Advanced SSRS Setup - Wildcard Certificates and TLS 1.2

  • Stop SSRS service

  • Add URL reservations and permissions (may need to remove previous 443 URL reservations first):

    C:\Windows\system32>netsh http add urlacl url=https://[YourSSRSDomain]:443/ReportServer user=[YourSSRSUser]
    URL reservation successfully added

    C:\Windows\system32>netsh http add urlacl url=https://[YourSSRSDomain]:443/Reports user=[YourSSRSUser]
    URL reservation successfully added

  • In rsreportserver.config, set SecureConnectionLevel to 3:

    <Add Key="SecureConnectionLevel" Value="3"/>
  • Set URL reservations:

    <Application>
      <Name>ReportServerWebService</Name>
      <VirtualDirectory>ReportServer</VirtualDirectory>
      <URLs>
        <URL>
          <UrlString>http://+:80</UrlString>
          <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid>
          <AccountName>NT SERVICE\SQLServerReportingServices</AccountName>
        </URL>
        <URL>
          <UrlString>https://+:443</UrlString>
          <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid>
          <AccountName>NT SERVICE\SQLServerReportingServices</AccountName>
        </URL>
      </URLs>
    </Application>
    <Application>
      <Name>ReportServerWebApp</Name>
      <VirtualDirectory>Reports</VirtualDirectory>
      <URLs>
        <URL>
          <UrlString>http://+:80</UrlString>
          <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid>
          <AccountName>NT SERVICE\SQLServerReportingServices</AccountName>
        </URL>
        <URL>
          <UrlString>https://+:443</UrlString>
          <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid>
          <AccountName>NT SERVICE\SQLServerReportingServices</AccountName>
        </URL>
        <URL>
          <UrlString>https://ssrs.domain.com:443</UrlString>
          <AccountSid>80-xxxxxx-xxxxxx-xxxxxx-xxxxxx-379003301</AccountSid>
          <AccountName>NT SERVICE\SQLServerReportingServices</AccountName>
        </URL>
      </URLs>
    </Application>

  • Set UrlRoot:

    <UrlRoot>https://[YourSSRSDomain]</UrlRoot>
  • Set ReportServerUrl:

    <ReportServerUrl>https://[YourSSRSDomain]</ReportServerUrl>
  • Open SSRS configuration manager

  • Start SSRS service

  • Go to Web Service URL and select the certificate and click "Apply"

  • Go to Web Portal URL and select the certificate and click "Apply"

  • Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa create a new DWORD called DisableLoopBackCheck and set its value to 1

  • Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy set the Enabled DWORD value to 0 if it isn’t already

 

TLS 1.2 and SSRS


To fix the issue where images aren't being loaded properly by SSRS, you need to do the following:

 

  1. Update the Registry with the following settings:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
    "SystemDefaultTlsVersions"=dword:00000001

  2. Update the following file:

    C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\bin\ReportingServicesService.exe.config

  3. Put this in the runtime section (at the top):

    <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=false;Switch.System.Net.DontEnableSchUseStrongCrypto=false" />

  4. You may also need to make the server's client protocols only use TLS 1.1 or TLS 1.2.

See Nartac's IISCrypto tool and its "Best Practices".
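
A read-only check of the settings changed in the steps above, as an added example that is not part of the original page: it reports the registry values, the relevant `rsreportserver.config` entries, the port-443 URL reservations and the HTTP.SYS certificate bindings. The `$SsrsRoot` install path is an assumption derived from the file path in step 2, and the function names are hypothetical; run it from an elevated PowerShell prompt on the SSRS host.

```powershell
# Added example: read-only audit of the settings this page changes.
# Assumption: default SSRS 2017+ install path; adjust $SsrsRoot for other versions.
$SsrsRoot = 'C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer'
$Net      = 'Microsoft\.NETFramework'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry values and the data each step on this page expects.
$expected = @(
    @{ Path = "HKLM:\SOFTWARE\$Net\v4.0.30319";             Name = 'SchUseStrongCrypto';       Want = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$Net\v4.0.30319"; Name = 'SchUseStrongCrypto';       Want = 1 }
    @{ Path = "HKLM:\SOFTWARE\$Net\v2.0.50727";             Name = 'SystemDefaultTlsVersions'; Want = 1 }
    @{ Path = "HKLM:\SOFTWARE\Wow6432Node\$Net\v2.0.50727"; Name = 'SystemDefaultTlsVersions'; Want = 1 }
    @{ Path = $Lsa;                                         Name = 'DisableLoopBackCheck';     Want = 1 }
    @{ Path = "$Lsa\FipsAlgorithmPolicy";                   Name = 'Enabled';                  Want = 0 }
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Want)
    # A missing key or value is reported as '<missing>' rather than raising an error.
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$Name } else { '<missing>' }
    [pscustomobject]@{ Setting = "$Path\$Name"; Expected = $Want; Actual = $actual; Ok = ($actual -eq $Want) }
}

function Get-SsrsConfigSummary {
    param([string]$ConfigPath = (Join-Path $SsrsRoot 'rsreportserver.config'))
    if (-not (Test-Path -LiteralPath $ConfigPath)) { throw "Config not found: $ConfigPath" }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $scl = $cfg.SelectSingleNode('//Add[@Key="SecureConnectionLevel"]')
    [pscustomobject]@{
        SecureConnectionLevel = if ($scl) { $scl.GetAttribute('Value') } else { '<missing>' }
        UrlRoot               = $cfg.SelectSingleNode('//UrlRoot').InnerText
        ReportServerUrl       = $cfg.SelectSingleNode('//ReportServerUrl').InnerText
        UrlStrings            = @($cfg.SelectNodes('//Application/URLs/URL/UrlString') |
                                    ForEach-Object InnerText)
    }
}

# Registry: one row per value, Ok = False where the host differs from the page.
$results = foreach ($e in $expected) { Test-RegistryValue @e }
$results | Format-Table -AutoSize

# rsreportserver.config: SecureConnectionLevel, UrlRoot, ReportServerUrl, reserved URLs.
Get-SsrsConfigSummary | Format-List

# HTTP.SYS: URL reservations on port 443 and the certificate bound to each endpoint.
netsh http show urlacl | Select-String -SimpleMatch ':443/'
netsh http show sslcert
```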
