Configure Reporting Services to use a Subject Alternative Name (SAN)
Applies to: ✅ SQL Server 2016 (13.x) Reporting Services and later ✅ Power BI Report Server
This article explains how to configure Reporting Services (SSRS) and Power BI Report Server to use a Subject Alternative Name (SAN), by modifying the rsreportserver.config file and using the Netsh.exe tool.
The instructions apply to the Web Service URL and the Web Portal URL in the Report Server Configuration Manager tool.
To use a SAN, the TLS/SSL certificate must be registered on the server, signed, and have the private key. You can't use a self-signed certificate.
URLs in Reporting Services and Power BI Report Server can be configured to use a TLS/SSL certificate. A certificate normally has just a subject name, which allows only one URL for a Transport Layer Security (TLS), previously known as Secure Sockets Layer (SSL), session. The SAN is another field in the certificate that allows a TLS service to listen for many URLs, and to share the TLS port with other applications. For example, a SAN could look something like www.myreports.com
.
For more information about TLS settings for Reporting Services, see Configure TLS Connections on a Native Mode Report Server.
Configure to use a Subject Alternative Name for Web Service URL
Start Report Server Configuration Manager.
For more information, see Report Server Configuration Manager (Native Mode).
On the Web Service URL page, select a TLS/SSL port and TLS/SSL Certificate.
The configuration manager registers the TLS/SSL certificate for the port.
Open the rsreportserver.config file.
For SSRS 2016 Native mode, the file is located by default in the following folder:
\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer
For SSRS 2017 and later, the file is located by default in the following folder:
\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer
For Power BI Report Server, the file is located by default in the following folder:
\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer
Copy the URL section for the ReportServerWebService application.
For example, the following original URL section is:
<URL> <UrlString>https://+:443</UrlString> <AccountSid>S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051</AccountSid> <AccountName>NT Service\ReportServer</AccountName> </URL>
The following modified URL section is:
<URL> <UrlString>https://+:443</UrlString> <AccountSid>S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051</AccountSid> <AccountName>NT Service\ReportServer</AccountName> </URL> <URL> <UrlString>https://www.myreports.com:443</UrlString> <AccountSid>S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051/AccountSid> <AccountName>NT Service\ReportServer</AccountName> </URL>
Tip
- For SSRS 2017 and later, the
AccountSid
value isS-1-5-80-4050220999-2730734961-1537482082-519850261-379003301
and theAccountName
value isNT SERVICE\SQLServerReportingServices
. - For Power BI Report Server, the
AccountSid
value isS-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663
and theAccountName
value isNT SERVICE\PowerBIReportServer
.
- For SSRS 2017 and later, the
Repeat this process for the ReportServerWebApp URL section.
Save the rsreportserver.config file.
Start a command prompt using Run as Administrator.
Show the existing urlacls by entering the following example:
Netsh http show urlacl
An entry such as the following example appears.
Reserved URL : https://+:443/ReportServer/ User: NT SERVICE\ReportServer Listen: Yes Delegate: No SDDL: D:(A;;GX;;;S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051)
An urlacl is a DACL (Discretionary Access Control List) for a reserved URL.
Create a new entry for the Subject Alternative Name, with the same user and SDDL as the existing entry, by entering the following example:
netsh http add urlacl url=https://www.myreports.com:443/ReportServer user="NT Service\ReportServer" sddl=D:(A;;GX;;;S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051)
Tip
If you copy the code to Notepad to edit, rather than entering it manually, remove the CRLF before pasting the code into the command prompt.
For the Web Portal URL, create a new entry for the Subject Alternative Name by entering the following:
netsh http add urlacl url=https://www.myreports.com:443/Reports user="NT Service\ReportServer" sddl=D:(A;;GX;;;S-1-5-80-2885764129-887777008-271615777-1616004480-2722851051)
Tip
- For SSRS 2017 and later, the
user
value isNT SERVICE\SQLServerReportingServices
and thesddl
value isD:(A;;GX;;;S-1-5-80-4050220999-2730734961-1537482082-519850261-379003301)
. - For Power BI Report Server, the
user
value isNT SERVICE\PowerBIReportServer
and thesddl
value isS-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663
Note
For Power BI Report Server, you need to create two additional entries for the Subject Alternative Name by entering the following:
add urlacl url=https://www.myreports.com:443/PowerBI user="NT SERVICE\PowerBIReportServer" sddl=D:(A;;GX;;;S-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663)
add urlacl url=https://www.myreports.com:443/wopi user="NT SERVICE\PowerBIReportServer" sddl=D:(A;;GX;;;S-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663)
- For SSRS 2017 and later, the
On the Report Server Status page of the Report Server Configuration Manager, select Stop and then choose Start to restart the report server.
Related content
RsReportServer.config configuration file
Report Server Configuration Manager
Modify a Reporting Services configuration file
Configure report server URLs
More questions? Try asking the Reporting Services forum
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for