How to troubleshoot IIS configuration issues in SQL Server 2005 Reporting Services
This article is written mainly to help you diagnose IIS 6.0 configuration issues under Reporting Services native mode. This article also usually applies to IIS 5.0 and to IIS 7.0. However, certain diagnostic steps may be written only for IIS 6.0, such as the steps to verify Microsoft ASP.NET installation by using IIS Manager.This article also discusses some common configuration problems with authentication, with ASP.NET, and with Internet Explorer.
1 General approachIIS configuration issues usually appear as a failure to connect to or to execute Report Server or Report Manager. To successfully diagnose these configuration issues, you must review the architecture of Reporting Services and the way that Reporting Services is integrated with IIS. This article tries to identify common IIS configuration problems that may cause failure in Reporting Services. Some non-IIS issues are also discussed.
1.1 Request flowAn HTTP request from a user travels through many layers. Knowing which layer failed the request can help you determine the nature of the failure. The following diagram is a simplified diagram of the flow of a request:
Reporting Services installs one virtual directory for Report Server and one virtual directory for Report Manager. The default virtual directory name for Report Server is “reportserver.” The default virtual directory name for Report Manager is “reports.”
Typically, you start to diagnose Reporting Services problems by sending a request to the Report Server root directory in Internet Explorer. By default, the URL is http://<server>/reportserver. If Report Server is working, you can then use Internet Explorer to send a request to http://<server>/reports. If you have configured Report Server to use Secure Sockets Layer (SSL), you must first make sure that the server can run in non-SSL mode. If you have configured a scale-out deployment, you must first make sure that Report Server can run on individual nodes. Diagnosing problems in this order helps you isolate the problems faster.
1.2 Common symptomsThis section lists the common symptoms that occur when requests fail in a certain layer. This section also tells you where to look for error messages.
1.2.1 FirewallIf you access Report Server from a remote client computer, verify that the firewall does not block the request. A blocked request is logged in the firewall log.
For more information about how to find the firewall log, click the following article number to view the article in the Microsoft Knowledge Base:
1.2.2 HTTP.sysIIS 6.0 that is not running in IIS 5.0 isolation mode and IIS 7.0 use the HTTP kernel-mode driver (HTTP.sys) to perform HTTP network input/output. The HTTP service is started automatically. You do not have to perform manual configuration. If Reporting Services is configured to use SSL, you must make sure that the HTTP SSL service is started.
The HTTP.sys process can return an error to the client even if IIS is not involved. This can occur when the URL is malformed, or when the IIS Web site identity is configured incorrectly. The errors are logged in the HTTP.sys error log.
For more information about the HTTP.sys error log files, visit the following Microsoft Web site:
1.2.3 IIS and application poolsBefore you examine the IIS configuration, you must make sure that the IIS Admin service and the application pool are running. Also, you must verify that the Web site identity is correct. You must be careful with the Web site identity if the Web site that is hosting Report Services is not the default Web site, or if you do not specify “All Unassigned” for the Web site identity. If you configured Report Server and Report Manager on different Web sites, try to configure Report Server and Report Manager on the same Web site. If other applications share the same Web site with Reporting Services, try to configure the Report Services virtual directories on a new Web site. If you have third-party ISAPI extensions or filters, try to remove the third-party ISAPI extensions or filters.
If multiple configuration issues occur with IIS, you can reinstall IIS. When you do this, you must reconfigure ASP.NET and the Report Services virtual directories.
For more information about the IIS log file location, click the following article number to view the article in the Microsoft Knowledge Base:
1.2.4 ASP.NETAn error message in Internet Explorer can indicate that a problem occurs in ASP.NET. If you have previously uninstalled IIS or ASP.NET on the computer, you must validate ASP.NET configuration settings. You can fix most ASP.NET configuration problems by using the aspnet_regiis.exe file to reregister ASP.NET in IIS. For more information about ASP.NET validation, see Section 4 of this article.
You can use a simple .aspx page to perform a sanity check of the IIS and ASP.NET configuration. To do this, follow these steps:
- Create a new virtual directory on the Web site that hosts the Reporting Services virtual directories.
- Grant Read permission and Execute permission to the virtual directory.
- Deploy a simple .aspx page to the virtual directory.
1.2.5 Report Server virtual directoriesIf Reporting Services virtual directories were not configured by using the Reporting Services Windows Management Instrumentation (WMI) provider or the Reporting Services configuration tool, you must follow the instructions in Section 4.1 to verify the settings of the virtual directories. If multiple configuration issues occur, you can re-create the virtual directories by using WMI or by using the Reporting Services configuration tool.
To resolve problems, first verify and fix the Report Server virtual directory. Then, when Report Server is working, you can examine and fix the Report Manager virtual directory. When Report Manager cannot communicate with Report Server, the error is usually logged in the Reporting Services log files.
For more information about Reporting Services trace logs, visit the following MSDN Web site:
System.Net.WebException: The request failed with <some error>
For more information, visit the following Web site:
2 Web site configuration issues
2.1 Web site identity issuesIf an error message indicates that Internet Explorer cannot reach Report Server or Report Manager, you must validate the Web site settings for Reporting Services. The following are some error messages that you may receive.
In Report Manager, you receive the following error message:
If the URL is specified by an IP address, verify the following:
- Make sure that the IP address resolves to the computer that hosts the Reporting Services virtual directories. You can use the ipconfig.exe command to list the network interfaces of a computer.
- Make sure that the Web sites that host Reporting Services use the All Unassigned setting or the IP address that you specified in the Web site identification pane.
- Make sure that the host name resolves to the Reporting Services computer. You can use the ping.exe command to resolve the host name to the IP address. Then, make sure that the IP address resolves to the computer that hosts the Reporting Services virtual directories.
- Make sure that the Web site uses the All Unassigned setting for the Web site identification, or that the Web site specifies a host header that matches the host header in the request. The host header that the request uses is usually the server name that is specified in the URL. In a Network Load Balancing (NLB) scenario, the host header is usually the virtual node name. The host header can also be defined in the Hosts file.
Note IIS 5.0 uses an interface that resembles IIS 6.0 to define Web site identities.
2.2 Issues that occur after you reinstall IISIf you have reinstalled IIS, you may have to reconfigure ASP.NET, Report Server virtual directories, and Report Manager virtual directories.
Information for IIS installationFor more information about how to install IIS 6.0, visit the following Microsoft Web site:
Information about how to rebuild Reporting Services virtual directoriesFor more information, visit the following Microsoft Web sites:
2.3 Issues with ISAPI filtersThird-party ISAPI filters may cause problems on Report Server virtual directories. If third-party ISAPI filters are present, try to remove the filters from the Web site that hosts Reporting Services virtual directories. Or, move Reporting Services virtual directories to a new Web site.
3 Authentication issues
3.1 You must enter credentials in Internet Explorer to access Reporting ServicesWhen Reporting Services is configured to use Windows Integrated authentication, Internet Explorer is usually not configured to prompt for credentials. To determine whether Internet Explorer is configured to always prompt for credentials, follow these steps:
- Open Internet Explorer.
- On the Tools menu, click Internet Options.
- On the Security tab, select the zone that applies to the URL that is used to access Report Server. For example, if you are using a NetBIOS name to access Report Server, select the Local Intranet zone.
- Click Custom Level.
- In the User Authentication area of the Security Settings dialog box, click Automatic logon only in Intranet zone in the Logon area. If your URL is in the intranet zone, you can click Automatic logon with current username and password.
3.2 You receive an HTTP 401 error message after you enter credentials in Internet ExplorerIf you receive an HTTP 401 error message after you have received repeated prompts by Internet Explorer, an authentication failure has occurred. For example, if you install Report Services in native mode, you may be prompted for credentials three times before you receive an HTTP 401 error message in Internet Explorer. When this problem occurs, the IIS log shows "HTTP 401" as the IIS response. To troubleshoot this issue, verify the following:
- Make sure that you entered the correct user name and password.
- Follow the steps in section 3.1 of this article. Make sure that you do not select Anonymous logon in the security settings for your zone.
If you are using FQDN or a custom host header that does not match the computer name, a loopback check problem may occur. When this problem occurs, you can typically access the Reporting Services Web sites by using the IP address. However, you cannot access the Web sites by using an FQDN or a host name.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
3.2.1 Kerberos authenticationWhen the negotiated authentication protocol is Kerberos, you may receive an HTTP 401 error message because of Kerberos authentication issues. The following are some of these issues:
- If your application pool is based on a domain account, you may receive an HTTP 401 error message if the HTTP service principal name (SPN) is not configured. When this problem occurs, you receive the following Kerberos error code: KRB_ERR_APP_MODIFIEDYou may be able to access the server by using the following URL:http://localhost/<reportserver_vdir>However, you cannot access the server by using the following URL:http://<NetBIOS>/<reportserver_vdir>To fix or work around these issues, use one of the following methods:
- Configure the HTTP SPN to enable Kerberos authentication. If you use the NetBIOS name and the FQDN in your URL to access Reporting Services, you must register the HTTP SPN for both the NetBIOS name and for the FQDN. You cannot configure the HTTP SPN for the different accounts on the same computer. Therefore, different application pools must run under the same account to use the same HTTP SPN. For more information, click the following article number to view the article in the Microsoft Knowledge Base:871179 You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
- Change your application pool identity to NetworkServices or to LocalSystem. These accounts can use the built-in HOST SPN instead of the HTTP SPN.
- Force IIS to accept NTLM authentication only. For more information, visit the following Microsoft Web site:
- Configure the HTTP SPN to enable Kerberos authentication. If you use the NetBIOS name and the FQDN in your URL to access Reporting Services, you must register the HTTP SPN for both the NetBIOS name and for the FQDN. You cannot configure the HTTP SPN for the different accounts on the same computer. Therefore, different application pools must run under the same account to use the same HTTP SPN. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
- You receive the following Kerberos error code in the event log:KRB_ERR_RESPONSE_TOO_BIGTo resolve or work around this issue, follow these steps:
- Enable Kerberos logging. For more information, click the following article number to view the article in the Microsoft Knowledge Base:262177 How to enable Kerberos event logging
- Examine the log. If you see the KRB_ERR_RESPONSE_TOO_BIG error code, see the following Microsoft Knowledge Base article for a workaround for this problem: 244474 How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000
- Enable Kerberos logging. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
3.2.2 Basic authenticationIf Reporting Services is configured to use Basic authentication, an authentication failure is logged in the security event log on the server that is running IIS. View the error message. If the local security policy does not allow the authentication, you must either allow that logon type inside the local security policy, or change the logon type inside the IIS configuration.
3.3 You receive an "Access denied" error message in Internet Explorer for IUSR or for another IIS anonymous userIf this error message occurs unexpectedly, determine whether anonymous security is enabled on Reporting Services virtual directories. If this setting is enabled, disable it.
3.4 Kerberos delegation issues occurThese issues are usually known as “double hop” issues. Kerberos delegation issues may occur when the following conditions are true:
- You configured integrated security for the data sources in your report.
- Your report accesses a remote server for a data source. For example, your report accesses Analysis Services or a Microsoft SQL Server database server.
- When you access the report, you receive one of the following error messages:
Error message 1Login failed for user (null)Error message 2Login failed for user "NTAUTHORITY\ANONYMOUS"
- When you check the security event log on the server that hosts the data source, you see events that indicate that an anonymous user was logging on.
For more information, visit the following Microsoft Web sites or KB articles:For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
- Configure stored credentials for your data source.
- Configure Reporting Services to use Basic authentication. The default logon method is the NetworkClearText method. This method allows for you to make one additional hop from the report server.
4 ASP.NET configuration issues
4.1 General errorsASP.NET configuration issues have various symptoms. For example, one of the following may occur:
- You may receive an HTTP 404 error message.
- You may receive the following error message: Could not load resource Microsoft.ReportingServices.UI.GlobalApp
- You may receive other exception error messages from ASP.NET.
- In IIS Manager, right-click the Web Sites node, and then click Properties. In the Web Sites Properties window, click the ASP.NET tab, and then verify that the ASP.NET version is 2.0.50727.
- In IIS Manager, right-click the Web Sites node, and then click Properties. In the Web Sites Properties window, click the ISAPIFilters tab. Locate and then click the ASP.NET_2.0.50727.0 filter. Verify that the Executable box contains a valid path for the ASP.NET filter .dll file.
Note In IIS 5.1, the filter does not exist.
Note In IIS 7.0, you can see the filter by clicking the ISAPI Filters icon on the properties page of the Web site.
- In IIS Manager, locate and then right-click the virtual directory for Report Server, and then click Properties. In the dialog box, click the Virtual Directory tab, and then click Configuration. Verify that the Application Extensions pane is empty. Verify that the Wildcard Application Maps pane has a single wildcard mapping. Select the wildcard mapping, and then click Edit. Verify that the Execute box contains the correct path for the aspnet_isapi.dll file.Verify that the Verify that file exists check box is not selected.
- In IIS Manager, locate and then right-click the virtual directory for Report Manager, and then click Properties. In the dialog box, click the Virtual Directory tab, and then click Configuration. Verify that the Application Extensions pane contains the default mappings. This is a list of mappings for common ASP.NET file types, such as .aspx and .asax. To regenerate the default mapping, use the following command to create the correct script maps:aspnet_regiis.exe –s <report manager path>Note In IIS 7.0, the mappings are under the Handler Mappings icon.
- In the IIS Web server extensions, make sure that ASP.NET 2.0.50727 is enabled.
- If you are running a 32-bit version of Reporting Services on a 32-bit operating system or on a 64-bit operating system, execute the following command at a command prompt:%SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe -i –enable
- If you are running a 64-bit version of Reporting Services on a 64-bit operating system, execute the following command at a command prompt:%SystemRoot%\Microsoft.NET\Framework64\v2.0.50727\aspnet_regiis.exe -i –enable
4.2 You receive a "The current identity (NT AUTHORITY\NETWORK SERVICE) does not have write access to '<path>\v2.0.50727\Temporary ASP.NET Files'" error messageThe error is caused by an invalid ASP.NET configuration. To resolve the issue, grant Write and Execute permissions to the Temporary ASP.NET Files folder that the error message indicates.
5 SSL issues
5.1 Problems occur with client certificatesIf you configured client certificates on your virtual directories, Report Manager may not authenticate to Report Server. This problem occurs because Report Manager is not designed to pass client certificates when Report Manager communicates with Report Server through HTTP requests. Therefore, if you configure IIS to enable the Require Client Certificates option, you cannot use Report Manager. To work around this problem, you can clear the Require Client Certificates check box for the Report Server virtual directory.
5.2 You receive a “connection forcibly closed” error message or errors that indicate an SSL connection failureIn Internet Explorer, you receive one of the following error messages:
Error message 1
- Make sure that the certificate is issued to the host name or to the host header in the URL that you use to access Report Manager or Report Server.
- Make sure that the certificate is issued to the host name or to the host header in the URL that Report Manager uses to access Report Server.
Note This URL can be defined by the ReportServerUrl element in the RsWebApplication.config file. If this URL is undefined, the host name of this URL is the host name that the client uses to access Report Manager. Because the host name can vary if you use different URLs to access Report Manager, we recommend that you explicitly define the ReportServerUrl element by using the correct host name. For more information, visit the following MSDN Web site:
- Make sure that the certificate trust chain is valid. That is, make sure that the certificate or the issuer of the certificate is trusted.
5.3 Problems occur in the HTTP communication between Report Server and Report ManagerA problem may occur in the HTTP communication between Report Manager and Report Server. When the SSL configuration is invalid, Report Manager can respond to Internet Explorer successfully. However, Report Manager cannot communicate with Report Server. If this issue occurs, Report Manager correctly displays the images on the Report Manager home page. However, Report Manager shows an error in the space where you expect to see folders and report items.
To diagnose these problems, use the .NET Framework tracing. To enable the .NET Framework tracing, add the following code to the Web.config file that is in the Report Manager folder:
<system.diagnostics> <trace autoflush="true" /> <sources> <source name="System.Net" maxdatasize="1024"> <listeners> <add name="MyTraceFile"/> </listeners> </source> <source name="System.Net.Sockets" maxdatasize="1024"> <listeners> <add name="MyTraceFile"/> </listeners> </source> </sources> <sharedListeners> <add name="MyTraceFile" type="System.Diagnostics.TextWriterTraceListener" initializeData="d:\tmp\System.Net.trace.log" /> </sharedListeners> <switches> <add name="System.Net" value="Verbose" /> <add name="System.Net.Sockets" value="Verbose" /> </switches> </system.diagnostics>
Note Depending on the version of Internet Explorer that you are using, the warning can be a pop-up message or a message that appears in Internet Explorer. Or, if you have chosen to ignore warnings before, you may not receive a warning in Internet Explorer.
In Report Manager, you receive the following error message:
Note You may have to perform merging if the Web.config file already contains the <system.diagnostics> element or the <switches> element.
When you receive the same error message, view the log file that you specified in the XML code. In this example, the log file is in the following location:
System.Net Information: 0 :  SecureChannel#63605042 - Remote certificate has errors:System.Net Information: 0 :  SecureChannel#63605042 - Certificate name mismatch.System.Net Information: 0 :  SecureChannel#63605042 - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.System.Net Information: 0 :  SecureChannel#63605042 - Remote certificate was verified as invalid by the user.System.Net.Sockets Verbose: 0 :  Socket#23836999::Dispose()System.Net Error: 0 :  Exception in the HttpWebRequest#44235609:: - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.System.Net Error: 0 :  Exception in the HttpWebRequest#44235609::EndGetResponse - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.Notice that the error message indicates the kind of certificate problem that occurred.
6 Scale-out and load balanced issues
6.1 You receive an HTTP 401 error intermittentlyThe double hop issue that load balancing introduces may cause intermittent HTTP 401 errors. With load balancing, an HTTP request that is sent to the same computer may be routed to the virtual server and then to a different node. This problem occurs intermittently. If the request is routed to the same node, the request succeeds.
To work around this issue, use one of the following methods:
- Change the Hosts file on each node so that requests that go to the virtual node go to the local host instead. For example, you can redirect requests that are destined for the virtual node to an IP address of 127.0.0.1. This operation prevents double hop by restricting the requests from Report Manager to Report Server to the same computer.
- If you have a native Reporting Services installation, configure the <ReportServerUrl> tag to use "localhost" instead of the virtual server.
7 Windows Vista and Windows Server 2008 issuesIf you are installing Reporting Services in Windows Vista or in Windows Server 2008, review the following Knowledge Base articles and MSDN Web site carefully:
You receive an “IIS is either not installed or not configured for server component installation” error message during setupWhen you try to install Reporting Services on Windows Vista or on Windows Server 2008, you receive the following error message, even if IIS is already installed:
8 Home page redirectionWhen you use IIS, you can use Report Manager as the default home page for the Web server. For example, you may want to redirect requests from the http://<server> URL to the http://<server>/reports URL. For information about how to configure redirection to the Report Manager home page, see the "Redirection to the Report Manager Virtual Directory" section of the following MSDN Web site: Note You cannot configure Report Manager directly at the Web site root level. Instead, you must configure redirection to set Report Manager as the default home page for the Web server.
9 Export issues
9.1 An export time-out occursWhen you export a report from Internet Explorer, the download dialog box remains open until a time-out is reported. This issue may occur when you work with some accounts but not other accounts. This issue may occur when you use the Run As option to start Internet Explorer so that you can run Internet Explorer from an account other than the logon account.
This issue may be caused by an incorrect Internet Explorer configuration, especially if the report is small so that the time-out does not occur because of many data transfers. To resolve this problem, follow these steps:
- In Internet Explorer, click Internet Options on the Tools menu.
- In the Internet Options dialog box, click the Advanced tab, and then locate HTTP 1.1 Settings.
- Click to clear the Use HTTP 1.1 check box and the Use HTTP 1.1 through proxy connections check box.
- Click to select the Use HTTP 1.1 check box and the Use HTTP 1.1 through proxy connections check box.
- Restart Internet Explorer.
10 64-bit issues
10.1 You receive an "Attempted to load a 64-bit assembly on a 32-bit platform" error messageWhen you try to run 32-bit worker processes and 64-bit worker processes side by side in IIS 6.0, you receive the following error message:
10.2 Issues occur when IIS and Reporting Services are in 64-bit mode, but IIS is running is 32-bit modeFor more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
11 IIS and virtual directory configuration issues
11.1 The configuration is invalid for the Report Server virtual directories or for the Report Manager virtual directoriesYou receive one of the following error messages:
Error message 1
- Use IIS Manager to remove the existing virtual directories in IIS.
- Use the Reporting Services Configuration Tool or the Reporting Services WMI provider to create new virtual directories.
12 Deploying Reporting Services and Windows SharePoint Services side by sideFor more information about how to deploy Reporting Services and Windows SharePoint Services side by side, visit the following MSDN Web site:
13 Report Builder issues
13.1 You receive an HTTP 401 error when you start Report BuilderIf Report Server uses Basic authentication, you must configure Anonymous authentication for Report Builder. Report Builder is a ClickOnce application. ClickOnce applications cannot handle Basic authentication. For more information, visit the following MSDN Web site:
14 Web.config file parsing issues
14.1 You receive a System.NullReferenceException error message from the Microsoft.ReportingServices.Diagnostics.WebConfigUtil.GetWebConfigAuthenticationAttr methodThis problem may occur when Reporting Services cannot parse the Web.config file. To resolve this issue, do the following:
- Verify that the Web.config file that is in the following folder does not have a namespace:%ProgramFiles%\Microsoft SQL Server\<Instance Name>\Reporting Services\ReportServerIf the Web.config file has a namespace, remove the namespace.
Note The editor that you used to modify the file can add a namespace. To determine if this has occurred, look for the xmlns attribute on the first line of the file.
- Verify that the <authentication> node contains the mode attribute. If the attribute is not present, add the mode attribute to the <authentication> node. Specify an appropriate attribute value.
For example, if you use Windows Integrated authentication, the authenticate mode is most likely set to “Windows.” For more information about ASP.NET authentication modes, see the following MSDN Web sites:
Article ID: 958998 - Last Review: 02/04/2009 03:18:41 - Revision: 1.2
- kbsql2005rs kbexpertiseadvanced kbsurveynew kbinfo KB958998