Saturday, February 25, 2012

Could not establish trust relationship with remote server.

I am trying to setup SQL Server 2000 Reporting services with an SSL
connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
have tried setting up Certificates from both and Stand-Alone and Enterprise
CA. I have tried several combinations of the Issue To name (server |
server.company | server.company.local) I have modified the
rsWebApplication.config and rsReportServer.config to match the certificateâ's
Issue to exactly. I have tried installs with both Domain Accounts and NT
AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
to work but I have had no luck with the report manager
https://server/reports. How do I fix this error?
ThankyouThe most likely reason this is failing is that your Report Server does not
trust the Root Certificate Authority that created the certificate you are
using.
If you go to https://machine/ReportServer and IE says "this certificate is
not valid are you sure you want to accept it?" then you will know that the
certificate is not 100% trusted and that is why you are receiving the error.
You will need to export the Trusted Root Authority certificate from the
issuing server and import it on the Report Server.
--
SQL Server Developer Support Engineer
"vbchewie" wrote:
> I am trying to setup SQL Server 2000 Reporting services with an SSL
> connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
> Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
> have tried setting up Certificates from both and Stand-Alone and Enterprise
> CA. I have tried several combinations of the Issue To name (server |
> server.company | server.company.local) I have modified the
> rsWebApplication.config and rsReportServer.config to match the certificateâ's
> Issue to exactly. I have tried installs with both Domain Accounts and NT
> AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
> to work but I have had no luck with the report manager
> https://server/reports. How do I fix this error?
> Thankyou
>|||I went to the stand alone root certificate authority and exported the
certificate for that server. I then imported it into both the SQL Server and
Reporting Server. Now when I type the FQDN
(https://machine.domain.local/Reports ) I no longer get a certificate error,
but I do still get â'The underlying connection was closed: Could not establish
trust relationship with remote server.â'
Is there something else I can do? Does it have to be an Enterprise Root
Certificate Authority in order to work?
Thank You.
"Chris Alton [MS]" wrote:
> The most likely reason this is failing is that your Report Server does not
> trust the Root Certificate Authority that created the certificate you are
> using.
> If you go to https://machine/ReportServer and IE says "this certificate is
> not valid are you sure you want to accept it?" then you will know that the
> certificate is not 100% trusted and that is why you are receiving the error.
> You will need to export the Trusted Root Authority certificate from the
> issuing server and import it on the Report Server.
> --
> SQL Server Developer Support Engineer
>
> "vbchewie" wrote:
> > I am trying to setup SQL Server 2000 Reporting services with an SSL
> > connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
> > Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
> > have tried setting up Certificates from both and Stand-Alone and Enterprise
> > CA. I have tried several combinations of the Issue To name (server |
> > server.company | server.company.local) I have modified the
> > rsWebApplication.config and rsReportServer.config to match the certificateâ's
> > Issue to exactly. I have tried installs with both Domain Accounts and NT
> > AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
> > to work but I have had no luck with the report manager
> > https://server/reports. How do I fix this error?
> >
> > Thankyou
> >|||You also need to make sure that the SSL certificate you are using matches
the machine name you are accessing it by EXACTLY. You will also need to
make sure that in the Reporting Services configuration tool that you have
checked the "Require Secure Socket Layer (SSL) Connections" and put the
same name you are accessing the server by in the "Certificate Name" field.
So in your example you would put "machine.domain.local" in the Certificate
Field and the certificate should be issued to "machine.domain.local".
The easiest way to tell if the certificate is valid is to open up
https://machine.domain.local/ReportServer from the web server and if IE
complains about the certificate at all then it will not work.
--
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.|||In RSReportServer.config I have my "SecureConnectionLevel" Value="3" and my
<UrlRoot>https://machine.domain.local/ReportServer</UrlRoot>
in RSWebApplication.config
I have
<ReportServerUrl>https://machine.domain.local/ReportServer</ReportServerUrl>
When I go to IIS on the Reporting Server and right click on Default Web Site
> Properties > Directory Security.
And click on 'View Certificate...' it says Issued to: machine.domain.local I
also checked the friendly name it also has machine.domain.local.
When I click 'Edit...' under 'Secure communications' both Require secure
channel(SSL) and Require 128-bit encryption are checked.
When I click 'Edit...' Under 'Authentication and access control' Enable
anonymous access is unchecked.
The same is true for my Virtual Directories 'Reports' and ReportServer'
When I go to https://machine/domain.local/Reports there are no certificate
errors. It goes straight though to a page that says
"The underlying connection was closed: Could not establish trust
relationship with remote server."
You mentioned Reporting Services Configuration Tool. This is Reporting
Services for SQL Server 2000. Is there a Reporting Services Configuration
Tool for this version? I thought that was for 2005.
Iâ'm not sure what I am missing. Any other ideas?
Thank you
"Chris Alton [MSFT]" wrote:
> You also need to make sure that the SSL certificate you are using matches
> the machine name you are accessing it by EXACTLY. You will also need to
> make sure that in the Reporting Services configuration tool that you have
> checked the "Require Secure Socket Layer (SSL) Connections" and put the
> same name you are accessing the server by in the "Certificate Name" field.
> So in your example you would put "machine.domain.local" in the Certificate
> Field and the certificate should be issued to "machine.domain.local".
> The easiest way to tell if the certificate is valid is to open up
> https://machine.domain.local/ReportServer from the web server and if IE
> complains about the certificate at all then it will not work.
> --
> Chris Alton, Microsoft Corp.
> SQL Server Developer Support Engineer
> This posting is provided "AS IS" with no warranties, and confers no rights.
>|||I didn't know you were using SQL 2000. The only thing I can think of is
that you need to install the Root CA Certificate in the Certificate Store
of the Machine account. What account do you have the SRS Windows Service
and the IIS Application Pool running under?
If it is LocalSystem or Network Service you can install the certificate by
following these steps:
a. Click Start->Run
b. Type mmc and hit enter.
c. Click File->Add/Remove Snap-in
d. Click the "Add" button.
e. Select "Certificates" from the list
f. Click the "Add" button.
g. Click the "Computer Account" radio button.
h. Click "Next"
i. Make sure "Local Computer" is selected and click "Finish"
j. Click "Close"
k. Click "Ok"
l. Branch down on Certificates.
m. Right click Trusted Root Certification Authorities->All
Tasks->Import...
n. Click "Next" and browse to the certificate you are importing.
o. Click "Next" and make sure the "Place all certificates in the
following store" is selected and "Trusted Root Certification Authorities"
is listed in the "Certificate Store" box. If not browse to it by clicking
the "Browse" button.
p. Click "Next" and then click "Finish"
q. The Trusted Root Authority Certificate should now be imported and
available to web application/service.
Hopefully that should get it now.
--
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.|||It works!!!
SRS is running under a domain\account. In order to get Kerberos to function
properly I used setspn to allow the domain\account to use the http service.
So I am not running under LocalSystem or Network Service.
I logged into the computer with the domain\account that is running both the
SRS Service and the ReportingServices Application Pool. I followed your
directions exactly with only one variation. Instead of picking "Computer
Account" at g. I chose "My Account". It looks like it is working now.
To recap for anyone else that runs into this issue:
SQL Server 2000 is on machine1
SharePoint and Reporting Services are on machine2 and are running under a
domain\account (very limited rights).
SSL Certificate was issued from a Stand-Alone Root Certificate Authority.
Thank you very much for your help,
"Chris Alton [MSFT]" wrote:
> I didn't know you were using SQL 2000. The only thing I can think of is
> that you need to install the Root CA Certificate in the Certificate Store
> of the Machine account. What account do you have the SRS Windows Service
> and the IIS Application Pool running under?
> If it is LocalSystem or Network Service you can install the certificate by
> following these steps:
> a. Click Start->Run
> b. Type mmc and hit enter.
> c. Click File->Add/Remove Snap-in
> d. Click the "Add" button.
> e. Select "Certificates" from the list
> f. Click the "Add" button.
> g. Click the "Computer Account" radio button.
> h. Click "Next"
> i. Make sure "Local Computer" is selected and click "Finish"
> j. Click "Close"
> k. Click "Ok"
> l. Branch down on Certificates.
> m. Right click Trusted Root Certification Authorities->All
> Tasks->Import...
> n. Click "Next" and browse to the certificate you are importing.
> o. Click "Next" and make sure the "Place all certificates in the
> following store" is selected and "Trusted Root Certification Authorities"
> is listed in the "Certificate Store" box. If not browse to it by clicking
> the "Browse" button.
> p. Click "Next" and then click "Finish"
> q. The Trusted Root Authority Certificate should now be imported and
> available to web application/service.
> Hopefully that should get it now.
> --
> Chris Alton, Microsoft Corp.
> SQL Server Developer Support Engineer
> This posting is provided "AS IS" with no warranties, and confers no rights.
>|||If the Windows Service and Application Pool all run under a domain account
then you really don't have to go through all those convoluted steps to
import the cert. That is only if you are using LocalSystem/Network Service
since those are considered the "Machine" account.
If you can log on to the account in an interactive session all you really
have to do to import the certificate is logon and then double click the
cer file and follow the prompts :)
Glad its working for you now though, those SSL issues with SRS can be quite
complicated sometimes.
--
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
--
> Thread-Topic: Could not establish trust relationship with remote server.
> From: <vbchewie@.discussions.microsoft.com>
> Subject: RE: Could not establish trust relationship with remote server.
> Date: Tue, 2 Oct 2007 14:18:01 -0700
> It works!!!
> SRS is running under a domain\account. In order to get Kerberos to
function
> properly I used setspn to allow the domain\account to use the http
service.
> So I am not running under LocalSystem or Network Service.
> I logged into the computer with the domain\account that is running both
the
> SRS Service and the ReportingServices Application Pool. I followed your
> directions exactly with only one variation. Instead of picking "Computer
> Account" at g. I chose "My Account". It looks like it is working now.
> To recap for anyone else that runs into this issue:
> SQL Server 2000 is on machine1
> SharePoint and Reporting Services are on machine2 and are running under a
> domain\account (very limited rights).
> SSL Certificate was issued from a Stand-Alone Root Certificate Authority.
> Thank you very much for your help,
>
> "Chris Alton [MSFT]" wrote:
> > I didn't know you were using SQL 2000. The only thing I can think of is
> > that you need to install the Root CA Certificate in the Certificate
Store
> > of the Machine account. What account do you have the SRS Windows
Service
> > and the IIS Application Pool running under?
> >
> > If it is LocalSystem or Network Service you can install the certificate
by
> > following these steps:
> >
> > a. Click Start->Run
> > b. Type mmc and hit enter.
> > c. Click File->Add/Remove Snap-in
> > d. Click the "Add" button.
> > e. Select "Certificates" from the list
> > f. Click the "Add" button.
> > g. Click the "Computer Account" radio button.
> > h. Click "Next"
> > i. Make sure "Local Computer" is selected and click "Finish"
> > j. Click "Close"
> > k. Click "Ok"
> > l. Branch down on Certificates.
> > m. Right click Trusted Root Certification Authorities->All
> > Tasks->Import...
> > n. Click "Next" and browse to the certificate you are importing.
> > o. Click "Next" and make sure the "Place all certificates in the
> > following store" is selected and "Trusted Root Certification
Authorities"
> > is listed in the "Certificate Store" box. If not browse to it by
clicking
> > the "Browse" button.
> > p. Click "Next" and then click "Finish"
> > q. The Trusted Root Authority Certificate should now be imported
and
> > available to web application/service.
> >
> > Hopefully that should get it now.
> > --
> > Chris Alton, Microsoft Corp.
> > SQL Server Developer Support Engineer
> > This posting is provided "AS IS" with no warranties, and confers no
rights.
> >
> >
>

No comments:

Post a Comment