Geek Answers Handbook

Report Server Cannot decrypt the symmetric key used to access confidential or encrypted data in the report server database SSRS error

When I try to deploy my SSRS reports on our SQL 2008 R2 server, the following error occurs: "The report server cannot decrypt the symmetric key used to access confidential or encrypted data in the report server database ...". Most solutions on the Internet suggest removing encryption keys and then reconfiguring data sources. I'm still new to SSRS, is there any other solution to fix this problem, thanks

+7
sql-server sql-server-2008 encryption reporting-services ssrs-2008
source share
3 answers

After checking this link, the Microsoft support link seems to be a problem with the information in SSRS reports. And it seems the only way to fix this is to remove the encryption keys.

  • Open Reporting Services configuration tool (Programs-> Microsoft SQL Server 2008 R2 β†’ Configuration Tools β†’ Reporting Services Configuration Manager)
  • Go to Encryption Keys
  • Click "Uninstall."

It solved my problem

+12
source share

I came across this using Microsoft Dynamics CRM 2016 Configuring report extensions after changing the SQL Server Reporting Services account from services.msc. This is because installing a Microsoft Dynamics CRM 2016 report extension requires a non-local service account. https://technet.microsoft.com/en-us/library/hh699754.aspx The key trigger here is probably the root cause discussed in the Haasan question - changing the SQL Server Services service account without supporting the encryption key. Although what he did with the removal of the encryption keys worked, he has flaws in losing this encryption information, and if possible, you should use the steps below to return to the original user of the service account and then change the account services using the steps described below and in the reference article.

The identifier account that starts the instance of Microsoft SQL Server Reporting Services in which Microsoft Reporting Extensions Microsoft Dynamics CRM runs can be a local or virtual account. This is necessary for Microsoft Dynamics CRM reports to work, because the authentication account must be added to the PrivReportingGroup Active Directory security group that is used by Microsoft Dynamics CRM.

The long story here is that when changing the SQL Server Reporting Services account, you need to do this from the SQL Server Report Manager , as you will be asked to back up the symmetric encryption key that Reporting Services SQL Server uses and restores from using the new user of the service account.

The report server service uses a symmetric key to access encrypted data in the report server database. This symmetric key is encrypted using an asymmetric public key that corresponds to the computer and user account that is used to start the report server service. When changing the user account used to start the report server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the report server service cannot use a symmetric key to access data from the report server database.

When you change the service account from SQL Server Reporting Services Report Manager, the following will occur:

Automatically adds a new account to the report server group created on the local computer. This group is specified in access control lists (ACLs) that protect Reporting Services files. Automatically updates login permissions on the instance of SQL Server Database Engine, which is used to host the report server database. A new account will be added to RSExecRole. Logging into the database for the old account will not be deleted automatically. Be sure to delete accounts that are no longer in use. For more information, see Report Server Database Administration (SSRS Native Mode) in SQL Server Books Online. Granting database permissions for the new service account occurs only if you configured the connection of the report server database to use the service account in the first place. If you have configured a report server database connection to use a domain user account or to log on to a SQL Server database, the connection information is not affected by the service account update. Automatically updates the encryption key to include the profile information of the new account.

If, as in my scenario, you know what was the previous user of the service account, the fix is ​​to change the SQL Server Reporting Service account user back to the original account, and then use the SQL Server Reporting Services Report Manager to change account and provide backup of the encryption key, because this process automates the recovery of the encryption key when installing a new user account service.

Links: https://msdn.microsoft.com/en-us/library/ms160340.aspx - setting up the report server service account (SSRS configuration manager)

https://support.microsoft.com/en-us/kb/842421 - an error message appears in the Reporting Services trace log when the Report Server service restarts after changing the user account that is used to start the Report Server service (this is an old article in KB, but the general problem and resolution still applies to new versions of SQL Reporting Services)

+1
source share

Hope this can save some time if key removal is not an option.

I encountered this problem after moving ReportServer and ReportServerTempDB from a production server to another environment that works with Reporting Services. Removing the encryption keys was not possible, and I knew the password used to create the encryption key, so I took a backup of the key from the production server and restored it using the Reporting Services configuration manager in the new environment. The page refreshed and the error disappeared.

0
source share

More articles:


All Articles