Environment:
Reporting Services running on a SQL Server 2008 R2 SP3 installation on a Windows 2008 server with .Net 4.6.1 installed and .Net 3.5 enabled as feature. IIS, database and reporting service all in the local machine (custom login URL in a different machine but seems that this is unrelated).
Changes done:
Due to security reasons we are force to move to TLS 1.2 so we did with IISCrypto enabling just TLS 1.2
Outcome:
From this moment we get an error only when trying to access the Report Management site. On the browser we get an error 500 saying:
The underlying connection was closed: An unexpected error occurred on a receive
On the SSRS logs we can see the following exception:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
The callstack starts on the ReportServer OnInit() so it is failing right starting away and the error happens on the Reporting Services initialization.
Enabling traces on the .Net Framework I found the following messages where it is shown that the fail happens when SSRS calls its own web services:
System.Net Information: 0 : [5076] HttpWebRequest#38854310 - Request: POST /ReportServer/ReportService2010.asmx HTTP/1.1
System.Net Information: 0 : [4124]
SecureChannel#52830003::.ctor(hostname=themachineshostname, #clientCertificates=0)
System.Net Information: 0 : [4124] Enumerating security packages:
System.Net Information: 0 : [4124] Negotiate
System.Net Information: 0 : [4124] NegoExtender
System.Net Information: 0 : [4124] Kerberos
System.Net Information: 0 : [4124] NTLM
System.Net Information: 0 : [4124] Schannel
System.Net Information: 0 : [4124] Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4124] WDigest
System.Net Information: 0 : [4124] TSSSP
System.Net Information: 0 : [4124] pku2u
System.Net Information: 0 : [4124] CREDSSP
System.Net Information: 0 : [4124] SecureChannel#52830003 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [4124] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent = Outbound, scc = System.Net.SecureCredential)
System.Net Error: 0 : [4124] AcquireCredentialsHandle() failed with error 0X80090331.
Things already checked:
The certificate in use is still valid and it's signature chain is placed in the proper "Intermediate" and "Root" stores.
Running the Application Pool as an administrator does not help.
Using a custom signed certificate generated from IIS does not help.
Important: The issue only happens on the Reporting Services Management site, the reports work fine
Next Steps
Any ideas on what else to try? Is there a way to know why the security packages where not selected?
Update
The issue is not related to TLS1.2 as enabling TLS 1 again I get the same error. I'm guessing that the login URL is somehow involved.
Let’s ensure 2 things are set properly in the registry (on both your Report Server and IIS custom login server). Reboot is required after reach setting change (do one at a time to see what works).
TLS 1.2 Client/Server Enablement in Registry
Go to HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
and ensure TLS 1.2 is enabled and the other providers are disabled. If TLS 1.2 is not present create it.
Details here
Ensure UseStrongCrypto is Enabled for .NET
Go to here and ensure strong crypto is enabled.
Note: I am on mobile device so hard to type an in depth answer. If these things work for you I can add more detail into the answer later.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With