Advanced SSRS Setup - Wildcard Certificates and TLS 1.2

Owned by Vincent Josset
Feb 23, 2023
3 min read

  • Stop SSRS service

  • Add URL reservations and permissions (may need to remove previous 443 URL reservations first):

    C:\Windows\system32>netsh http add urlacl url=https://[YourSSRSDomain]:443/ReportServer user=[YourSSRSUser] URL reservation successfully added C:\Windows\system32>netsh http add urlacl url=https://[YourSSRSDomain]:443/Reports user=[YourSSRSUser] URL reservation successfully added

  • In rsreportserver.config, set SecureConnectionLevel to 3:

    <Add Key="SecureConnectionLevel" Value="3"/>

  • Set URL reservations:

    <Application> <Name>ReportServerWebService</Name> <VirtualDirectory>ReportServer</VirtualDirectory> <URLs> <URL> <UrlString>http://+:80</UrlString> <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid> <AccountName>NT SERVICE\SQLServerReportingServices</AccountName> </URL> <URL> <UrlString>https://+:443</UrlString> <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid> <AccountName>NT SERVICE\SQLServerReportingServices</AccountName> </URL> </URLs> </Application> <Application> <Name>ReportServerWebApp</Name> <VirtualDirectory>Reports</VirtualDirectory> <URLs> <URL> <UrlString>http://+:80</UrlString> <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid> <AccountName>NT SERVICE\SQLServerReportingServices</AccountName> </URL> <URL> <UrlString>https://+:443</UrlString> <AccountSid>xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx</AccountSid> <AccountName>NT SERVICE\SQLServerReportingServices</AccountName> </URL> <URL> <UrlString>https://ssrs.domain.com:443</UrlString> <AccountSid>80-xxxxxx-xxxxxx-xxxxxx-xxxxxx-379003301</AccountSid> <AccountName>NT SERVICE\SQLServerReportingServices</AccountName> </URL> </URLs> </Application>

  • Set UrlRoot:

  • Set ReportServerUrl:

  • Open SSRS configuration manager

  • Start SSRS service

  • Go to Web Service URL and select the certificate and click "Apply"

  • Got to Web Portal URL and select the certificate and click "Apply"

  • Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa create a new DWORD called DisableLoopBackCheck and set its value to 1

  • Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy set the Enabled DWORD value to 0 if it isn’t already

 

TLS 1.2 and SSRS

To fix the issue where images arent being loaded properly by SSRS you need to do the following:

 

  1. Update the Registry with the following settings:

  1. Update the following file

C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\bin\ReportingServicesService.exe.conf

  1. Put this in the runtime section (at the top)

  1. You may also need to make the server's client protocols only use tls 1.1 or tls 1.2

See Nartac's IISCrypto tool and its "Best Practices".