DPM 1801 Install Fails: SSRS Certificate Invalid?

  • Question

  • I'm trying to install DPM 1801 with a remote SQL server. However, during the install I get the following error:

    [12/11/2018 11:59:33 AM] * Exception :  => Report configuration failed.Verify that SQL Server Reporting Services is installed properly and that it is running.Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.BackEndErrorException: exception ---> Microsoft.Internal.EnterpriseStorage.Dls.Setup.Exceptions.ReportDeploymentException: exception ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

    I have issued a trusted certificate to the SSRS server from our Enterprise CA with the full domain name as the common name, with the NETBIOS name and IP address as SANs. Everything online I was able to find said to do that, or a self signed certificate and import it on the DPM server. I prefer the former. Most of the documentation references the 2012 R2 version and says that it is trying to connect to SSRS using the IP. They include parts of their log that indicate that. I do not see anywhere in my install log that it is trying the IP address. In fact earlier on, it does the prereq check and says SSRS is fine:

    [12/11/2018 11:59:04 AM] Data : checkId = SqlReportServerService
    [12/11/2018 11:59:04 AM] Information : Running the check: SqlReportServerService
    [12/11/2018 11:59:04 AM] Information : Getting the check for the checkId : SqlReportServerService
    [12/11/2018 11:59:04 AM] Information : Reading the registry key Software\Microsoft\Microsoft Data Protection Manager\Setup\SqlReportServerService.
    [12/11/2018 11:59:04 AM] Information : Registry Key Software\Microsoft\Microsoft Data Protection Manager\Setup\SqlReportServerService is absent.
    [12/11/2018 11:59:04 AM] Information : Calling the method: CheckReportingServicesConfig
    [12/11/2018 11:59:04 AM] Information : Check SQL Server 2008 Reporting Services report server service configuration.
    [12/11/2018 11:59:04 AM] Information : Querying WMI Namespace: \\***\root\cimv2 for query: SELECT * FROM Win32_Service WHERE Name='ReportServer'
    [12/11/2018 11:59:04 AM] Data : Credentials of the service = ***
    [12/11/2018 11:59:04 AM] Information : Report Server service configuration is correct.
    [12/11/2018 11:59:04 AM] Information : Adding the check result entry for checkId: SqlReportServerService and result: 0
    [12/11/2018 11:59:04 AM] Information : Got Error Message: Check Succeeded

    I can connect to the reporting services URL on HTTPS using the FQDN, but if I try with the IP or NETBIOS name in a browser I get a "Bad Host Name" error. I'm not sure if that is by design or causing the problem. I need it to work with FQDN, but don't know how to add the additional options if that is allowed.

    Any help would be appreciated, thanks!

    Tuesday, December 11, 2018 8:21 PM

All replies

  • Hello John!

    Could you elaborate on the following?

    I have issued a trusted certificate to the SSRS server from our Enterprise CA with the full domain name as the common name, with the NETBIOS name and IP address as SANs.

    Have you done the following?

    • Installed and created a Reporting Services database on your remote SQL server.
    • Configured within the settings under the Web Services URL tab in the Reporting Services Configuration Manager

    Also what version of SQL Server / SQL Reporting Services are you using?

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Tuesday, December 11, 2018 9:16 PM
  • Originally the Reporting Server was set up with the default self signed cert. I requested a new cert from our CA and added that to the screen above so it would be trusted by all machines on our domain.

    Yes, a reporting database is running. It is working fine for MBAM and SCCM.

    Yes, this page is configured with the certificate issued by the CA. Reporting services SSL is running on port 8443. I'm not sure if I have to tell the DPM install that it is running on a non standard port, but I don't know where to put that in the unattended DPMSetup.ini file.

    Wednesday, December 12, 2018 1:11 PM
  • Yeah not sure if you can set the port in the DPMSetup.ini file.

    One way to work this out would be to install DPM while the Reporting Server is still using the default settings. Once DPM is installed, you can change the port and use a certificate from your CA.


    Blog: https://thesystemcenterblog.com

    Thursday, December 13, 2018 2:19 PM
  • Thanks for the advice. I temporarily bound SSRS to 80 and 443 and was able to get DPM to install. After moving it back to the non-standard ports, where will I change that on the DPM server?
    Friday, December 14, 2018 2:25 PM
  • The System Center products will usually try to connect to the web service link provided by Reporting Services and work on that.

    You will need to install the certificate, add it to the trusted store, and then configure Reporting Services to listen on HTTPS port 443 from the Reporting Services Configuration Manager.

    After you've created the HTTPS link successfully, try opening the HTTPS web service link both remotely and locally from a browser. If you can open it there without any error, Reporting Services is working fine.

    I stumbled upon this post as well:

    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/7b0ccf1b-673e-4844-990f-1608e32f98f6/dpm-2012-setup-to-remote-sql-2012-ssl-cert-error?forum=sqlreportingservices

    It seems that DPM uses the IP address to access the Reporting Services instance and not the NETBIOS name.


    Blog: https://thesystemcenterblog.com

    Friday, December 14, 2018 2:53 PM
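
Added example, not part of any post in this thread: a PowerShell check to run from the DPM server that completes a TLS handshake with SSRS under each name (FQDN, NetBIOS, IP) and reports the validation errors .NET raises for that name, plus the SANs on the certificate actually served. The host names, IP address and port are placeholders, and the function name `Test-SsrsTlsName` is hypothetical.

```powershell
# Added diagnostic example; run on the DPM server. Names, IP and port are placeholders.
$Names = 'ssrs01.corp.example.com', 'SSRS01', '192.0.2.10'   # FQDN, NetBIOS name, IP
$Port  = 443                                                 # HTTPS port bound in SSRS

function Test-SsrsTlsName {
    param([string]$Name, [int]$Port)

    $state  = @{ Errors = $null }
    $ssl    = $null
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Name, $Port)
        # Record what the .NET validation procedure reports, then accept the certificate
        # so the handshake finishes and the certificate can be inspected. Diagnostic only.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $cert, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Name)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }

        [pscustomobject]@{
            Name         = $Name
            PolicyErrors = $state.Errors     # None means this name passes validation
            Subject      = $cert.Subject
            SAN          = $san
            NotAfter     = $cert.NotAfter
        }
    }
    catch {
        [pscustomobject]@{ Name = $Name; PolicyErrors = "Connection failed: $($_.Exception.Message)" }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

$Names | ForEach-Object { Test-SsrsTlsName -Name $_ -Port $Port } | Format-List
```

`RemoteCertificateNameMismatch` points at the name used to connect, while `RemoteCertificateChainErrors` points at trust in the issuing CA on the machine running the check.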
  • Hi John,

    Just checking to see if you have any update?

    Best regards,
    Leon


    Blog: https://thesystemcenterblog.com

    Wednesday, December 19, 2018 2:16 PM
  • Sorry, I haven't had a chance to check it. I have other web services running on the SSRS box that need to be on 443, so I switched everything back to the way it was pre-DPM install. I haven't had a chance to see if I can reconfigure DPM to connect to SSRS on 8443. I have been trying to get things wrapped up to go on leave. I will check it out next week when back in the office. Thanks for the recommendations.
    Wednesday, December 19, 2018 3:07 PM
  • So, it didn't work and now I think I'm in a really bad state...

    I changed SSRS to listen on 443 and disabled the other service running on 443 to get DPM installed. DPM installed without any issues.

    I put SSRS back on 8443 and restarted the other service. Both the other service and SSRS are working on the correct ports.

    DPM console says it is unable to connect to SSRS. I can't find any way to designate the SSRS port on the DPM server.

    Tuesday, January 15, 2019 6:19 PM
  • It does indeed seem that the port of the Reporting Services for DPM cannot be changed. I couldn't find anything official about it, but it would probably be stated if it was supported, as it is with the SQL Server port:

    "The default instance of the database engine listens on TCP port 1443. This setting can be changed. To use the SQL Server Browser service to connect to instances that don’t listen on the default 1433 port, you’ll need UDP port 1434."

    I would interpret the following as meaning it cannot be changed:

    "Configure an incoming exception for sqlservr.exe for the DPM instance of SQL Server to allow TCP on port 80. The report server listens for HTTP requests on port 80."


    Reference
    https://docs.microsoft.com/en-us/system-center/dpm/configure-firewall-settings-for-dpm?view=sc-dpm-1801#BKMK_SQL


    Blog: https://thesystemcenterblog.com

    • Proposed as answer by Leon Laude Thursday, January 17, 2019 9:59 AM
    • Marked as answer by John Lore Thursday, January 17, 2019 1:18 PM
    Wednesday, January 16, 2019 10:14 AM
  • I agree. I need to decide if I want to move my SQL server to a dedicated VM or move my SCCM stuff to a custom web site with non standard ports. Right now SQL is on the SCCM box (we only manage 80 clients and 16 server VMs)
    Wednesday, January 16, 2019 1:31 PM
  • I think Microsoft has been thinking that DPM should have its dedicated resources, otherwise they would have made it easier to change ports.

    Blog: https://thesystemcenterblog.com

    Thursday, January 17, 2019 10:00 AM