Configuring a Report Server for Secure Sockets Layer (SSL) Connections

You can configure a report server to use Secure Sockets Layer (SSL) connections to ensure that both incoming requests and outbound responses are encrypted prior to transmission. Both software and hardware solutions are used for SSL encryption and decryption. A software-only solution consists of installing a certificate on a front-end server, where the front-end server both decrypts and processes a request. A hardware solution might include a network appliance that offloads SSL encryption and decryption onto a separate device before forwarding an unencrypted request to a front-end server.

You can use either approach with a report server. The steps for configuring an SSL connection to a report server will vary depending on whether you are using SSL certificate or offloading SSL encryption and decryption to a separate device.

For more information about SSL, see Using SSL to Encrypt Confidential Data on the Microsoft TechNet Web site.

Using an SSL Certificate on Report Server

You can install an SSL certificate on the report server computer to decrypt and process requests locally, and then configure the report server to use it. For instructions on how to request, install, and assign a certificate to a Web site, see How to Implement SSL in IIS.

To configure a report server to work with secure connections, you must do the following:

• Use the Reporting Services Configuration tool to detect the certificate, set a connection level for secure connections, and specify the certificate name.
• Edit the RSReportServer.config file to set the UrlRoot configuration setting. Reporting Services uses the UrlRoot configuration setting to construct links in e-mail messages that resolve to reports on a report server. When you deploy a report server on a computer that uses secure connections, you must update the UrlRoot value to specify an HTTPS prefix. You must modify the UrlRoot configuration setting manually; the Reporting Services Configuration tool does not update the setting for you.

To assign a certificate to a report server virtual directory

1. Point to Start, point to Programs, point to Microsoft SQL Server 2005, point to Configuration Tools, and click Reporting Services Configuration.
2. Connect to the report server instance.
3. Click Report Server Virtual Directory.
4. Select the Require Secure Sockets Layer (SSL) connection check box.
5. Select level 3. This option sets SecureConnectionLevel to 3, requiring that all SOAP calls to the report server use an encrypted channel.
6. Enter the name of the certificate. The certificate name must correspond to the name of the computer for which the certificate is issued. If the front-end server is accessed through its network computer name, the certificate name is the NetBIOS name of the computer. If the front-end server is accessed over an Internet connection, the certificate name is the fully qualified domain name of the server (for example, https://www.adventure-works.com/productinfo).
7. Click Apply.

Edit UrlRoot in the RSReportServer.config File

If you are using the report server e-mail delivery extension, you can create subscriptions that included a report URL in the e-mail message. To construct the report URL, the report server uses the UrlRoot configuration setting in the RSReportServer.config file. If the report runs on a report server that is accessed through an SSL connection, you must manually edit the UrlRoot to use the https:// prefix.

If you are using a server certificate, the format of the URL is as follows:

<UrlRoot>https://certificatename/reportservervirtualdirectoryname</UrlRoot>

Where certificatename is the name of the computer for which the certificate is registered, and reportservervirtualdirectoryname is the name of the virtual directory used to access the report server endpoint.

When editing RSReportServer.config, be sure to specify the same values that you entered in the Reporting Services Configuration tool. For example, if you specified the certificate name as https://www.adventure-works.com/productinfo and the report server virtual directory as reportserver, the value for UrlRoot must be https://www.adventure-works.com/productinfo/reportserver.

Using SSL Offloading

If you are using SSL offloading, the procedures for enabling SSL connections on the report server are slightly different. In this case, you must set SecureConnectionLevel to 0. This is the default value. If you are using SQL Server 2005 and the Reporting Services Configuration tool, you can set the value to 0 by not selecting the Require Secure Sockets Layer (SSL) connection check box on the Report Server Virtual Directory page. Otherwise, you must edit the RSReportServer.config file to modify the value.

If you are using SQL Server 2000 Reporting Services with Service Pack 2 (SP2), you configure the SSL offloading device to add the FRONT-END-HTTPS:ON to the header to the HTTP request before sending it to the report server. In response to this request header, the report server will generate embedded URLs that are prefixed with HTTPS. Instructions for configuring SSL offloading for SQL Server 2000 Reporting Services are provided in this topic.

To configure SQL Server 2005 Reporting Services for SSL offloading

1. Configure the device to translate HTTPS requests into HTTP requests, and HTTP responses into HTTPS responses.
2. Configure the report server to use SSL in links using the UrlRoot property in the RSReportServer.config file. If you are using report server e-mail subscriptions, the report server can include a report URL in the e-mail message. The URL is the fully qualified report server URL, constructed using the UrlRoot setting in the RSReportServer.config file. Be sure to include the https:// prefix if the report request goes directly to the report server, bypassing the SSL offloading device that does URL translation.
3. If you have modified the configuration settings in the past, verify that the SecureConnectionLevel is set to 0 in the RSReportServer.config file.

To configure SQL Server 2000 Reporting Services SP2 for SSL offloading

1. Configure the device to preserve the HOST request header.
2. Configure the device to add the FRONT-END-HTTPS:ON to the request header.
3. Configure the device to translate HTTPS requests into HTTP requests, and HTTP responses into HTTPS responses.
4. Configure Report Manager to use the ReportServerVirtualDirectory property in the RSWebApplication.config file. For more information, see Configuring Report Server Virtual Directories.
5. Configure the report server to use SSL in links using the UrlRoot property in the RSReportServer.config file. For details, see the section "Edit UrlRoot in the RSReportServer.config File" in this topic.
6. Configure report server so that it does not attempt to detect a local SSL certificate by setting the SecureConnectionLevel to 0 in the RSReportServer.config file.

SSL Requirements for a Report Server in SharePoint Integrated Mode

If you plan to run an SSL-enabled report server in SharePoint integrated mode, you must configure the SharePoint Web application to also use SSL.

Requiring SSL on the SharePoint Web application is necessary because all report server requests that originate from the application pages in a SharePoint site are sent to a report server through a Reporting Services URL proxy endpoint that runs within the SharePoint Web application. Although the proxy endpoint runs within the SharePoint Web application, it obtains encryption requirements from the report server. The endpoint must use SSL whenever its associated report server requires SSL. By configuring the SharePoint Web application to use SSL, you enable the endpoint to use SSL.

Use the following guidelines to configure the servers for SSL connections:

1. Install and configure certificates on both servers. For more information, see How to implement SSL in IIS.
2. Using IIS Manager, assign ports and select the Require secure channel (SSL) check box on the Web sites used to access the SharePoint Web application and the report server. Be sure to assign a unique port number if the default port, 443, is used by another Web application on the same server.
3. When configuring report server integration in Central Administration, specify the report server URL in this format: https://<SSLCertifcateName>:<SSLport>/reportserver. For more information, see How to: Configure the Report Server Integration Feature in SharePoint Central Administration.

Troubleshooting SSL Connection Issues

The following tips can help you resolve SSL connection errors.

For intranet connections, ensure that the certificate name and UrlRoot match the NetBIOS name of the computer.

If you get a download error when exporting a report, verify that the problem is not cached headers. For more information, see Internet Explorer file downloads over SSL do not work with the cache control headers.

See Also

Tasks

How to: Start Reporting Services Configuration

Concepts

Deployment Modes for Reporting Services
Configuring Authentication for Reporting Services
Configuring Reporting Services Components
RSReportServer Configuration File
Configuring Report Server Virtual Directories

Help and Information

Getting SQL Server 2005 Assistance