Configuring a Report Server for Secure Sockets Layer (SSL) Connections

Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate to a Reporting Services URL reservation to support report server connections through an encrypted channel.

Because Internet Information Services (IIS) also uses HTTP SSL, there are significant interoperability issues that you must account for if you run IIS and Reporting Services on the same computer. Be sure to review the Interoperability Issues with IIS section for guidance on how to address these issues.

Server Certificate Requirements

You must have a server certificate installed on the computer (client certificates are not supported). Reporting Services does not provide functionality for requesting, generating, downloading, or installing a certificate. Windows Server 2003 provides a Certificates snap-in that you can use to request a certificate from a trusted certificate authority.

For testing purposes, you can generate a certificate locally. For instructions, see the section "Obtaining a Certificate" in Configuring Certificate for Use by SSL. If you use the MakeCert utility and the sample command as a template, be sure to specify your server name as the host and remove all line breaks before running the command. If you run the command in a DOS window, you might need to increase the buffer size of the window to accommodate the entire command.

If you are running IIS and Reporting Services together on the same computer, you can use the IIS Manager console application to get the certificate installed on your computer. IIS Manager includes options for creating and packaging a certificate request (.crt) file for subsequent processing by a trusted certificate authority. The certificate authority that you are using will generate a certificate (.cer) file and send it back to you. You can use IIS Management console to install the certificate file in the local store. For more information, see Using SSL to Encrypt Confidential Data on Technet.

Interoperability Issues with IIS

The presence of IIS on the same computer as Reporting Services will significantly affect SSL connections to a report server:

  • If IIS is installed, the World Wide Web (W3SVC) service must always be running. The HTTP SSL service will make a dependency on IIS if it detects that IIS is running. This means that the World Wide Web service (W3SVC) must be running whenever IIS and Reporting Services are installed on the same computer and you are configuring report server URLs for SSL connections.

  • Uninstalling IIS can temporarily disrupt service to an SSL-bound report server URL. For this reason, it is strongly recommended that you restart the computer after you uninstall IIS.

    Rebooting the computer is necessary to clear all SSL sessions from cache. Some operating systems cache SSL sessions up to 10 hours, causing an https:// URL to continue to work even after the SSL binding has been removed from the URL reservation in HTTP.SYS. Rebooting the computer closes any open connections that use the channel.

Bind SSL to a Reporting Services URL Reservation

The following steps do not include instructions for requesting, generating, downloading, or installing a certificate. You must have a certificate installed and available to use. The certificate properties that you specify, the certificate authority you obtain it from, and the tools and utilities you use to request and install the certificate are up to you.

You can use the Reporting Services Configuration tool to bind the certificate. If the certificate is installed correctly in the local computer store, the Reporting Services Configuration tool will detect it and display it in the SSL Certificates list on the Web Service URL and Report Manager URL pages.

To configure a report server URL for SSL

  1. Start the Reporting Services Configuration tool and connect to the report server.

  2. Click Web Service URL.

  3. Expand the list of SSL Certificates. Reporting Services detects server authentication certificates in the local store. If you installed a certificate and you do not see it in the list, you might need to restart the service. You can use the Stop and Start buttons on the Report Server Status page in the Reporting Services Configuration tool to restart the service.

  4. Select the certificate.

  5. Click Apply.

  6. Click the URL to verify it works.

Report server database configuration is a requirement for testing the URL. If you have not yet created the report server database, do so before testing the URL.

URL reservations for Report Manager and the Report Server Web service are configured independently. If you want to also configure Report Manager access through an SSL-encrypted channel, continue with the following steps:

  1. Click Report Manager URL.

  2. Click Advanced.

  3. In Multiple SSL Identities for Report Manager, click Add.

  4. Select the certificate, click OK, and then click Apply.

  5. Click the URL to verify it works.

How Certificate Bindings Are Stored

Certificate bindings will be stored in HTTP.SYS. A representation of the bindings you defined will also be stored in the URLReservations section of the RSReportServer.config file. The settings in the configuration file are only a representation of actual values that are specified elsewhere. Do not modify the values in the configuration file directly. The configuration settings will appear in the file only after you use the Reporting Services Configuration tool or the Report Server Windows Management Instrumentation (WMI) provider to bind a certificate.

Note

If you configure a binding with an SSL certificate in Reporting Services and you later want to remove the certificate from the computer, make sure to remove the binding from Reporting Services before you remove the certificate from the computer. Otherwise, you will be unable to remove the binding by using the Reporting Services Configuration tool or WMI and you will receive an "Invalid parameter" error. If you have already removed the certificate from the computer, you can use the Httpcfg.exe tool to remove the binding from HTTP.SYS. For more information about Httpcfg.exe, see the Windows product documentation.