Discussion:
Could not establish trust relationship with remote server.
(too old to reply)
vbchewie
2007-09-26 23:48:00 UTC
Permalink
I am trying to setup SQL Server 2000 Reporting services with an SSL
connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
have tried setting up Certificates from both and Stand-Alone and Enterprise
CA. I have tried several combinations of the Issue To name (server |
server.company | server.company.local) I have modified the
rsWebApplication.config and rsReportServer.config to match the certificate’s
Issue to exactly. I have tried installs with both Domain Accounts and NT
AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
to work but I have had no luck with the report manager
https://server/reports. How do I fix this error?

Thankyou
Chris Alton [MS]
2007-09-28 15:48:01 UTC
Permalink
The most likely reason this is failing is that your Report Server does not
trust the Root Certificate Authority that created the certificate you are
using.

If you go to https://machine/ReportServer and IE says "this certificate is
not valid are you sure you want to accept it?" then you will know that the
certificate is not 100% trusted and that is why you are receiving the error.

You will need to export the Trusted Root Authority certificate from the
issuing server and import it on the Report Server.
--
SQL Server Developer Support Engineer
Post by vbchewie
I am trying to setup SQL Server 2000 Reporting services with an SSL
connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
have tried setting up Certificates from both and Stand-Alone and Enterprise
CA. I have tried several combinations of the Issue To name (server |
server.company | server.company.local) I have modified the
rsWebApplication.config and rsReportServer.config to match the certificate’s
Issue to exactly. I have tried installs with both Domain Accounts and NT
AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
to work but I have had no luck with the report manager
https://server/reports. How do I fix this error?
Thankyou
vbchewie
2007-10-01 16:19:04 UTC
Permalink
I went to the stand alone root certificate authority and exported the
certificate for that server. I then imported it into both the SQL Server and
Reporting Server. Now when I type the FQDN
(https://machine.domain.local/Reports ) I no longer get a certificate error,
but I do still get “The underlying connection was closed: Could not establish
trust relationship with remote server.”

Is there something else I can do? Does it have to be an Enterprise Root
Certificate Authority in order to work?

Thank You.
Post by Chris Alton [MS]
The most likely reason this is failing is that your Report Server does not
trust the Root Certificate Authority that created the certificate you are
using.
If you go to https://machine/ReportServer and IE says "this certificate is
not valid are you sure you want to accept it?" then you will know that the
certificate is not 100% trusted and that is why you are receiving the error.
You will need to export the Trusted Root Authority certificate from the
issuing server and import it on the Report Server.
--
SQL Server Developer Support Engineer
Post by vbchewie
I am trying to setup SQL Server 2000 Reporting services with an SSL
connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
have tried setting up Certificates from both and Stand-Alone and Enterprise
CA. I have tried several combinations of the Issue To name (server |
server.company | server.company.local) I have modified the
rsWebApplication.config and rsReportServer.config to match the certificate’s
Issue to exactly. I have tried installs with both Domain Accounts and NT
AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
to work but I have had no luck with the report manager
https://server/reports. How do I fix this error?
Thankyou
Chris Alton [MSFT]
2007-10-01 22:14:56 UTC
Permalink
You also need to make sure that the SSL certificate you are using matches
the machine name you are accessing it by EXACTLY. You will also need to
make sure that in the Reporting Services configuration tool that you have
checked the "Require Secure Socket Layer (SSL) Connections" and put the
same name you are accessing the server by in the "Certificate Name" field.

So in your example you would put "machine.domain.local" in the Certificate
Field and the certificate should be issued to "machine.domain.local".

The easiest way to tell if the certificate is valid is to open up
https://machine.domain.local/ReportServer from the web server and if IE
complains about the certificate at all then it will not work.

-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
vbchewie
2007-10-01 23:47:02 UTC
Permalink
In RSReportServer.config I have my "SecureConnectionLevel" Value="3" and my
<UrlRoot>https://machine.domain.local/ReportServer</UrlRoot>
in RSWebApplication.config
I have
<ReportServerUrl>https://machine.domain.local/ReportServer</ReportServerUrl>

When I go to IIS on the Reporting Server and right click on Default Web Site
Properties > Directory Security.
And click on 'View Certificate...' it says Issued to: machine.domain.local I
also checked the friendly name it also has machine.domain.local.
When I click 'Edit...' under 'Secure communications' both Require secure
channel(SSL) and Require 128-bit encryption are checked.
When I click 'Edit...' Under 'Authentication and access control' Enable
anonymous access is unchecked.
The same is true for my Virtual Directories 'Reports' and ReportServer'

When I go to https://machine/domain.local/Reports there are no certificate
errors. It goes straight though to a page that says
"The underlying connection was closed: Could not establish trust
relationship with remote server."

You mentioned Reporting Services Configuration Tool. This is Reporting
Services for SQL Server 2000. Is there a Reporting Services Configuration
Tool for this version? I thought that was for 2005.

I’m not sure what I am missing. Any other ideas?

Thank you
You also need to make sure that the SSL certificate you are using matches
the machine name you are accessing it by EXACTLY. You will also need to
make sure that in the Reporting Services configuration tool that you have
checked the "Require Secure Socket Layer (SSL) Connections" and put the
same name you are accessing the server by in the "Certificate Name" field.
So in your example you would put "machine.domain.local" in the Certificate
Field and the certificate should be issued to "machine.domain.local".
The easiest way to tell if the certificate is valid is to open up
https://machine.domain.local/ReportServer from the web server and if IE
complains about the certificate at all then it will not work.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
Chris Alton [MSFT]
2007-10-02 13:12:13 UTC
Permalink
I didn't know you were using SQL 2000. The only thing I can think of is
that you need to install the Root CA Certificate in the Certificate Store
of the Machine account. What account do you have the SRS Windows Service
and the IIS Application Pool running under?

If it is LocalSystem or Network Service you can install the certificate by
following these steps:

a. Click Start->Run
b. Type mmc and hit enter.
c. Click File->Add/Remove Snap-in
d. Click the "Add" button.
e. Select "Certificates" from the list
f. Click the "Add" button.
g. Click the "Computer Account" radio button.
h. Click "Next"
i. Make sure "Local Computer" is selected and click "Finish"
j. Click "Close"
k. Click "Ok"
l. Branch down on Certificates.
m. Right click Trusted Root Certification Authorities->All
Tasks->Import...
n. Click "Next" and browse to the certificate you are importing.
o. Click "Next" and make sure the "Place all certificates in the
following store" is selected and "Trusted Root Certification Authorities"
is listed in the "Certificate Store" box. If not browse to it by clicking
the "Browse" button.
p. Click "Next" and then click "Finish"
q. The Trusted Root Authority Certificate should now be imported and
available to web application/service.

Hopefully that should get it now.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
vbchewie
2007-10-02 21:18:01 UTC
Permalink
It works!!!
SRS is running under a domain\account. In order to get Kerberos to function
properly I used setspn to allow the domain\account to use the http service.
So I am not running under LocalSystem or Network Service.
I logged into the computer with the domain\account that is running both the
SRS Service and the ReportingServices Application Pool. I followed your
directions exactly with only one variation. Instead of picking "Computer
Account" at g. I chose "My Account". It looks like it is working now.

To recap for anyone else that runs into this issue:
SQL Server 2000 is on machine1
SharePoint and Reporting Services are on machine2 and are running under a
domain\account (very limited rights).
SSL Certificate was issued from a Stand-Alone Root Certificate Authority.

Thank you very much for your help,
Post by Chris Alton [MSFT]
I didn't know you were using SQL 2000. The only thing I can think of is
that you need to install the Root CA Certificate in the Certificate Store
of the Machine account. What account do you have the SRS Windows Service
and the IIS Application Pool running under?
If it is LocalSystem or Network Service you can install the certificate by
a. Click Start->Run
b. Type mmc and hit enter.
c. Click File->Add/Remove Snap-in
d. Click the "Add" button.
e. Select "Certificates" from the list
f. Click the "Add" button.
g. Click the "Computer Account" radio button.
h. Click "Next"
i. Make sure "Local Computer" is selected and click "Finish"
j. Click "Close"
k. Click "Ok"
l. Branch down on Certificates.
m. Right click Trusted Root Certification Authorities->All
Tasks->Import...
n. Click "Next" and browse to the certificate you are importing.
o. Click "Next" and make sure the "Place all certificates in the
following store" is selected and "Trusted Root Certification Authorities"
is listed in the "Certificate Store" box. If not browse to it by clicking
the "Browse" button.
p. Click "Next" and then click "Finish"
q. The Trusted Root Authority Certificate should now be imported and
available to web application/service.
Hopefully that should get it now.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
Chris Alton [MSFT]
2007-10-04 13:15:24 UTC
Permalink
If the Windows Service and Application Pool all run under a domain account
then you really don't have to go through all those convoluted steps to
import the cert. That is only if you are using LocalSystem/Network Service
since those are considered the "Machine" account.

If you can log on to the account in an interactive session all you really
have to do to import the certificate is logon and then double click the
cer file and follow the prompts :)

Glad its working for you now though, those SSL issues with SRS can be quite
complicated sometimes.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
Thread-Topic: Could not establish trust relationship with remote server.
Subject: RE: Could not establish trust relationship with remote server.
Date: Tue, 2 Oct 2007 14:18:01 -0700
It works!!!
SRS is running under a domain\account. In order to get Kerberos to function
properly I used setspn to allow the domain\account to use the http service.
So I am not running under LocalSystem or Network Service.
I logged into the computer with the domain\account that is running both the
SRS Service and the ReportingServices Application Pool. I followed your
directions exactly with only one variation. Instead of picking "Computer
Account" at g. I chose "My Account". It looks like it is working now.
SQL Server 2000 is on machine1
SharePoint and Reporting Services are on machine2 and are running under a
domain\account (very limited rights).
SSL Certificate was issued from a Stand-Alone Root Certificate Authority.
Thank you very much for your help,
Post by Chris Alton [MSFT]
I didn't know you were using SQL 2000. The only thing I can think of is
that you need to install the Root CA Certificate in the Certificate Store
of the Machine account. What account do you have the SRS Windows Service
and the IIS Application Pool running under?
If it is LocalSystem or Network Service you can install the certificate by
a. Click Start->Run
b. Type mmc and hit enter.
c. Click File->Add/Remove Snap-in
d. Click the "Add" button.
e. Select "Certificates" from the list
f. Click the "Add" button.
g. Click the "Computer Account" radio button.
h. Click "Next"
i. Make sure "Local Computer" is selected and click "Finish"
j. Click "Close"
k. Click "Ok"
l. Branch down on Certificates.
m. Right click Trusted Root Certification Authorities->All
Tasks->Import...
n. Click "Next" and browse to the certificate you are importing.
o. Click "Next" and make sure the "Place all certificates in the
following store" is selected and "Trusted Root Certification
Authorities"
Post by Chris Alton [MSFT]
is listed in the "Certificate Store" box. If not browse to it by clicking
the "Browse" button.
p. Click "Next" and then click "Finish"
q. The Trusted Root Authority Certificate should now be imported and
available to web application/service.
Hopefully that should get it now.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
John
2011-10-15 04:46:27 UTC
Permalink
I had the same problem, and followed instruction here, it didn't work. Any other suggestions? Thanks
Post by vbchewie
I am trying to setup SQL Server 2000 Reporting services with an SSL
connection. The SQL Server (Windows Server 2003 SP2 Standard) and Reporting
Server (Windows Server 2003 R2 SP2 Standard) are on separate machines. I
have tried setting up Certificates from both and Stand-Alone and Enterprise
CA. I have tried several combinations of the Issue To name (server |
server.company | server.company.local) I have modified the
rsWebApplication.config and rsReportServer.config to match the certificate’s
Issue to exactly. I have tried installs with both Domain Accounts and NT
AUTHORITY\SYSTEM logins. I have managed to get https://server/ReportServer
to work but I have had no luck with the report manager
https://server/reports. How do I fix this error?
Thankyou
Post by Chris Alton [MS]
The most likely reason this is failing is that your Report Server does not
trust the Root Certificate Authority that created the certificate you are
using.
If you go to https://machine/ReportServer and IE says "this certificate is
not valid are you sure you want to accept it?" then you will know that the
certificate is not 100% trusted and that is why you are receiving the error.
You will need to export the Trusted Root Authority certificate from the
issuing server and import it on the Report Server.
--
SQL Server Developer Support Engineer
Post by vbchewie
I went to the stand alone root certificate authority and exported the
certificate for that server. I then imported it into both the SQL Server and
Reporting Server. Now when I type the FQDN
(https://machine.domain.local/Reports ) I no longer get a certificate error,
but I do still get “The underlying connection was closed: Could not establish
trust relationship with remote server.”
Is there something else I can do? Does it have to be an Enterprise Root
Certificate Authority in order to work?
Thank You.
Post by Chris Alton [MSFT]
You also need to make sure that the SSL certificate you are using matches
the machine name you are accessing it by EXACTLY. You will also need to
make sure that in the Reporting Services configuration tool that you have
checked the "Require Secure Socket Layer (SSL) Connections" and put the
same name you are accessing the server by in the "Certificate Name" field.
So in your example you would put "machine.domain.local" in the Certificate
Field and the certificate should be issued to "machine.domain.local".
The easiest way to tell if the certificate is valid is to open up
https://machine.domain.local/ReportServer from the web server and if IE
complains about the certificate at all then it will not work.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by vbchewie
In RSReportServer.config I have my "SecureConnectionLevel" Value="3" and my
<UrlRoot>https://machine.domain.local/ReportServer</UrlRoot>
in RSWebApplication.config
I have
<ReportServerUrl>https://machine.domain.local/ReportServer</ReportServerUrl>
When I go to IIS on the Reporting Server and right click on Default Web Site
And click on 'View Certificate...' it says Issued to: machine.domain.local I
also checked the friendly name it also has machine.domain.local.
When I click 'Edit...' under 'Secure communications' both Require secure
channel(SSL) and Require 128-bit encryption are checked.
When I click 'Edit...' Under 'Authentication and access control' Enable
anonymous access is unchecked.
The same is true for my Virtual Directories 'Reports' and ReportServer'
When I go to https://machine/domain.local/Reports there are no certificate
errors. It goes straight though to a page that says
"The underlying connection was closed: Could not establish trust
relationship with remote server."
You mentioned Reporting Services Configuration Tool. This is Reporting
Services for SQL Server 2000. Is there a Reporting Services Configuration
Tool for this version? I thought that was for 2005.
I’m not sure what I am missing. Any other ideas?
Thank you
Post by Chris Alton [MSFT]
I didn't know you were using SQL 2000. The only thing I can think of is
that you need to install the Root CA Certificate in the Certificate Store
of the Machine account. What account do you have the SRS Windows Service
and the IIS Application Pool running under?
If it is LocalSystem or Network Service you can install the certificate by
a. Click Start->Run
b. Type mmc and hit enter.
c. Click File->Add/Remove Snap-in
d. Click the "Add" button.
e. Select "Certificates" from the list
f. Click the "Add" button.
g. Click the "Computer Account" radio button.
h. Click "Next"
i. Make sure "Local Computer" is selected and click "Finish"
j. Click "Close"
k. Click "Ok"
l. Branch down on Certificates.
m. Right click Trusted Root Certification Authorities->All
Tasks->Import...
n. Click "Next" and browse to the certificate you are importing.
o. Click "Next" and make sure the "Place all certificates in the
following store" is selected and "Trusted Root Certification Authorities"
is listed in the "Certificate Store" box. If not browse to it by clicking
the "Browse" button.
p. Click "Next" and then click "Finish"
q. The Trusted Root Authority Certificate should now be imported and
available to web application/service.
Hopefully that should get it now.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
Post by vbchewie
It works!!!
SRS is running under a domain\account. In order to get Kerberos to function
properly I used setspn to allow the domain\account to use the http service.
So I am not running under LocalSystem or Network Service.
I logged into the computer with the domain\account that is running both the
SRS Service and the ReportingServices Application Pool. I followed your
directions exactly with only one variation. Instead of picking "Computer
Account" at g. I chose "My Account". It looks like it is working now.
SQL Server 2000 is on machine1
SharePoint and Reporting Services are on machine2 and are running under a
domain\account (very limited rights).
SSL Certificate was issued from a Stand-Alone Root Certificate Authority.
Thank you very much for your help,
Post by Chris Alton [MSFT]
If the Windows Service and Application Pool all run under a domain account
then you really don't have to go through all those convoluted steps to
import the cert. That is only if you are using LocalSystem/Network Service
since those are considered the "Machine" account.
If you can log on to the account in an interactive session all you really
have to do to import the certificate is logon and then double click the
cer file and follow the prompts :)
Glad its working for you now though, those SSL issues with SRS can be quite
complicated sometimes.
-------------------------------------
Chris Alton, Microsoft Corp.
SQL Server Developer Support Engineer
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
function
service.
the
Store
Service
by
Authorities"
clicking
and
rights.
Continue reading on narkive:
Loading...