
You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service

SYMPTOMS
On a computer that is running Microsoft SQL Server 2000 Reporting Services, if you change the user account that you use to run the Report Server service, and then you restart the Report Server service, you may notice a behavior that is similar to the following:
  • If you change the user account that is used to run the Report Server Windows service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing crypto as user: DomainName\UserName
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Exporting public key
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Performing sku validation
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing existing encryption key
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information., ; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo)
       at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
       at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
       --- End of inner exception stack trace ---
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught while starting service. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo)
       at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
       at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
       --- End of inner exception stack trace ---
       at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
       at Microsoft.ReportingServices.Library.ConnectionManager.ConnectStorage()
       at Microsoft.ReportingServices.Library.ConnectionManager.VerifyConnection()
       at Microsoft.ReportingServices.Library.ServiceController.ServiceStartThread()
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start service again...
    Note By default, the Report Server Windows service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServerService_TimeStamp.log file.
  • If you change the user account that is used to run the Report Server Web service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Initializing crypto as user: UserName
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Exporting public key
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Performing sku validation
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Importing existing encryption key
    aspnet_wp!library!c84!5/21/2004-05:26:15:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information., ;Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo)
       at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
       at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
       --- End of inner exception stack trace ---
    aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server stopped
    Note By default, the Report Server Web service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServer_TimeStamp.log file.

    Additionally, when you start the Report Manager, you may receive an error message that is similar to the following:

    The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled)
    Bad Data.
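
A check for the failure signature described above, as an added example that is not part of the original article: it parses the trace-log entry layout shown in the excerpts (process!component!thread!timestamp) and reports which account the service initialized crypto as when the 0x80090005 key-import error follows. The function names and the shortened sample log are constructed for illustration.

```python
import re
from datetime import datetime

# Entry header: process!component!thread!M/D/YYYY-HH:MM:SS:: then an optional "i INFO: " / "e ERROR: " tag.
HEADER = re.compile(
    r"^(?P<proc>\w+)!(?P<comp>\w+)!(?P<tid>[0-9a-f]+)!"
    r"(?P<ts>\d{1,2}/\d{1,2}/\d{4}-\d{2}:\d{2}:\d{2})::[ \t]*"
    r"(?:[a-z] (?P<level>[A-Z]+):[ \t]*)?", re.M)
CRYPTO_USER = re.compile(r"Initializing\s+crypto\s+as\s+user:\s*(\S+)")

def parse_entries(text):
    """Split a trace log into entries; stack-trace lines stay with their entry."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%m/%d/%Y-%H:%M:%S")
        entry["message"] = " ".join(text[m.end():end].split())
        entries.append(entry)
    return entries

def find_key_decrypt_failures(text):
    """Return one finding per ERROR entry showing the symmetric key import failed."""
    account, findings = {}, []
    for e in parse_entries(text):
        key = (e["proc"], e["tid"])
        user = CRYPTO_USER.search(e["message"])
        if user:
            account[key] = user.group(1)  # account the service initialized crypto as
        elif (e["level"] == "ERROR" and "ReportServerDisabledException" in e["message"]
              and "0x80090005" in e["message"]):
            findings.append({"process": e["proc"], "time": e["ts"],
                             "account": account.get(key, "unknown")})
    return findings

# Constructed sample, shortened from the excerpts above (one entry per line).
SAMPLE = r"""ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing crypto as user: DomainName\UserName
ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing existing encryption key
ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
   at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught while starting service. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: ... (0x80090005): Bad Data.
ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start service again...
"""

if __name__ == "__main__":
    for f in find_key_decrypt_failures(SAMPLE):
        print(f"{f['time']:%Y-%m-%d %H:%M:%S} {f['process']}: key import failed as {f['account']}")
```

The reported account is the one to compare against the account that was in use when the encryption keys were last backed up or applied.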
CAUSE
The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.
RESOLUTION
To resolve this problem, you must back up the encrypted keys before you change the user account that is used to run the Report Server Windows service or the Report Server Web service, and then you must apply the keys that were backed up. To do this, on the computer that is running the Reporting Services, follow these steps:
  1. Start the Report Server Windows service and the Report Server Web service by using the user account under which the services previously ran successfully.
  2. Use the rskeymgmt command-line utility to back up the encryption keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -e -f FileName -p StrongPassword
    Note: Replace FileName and StrongPassword with an appropriate file name and an appropriate password. By default, the rskeymgmt command-line utility is located in the InstallationDrive:\Program Files\Microsoft SQL Server\80\Tools\Binn folder.

    For more information about the rskeymgmt command-line utility, run the following command at the command prompt:
    RSKeyMgmt /?
  3. Use the rskeymgmt command-line utility to remove the reference to the existing keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -r InstallationID
    Note Replace InstallationID with the installation ID that is provided in the InstallationID setting of the RSReportServer.config file. By default, the RSReportServer.config file is stored in the InstallationDrive:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder.
  4. Stop Microsoft Internet Information Services (IIS).
  5. Stop the Report Server Windows service.
  6. Change the user account that is used to run the Report Server Windows service or the Report Server Web service to the user account that you want.
  7. Start IIS.
  8. Start the Report Server Windows service.
  9. Use the rskeymgmt command-line utility to apply the encryption keys that were backed up in step 2. To do this, run the following command at the command prompt:
    RSKeyMgmt -a -f FileName -p StrongPassword
    Note Replace FileName and StrongPassword with the file name and the password that you used to back up the symmetric encryption keys in step 2.
STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
REFERENCES
For more information about Reporting Services trace logs, visit the following Microsoft Developer Network (MSDN) Web site:
For more information about the RSReportServer.config configuration file, visit the following Microsoft Web site:
Properties

Article ID: 842421 - Last Review: 03/29/2007 10:06:29 - Revision: 1.3

  • Microsoft SQL Server 2000 Reporting Services
  • kbtshoot kbconfig kbservice kbreport kbmsg kbuser kbsettings kblogin kberrmsg kbprb KB842421