subscription settings for one of the reports that I have on SQL Reporting Server 2016.
When you look inside of your Report Server Error Logs, you see the following error:
ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
Recently, I have switched SSRS to https with wildcard certificate and here is the exact scenario I had.
- I have successfully bound your wild card certificate through the Reporting Services Configuration Manager.
- You can browse your Report Server Web Service URL successfully (https://localhost/ReportServer).
- When you browse your Report Manager URL (https://localhost/Reports) or modify subscription settings you get the error above.
- When you look inside of your Report Server Error Logs, you see the following error:
ERROR: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. —> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.runTryCode(Object userData)
at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
— End of inner exception stack trace —
at System.Web.Services.Protocols.WebClientProtocol.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.HttpWebClientProtocol.GetWebResponse(WebRequest request)
at Microsoft.ReportingServices.UI.Global.RSWebServiceWrapper.GetWebResponse(WebRequest request)
at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
at Microsoft.SqlServer.ReportingServices2010.ReportingService2010.ListItemTypes()
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.<ListItemTypes>b__10f()
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper1.ExecuteMethod(Boolean setConnectionProtocol)
1.ExecuteMethod()
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.SoapMethodWrapper
at Microsoft.SqlServer.ReportingServices2010.RSConnection2010.ListItemTypes()
at Microsoft.ReportingServices.UI.Global.SecureAllAPI()
at Microsoft.ReportingServices.UI.GlobalLinks.Control_Init(Object sender, EventArgs args)
ui!ReportManager_0-4!23d8!03/08/2017-09:49:20:: e ERROR: HTTP status code –> 500
The reason you are getting this is because Report Server and Report Manager communicates using a network connection using the URL that is set inside of the Reporting Services Configuration Manager.
When you bind the URL for Report Server using the wild card certificate, it shows up as “https://+:443/ReportServer”, which is registered inside of http.sys. Report Manager cannot find this URL to authenticate, and hence you’ll get your error. This same thing holds true for many types of other scenarios where Report Manager is not able to communicate with Report Server. You can read more about this here:
Reporting Services HTTP 401 (Unauthorized) – Host Headers require your attention
Resolution: To get around this particular issue, follow the below steps:
- Remove the previous URL reservations from http.sys.
- Open an Admin Command Prompt, and type in the netsh commands to show the URL reservations, and then delete them:
netsh http show urlacl
netsh http delete urlacl url="https://+:443/ReportServer/"
netsh http delete urlacl url="https://+:443/Reports/"
- Add the URL of your Report Server:
- Open an Admin Command Prompt, and type in the netsh commands to add your URLs using the domain/username of your Reporting Services Service Account found in the Reporting Services Configuration Manager:
netsh http add urlacl url="https://mysitename.contoso.com:443/Reports" user=Domain\user
netsh http add urlacl url="https://mysitename.contoso.com:443/ReportServer" user=Domain\user
- Once that is done, replace the FQDN for the URL Reservation inside of your rsreportserver.config file to match, found here: <Program Files>\Microsoft SQL Server\MSRSXX.MSSQLSERVER\Reporting Services\ReportServer
- Restart Reporting Services inside of the Report Server Configuration Manager, and now your Report Manager site should come up.
Hopefully this will clear up some confusion for using Wildcard Certificates with Reporting Services.
Good luck!