You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service

Symptoms

On a computer that is running Microsoft SQL Server 2000 Reporting Services, if you change the user account that you use to run the Report Server service, and then you restart the Report Server service, you may notice a behavior that is similar to the following:
  • If you change the user account that is used to run the Report Server Windows service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing 
    crypto as user: DomainName \ UserName
    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Exporting
    public key
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Performing
    sku validation
    ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing
    existing encryption key
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing
    Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
    The report server cannot decrypt the symmetric key used to access sensitive or
    encrypted data in a report server database. You must either restore a backup key
    or delete all encrypted content and then restart the service. Check the
    documentation for more information., ; Info:
    Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
    The report server cannot decrypt the symmetric key used to access sensitive or
    encrypted data in a report server database. You must either restore a backup
    key or delete all encrypted content and then restart the service. Check the
    documentation for more information. --->
    System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
    at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode,
    IntPtr errorInfo)
    at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
    at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
    --- End of inner exception stack trace ---
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught
    while starting service. Error:
    Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
    The report server cannot decrypt the symmetric key used to access sensitive or
    encrypted data in a report server database. You must either restore a backup
    key or delete all encrypted content and then restart the service. Check the
    documentation for more information. --->
    System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
    at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode,
    IntPtr errorInfo)
    at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
    at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
    --- End of inner exception stack trace ---
    at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
    at Microsoft.ReportingServices.Library.ConnectionManager.ConnectStorage()
    at Microsoft.ReportingServices.Library.ConnectionManager.VerifyConnection()
    at Microsoft.ReportingServices.Library.ServiceController.ServiceStartThread()
    ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start
    service again...
    Note By default, the Report Server Windows service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServerService_TimeStamp.log file.
  • If you change the user account that is used to run the Report Server Web service, you may receive an error message that is similar to the following in the Reporting Services trace log:
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Initializing crypto as 
    user: UserName
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Exporting public key
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Performing sku validation
    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Importing existing encryption
    key
    aspnet_wp!library!c84!5/21/2004-05:26:15:: e ERROR:
    Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
    The report server cannot decrypt the symmetric key used to access sensitive
    or encrypted data in a report server database. You must either restore a
    backup key or delete all encrypted content and then restart the service.
    Check the documentation for more information., ;
    Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException:
    The report server cannot decrypt the symmetric key used to access sensitive or
    encrypted data in a report server database. You must either restore a backup
    key or delete all encrypted content and then restart the service. Check the
    documentation for more information. --->
    System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
    at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode,
    IntPtr errorInfo)
    at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
    at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
    --- End of inner exception stack trace ---
    aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server
    stopped
    Note By default, the Report Server Web service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServer_TimeStamp.log file.

    Additionally, when you start the Report Manager, you may receive an error message that is similar to the following:

    The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled) Get Online Help
    Bad Data.

Cause

The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.

Resolution

To resolve this problem, you must back up the encrypted keys before you change the user account that is used to run the Report Server Windows service or the Report Server Web service, and then you must apply the keys that were backed up. To do this, on the computer that is running the Reporting Services, follow these steps:
  1. Start the Report Server Windows service and the Report Server Web service by using the user account that the service was running successfully for.
  2. Use the rskeymgmt command-line utility to back up the encryption keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -e -f FileName -p StrongPassword
    Note: Replace FileName and StrongPassword with an appropriate file name and an appropriate password. By default, the rskeymgmt command-line utility is located in the InstallationDrive:\Program Files\Microsoft SQL Server\80\Tools\Binn folder.

    For more information about the rskeymgmt command-line utility, run the following command at the command prompt:
    RSKeyMgmt /?
  3. Use the rskeymgmt command-line utility to remove the reference to the existing keys. To do this, run the following command at the command prompt:
    RSKeyMgmt -r InstallationID
    Note Replace InstallationID with the installation ID that is provided in the InstallationID setting of the RSReportServer.config file. By default, the RSReportServer.config file is stored in the InstallationDrive:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder.
  4. Stop Microsoft Internet Information Services (IIS).
  5. Stop the Report Server Windows service.
  6. Change the user account that is used to run the Report Server Windows service or the Report Server Web service to the user account that you want.
  7. Start IIS.
  8. Start the Report Server Windows service.
  9. Use the rskeymgmt command-line utility to apply the encryption keys that were backed up in step 2. To do this, run the following command at the command prompt:
    RSKeyMgmt -a -f FileName -p StrongPassword
    Note Replace FileName and StrongPassword with the file name and the password that you used to back up the symmetric encryption keys in step 1.

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References

For more information about Reporting Services trace logs, visit the following Microsoft Developer Network (MSDN) Web site:For more information about the RSReportServer.config configuration file, visit the following Microsoft Web site:
Propriedades

ID do Artigo: 842421 - Última Revisão: 29/10/2008 - Revisão: 1

Comentários