You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service

Article ID: 842421

SYMPTOMS

On a computer that is running Microsoft SQL Server 2000 Reporting Services, if you change the user account that you use to run the Report Server service, and then you restart the Report Server service, you may notice a behavior that is similar to the following:
  • If you change the user account that is used to run the Report Server Windows service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing 
     crypto as user: DomainName\UserName
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Exporting 
     public key
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Performing 
     sku validation
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing 
     existing encryption key
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing 
     Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
     The report server cannot decrypt the symmetric key used to access sensitive or 
     encrypted data in a report server database. You must either restore a backup key 
     or delete all encrypted content and then restart the service. Check the 
     documentation for more information., ; Info: 
    Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
     The report server cannot decrypt the symmetric key used to access sensitive or 
     encrypted data in a report server database. You must either restore a backup 
     key or delete all encrypted content and then restart the service. Check the 
     documentation for more information. ---> 
    System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
     at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
      IntPtr errorInfo)
     at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
     at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
     --- End of inner exception stack trace ---
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught 
     while starting service. Error: 
     Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
     The report server cannot decrypt the symmetric key used to access sensitive or 
     encrypted data in a report server database. You must either restore a backup  
     key or delete all encrypted content and then restart the service. Check the 
     documentation for more information. ---> 
    System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
     at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
      IntPtr errorInfo)
     at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
     at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
     --- End of inner exception stack trace ---
     at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
     at Microsoft.ReportingServices.Library.ConnectionManager.ConnectStorage()
     at Microsoft.ReportingServices.Library.ConnectionManager.VerifyConnection()
     at Microsoft.ReportingServices.Library.ServiceController.ServiceStartThread()
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start
     service again...
    Note By default, the Report Server Windows service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServerService_TimeStamp.log file.
  • If you change the user account that is used to run the Report Server Web service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Initializing crypto as 
     user: UserName
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Exporting public key
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Performing sku validation
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Importing existing encryption 
     key
    aspnet_wp!library!c84!5/21/2004-05:26:15:: e ERROR: 
     Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
     The report server cannot decrypt the symmetric key used to access sensitive 
     or encrypted data in a report server database. You must either restore a 
     backup key or delete all encrypted content and then restart the service. 
     Check the documentation for more information., ;
    Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
     The report server cannot decrypt the symmetric key used to access sensitive or 
     encrypted data in a report server database. You must either restore a backup 
     key or delete all encrypted content and then restart the service. Check the 
     documentation for more information. ---> 
     System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
    at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
     IntPtr errorInfo)
    at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
    at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
       --- End of inner exception stack trace ---
    aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server 
     stopped
    Note By default, the Report Server Web service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServer_TimeStamp.log file.

    Additionally, when you start the Report Manager, you may receive an error message that is similar to the following:

    The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled) Get Online Help
    Bad Data.

CAUSE

The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.
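
To check a trace log for this condition, the following added example (not part of the original article or of Reporting Services) parses the entry format shown in SYMPTOMS, joins wrapped continuation lines, and reports which process failed to import the symmetric key and which account it initialized crypto as. The function names and the sample text are assumptions constructed for illustration.

```python
import re

# Entry header: process!component!thread!M/D/YYYY-HH:MM:SS:: message
HEADER = re.compile(r"^\s*(?P<proc>[^!\s]+)!(?P<comp>[^!\s]+)!(?P<tid>[0-9a-fA-F]+)!"
                    r"(?P<ts>\d+/\d+/\d+-\d+:\d+:\d+)::\s*(?P<msg>.*)$")
CRYPTO_USER = re.compile(r"Initializing crypto as user:\s*(\S+)")
HRESULT = re.compile(r"COMException \((0x[0-9A-Fa-f]{8})\)")

# Constructed sample, abridged ("[...]") from the trace excerpts in SYMPTOMS.
SAMPLE = r"""
ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing
 crypto as user: DomainName\UserName
ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing
 Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
 The report server cannot decrypt the symmetric key [...] --->
System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
 at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught
 while starting service. Error: [...] ReportServerDisabledException [...]
aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server stopped
"""

def parse_entries(text):
    """Split the log into entries, joining wrapped lines onto their header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return [dict(e, msg=" ".join(e["msg"].split())) for e in entries]

def find_key_failures(text):
    """Return one finding per process/thread that could not import the key."""
    account, findings = {}, {}
    for e in parse_entries(text):
        key = (e["proc"], e["tid"])
        user = CRYPTO_USER.search(e["msg"])
        if user:
            account[key] = user.group(1)  # account the service ran as
        if "ReportServerDisabledException" in e["msg"]:
            hr = HRESULT.search(e["msg"])
            f = findings.setdefault(key, {
                "process": e["proc"], "account": account.get(key, "unknown"),
                "first_seen": e["ts"], "hresult": hr and hr.group(1), "entries": 0})
            f["entries"] += 1
    return list(findings.values())
```

Run `find_key_failures` on the contents of a ReportServerService_TimeStamp.log or ReportServer_TimeStamp.log file; an account in the result that differs from the account the service ran as when the keys were created matches the cause described above.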

RESOLUTION

To resolve this problem, you must back up the encryption keys before you change the user account that is used to run the Report Server Windows service or the Report Server Web service, and then you must apply the keys that were backed up. To do this, on the computer that is running Reporting Services, follow these steps:
  1. Start the Report Server Windows service and the Report Server Web service by using the user account under which the services previously ran successfully.
  2. Use the rskeymgmt command-line utility to back up the encryption keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -e -f FileName -p StrongPassword
    Note: Replace FileName and StrongPassword with an appropriate file name and an appropriate password. By default, the rskeymgmt command-line utility is located in the InstallationDrive:\Program Files\Microsoft SQL Server\80\Tools\Binn folder.

    For more information about the rskeymgmt command-line utility, run the following command at the command prompt:
    RSKeyMgmt /?
  3. Use the rskeymgmt command-line utility to remove the reference to the existing keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -r InstallationID
    Note Replace InstallationID with the installation ID that is provided in the InstallationID setting of the RSReportServer.config file. By default, the RSReportServer.config file is stored in the InstallationDrive:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder.
  4. Stop Microsoft Internet Information Services (IIS).
  5. Stop the Report Server Windows service.
  6. Change the user account that is used to run the Report Server Windows service or the Report Server Web service to the user account that you want.
  7. Start IIS.
  8. Start the Report Server Windows service.
  9. Use the rskeymgmt command-line utility to apply the encryption keys that were backed up in step 2. To do this, run the following command at the command prompt:
    RSKeyMgmt -a -f FileName -p StrongPassword
    Note Replace FileName and StrongPassword with the file name and the password that you used to back up the symmetric encryption keys in step 2.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about Reporting Services trace logs, visit the following Microsoft Developer Network (MSDN) Web site:
http://msdn2.microsoft.com/en-us/library/aa972243(SQL.80).aspx
For more information about the RSReportServer.config configuration file, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa972212(SQL.80).aspx

Properties

Article ID: 842421 - Last Review: March 29, 2007 - Revision: 1.3
APPLIES TO
  • Microsoft SQL Server 2000 Reporting Services