SSRS SharePoint Integrated and publish through TMG Problem RRS feed

  • Question

  • Hi,


     I am having problems accessing a report after publshing through TMG. I've configured my SharePoint and Reporting Services environment using Kerberos based on the instructions in regards to What every admin needs to know about AAM - http://sharepoint.microsoft.com/blog/Lists/Posts/Post.aspx?List=72c1c85b-1d2d-4a4a-90de-ca74a7808184&ID=804&Web=fb61b44c-8862-4e1d-875b-898c0ed5f1fc. I have 3 servers - one central admin with Web front end, 1 sql ssrs with sharepoint, and one sql db on the back end.


    so my AAM setting is as follows based on the AAM article.

    default zone: http://sp-internal.dev.com, internet zone: http://sp-external.dev.com (extended zone), internet zone: https://outside.test.com (maps to the extended zone)


    I've been able to hit my report and configure reports in Sharepoint using Kerberos. I can access a report using my default zone web application URL but when i access the report through TMG - I get the message "An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode." Also when i look at the TMG logs to access the report, it is looking for the relative url while browsing in sharePoint. But after clicking on the report, the report tries to browse to the external url instead of the extended url.

    I have TMG doing Kerberos Contrained Delegation and it works great for SharePoint content. Does anyone have any idea as to whether this scenario will work?

    I've also allowed the Web app pool's account delegation to the sql db and the ssrs spn.

    Also, if i just extend the default zone to an intranet zone using a different url, the report works fine as well. It's only through TMG using the AAM transition where it fails.

    Thank you.

    • Moved by Mike Walsh FIN Monday, March 28, 2011 5:44 PM SSRS questions go to the BI forum. You should also ONCE spell out TMG so everyone knows you are talking about Forefront. (From:SharePoint - General Question and Answers and Discussion (pre-SharePoint 2010))
    Monday, March 28, 2011 5:38 PM

All replies

  • Hi trung,


    How did you configure the Service Principle Name(SPN) for SQL and SharePoint and Reporting Services?


    Please check if you use HTTPS in your SPN? If so, you do not need to change any of the SPNs created when configuring Reporting Services with HTTP in the previous steps. The SPN for an HTTP service over SSL remains HTTP/<service>.


    In addition, Forefront TMG support the following SSL bridging scenarios:


    HTTPS-to-HTTPS bridging—A request arriving on an SSL connection is forwarded over an SSL connection. In this scenario, the client sends an encrypted request. Forefront TMG decrypts the request, encrypts it again, and forwards it to the Web server. The Web server returns the encrypted object to the Forefront TMG computer. Forefront TMG decrypts the object, encrypts it again, and sends it to the client.


    HTTPS-to-HTTP bridging—A request arriving on an SSL connection is forwarded as an unencrypted request. In this scenario, the client sends an encrypted request. Forefront TMG decrypts the request and forwards it to the Web server. The Web server returns the HTTP object to the Forefront TMG computer. Forefront TMG encrypts the object and sends it to the client.


    Make sure the settings above is corresponding to Alternative Address Mapping (AAM) setting. For example, forwarding https requests to http and the AAM should be configured as http, or vice versa.


    For more information about SSL bridging and publishing, please refer to the following article:





    Rock Wang

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfb@microsoft.com

    Regards, Rock Wang Microsoft Online Community Support
    Tuesday, March 29, 2011 8:47 AM
  • hi rock,


     I configured my spn as follows for netbios and fqdn - setspn -S http/(reporting service server) (domain)\(reporting service service).

    I also have my rule bridging from 443 to port 80 as per the AAM guide. Now, I just tested this on a Sharepoint 2010 farm with SSRS 2008 R2 add in as well because I read that there is support for multizones. The previous question that I had, it was a SharePoint 2007 farm (with the SSRS 2008 SP2 add-in) and that still isn't working. In the Sharepoint 2010 farm however, I know get an error of a failed connection attempt on the Threat Management Gateway (TMG) to the extended sharepoint site.

    The request that is denied is a "GET http://sp2010-external.domain.com/site/_layouts/Reportserver/RSViewerPages.aspx?rv:relativereporturl:/site/reports/report1.rdl&source=https%3A%2Fexternal%external%2E.com%2FSites...&DefaultItemOpen=1.


    So it looks like it's having issues going from the external name which is https://external.external.com to the extended site: http://sp2010-external.domain.com?


    Again, the internal site works fine but the external site now says "For more information about this error navigate to the report server on the local machine, or enable remote errors."


    Has the SharePoint or sql team tried SSRS (2008 sp2 or 2008r2) based on the AAM and TMG configuration that I mentioned above? Thanks.





    Wednesday, March 30, 2011 2:08 PM
  • Hi trung, I have the same issue, please let me know if you solved it.
    Friday, June 8, 2012 8:24 PM
  • Hi JakeOba, have you been able to resolve the issue?
    Thursday, June 14, 2012 3:16 PM
  • not yet :(
    Monday, June 18, 2012 8:16 AM