Microsoft KB Archive/842421

= You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service =

Article ID: 842421

Article Last Modified on 3/29/2007

-

APPLIES TO


 * Microsoft SQL Server 2000 Reporting Services

-



SYMPTOMS
On a computer that is running Microsoft SQL Server 2000 Reporting Services, if you change the user account that you use to run the Report Server service, and then you restart the Report Server service, you may notice a behavior that is similar to the following:  If you change the user account that is used to run the Report Server Windows service, you may receive an error message that is similar to the following in the Reporting Services trace log:

 ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing crypto as user: DomainName\UserName ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Exporting public key ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Performing sku validation ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing existing encryption key ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information., ; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data. at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode,  IntPtr errorInfo) at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob) at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey --- End of inner exception stack trace --- ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught while starting service. Error: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data. at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode,  IntPtr errorInfo) at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob) at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey --- End of inner exception stack trace --- at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey at Microsoft.ReportingServices.Library.ConnectionManager.ConnectStorage at Microsoft.ReportingServices.Library.ConnectionManager.VerifyConnection at Microsoft.ReportingServices.Library.ServiceController.ServiceStartThread ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start service again...

Note By default, the Report Server Windows service trace log is recorded in the :\Program Files\Microsoft SQL Server\ \Reporting Services\LogFiles\ReportServerService_ .log file. If you change the user account that is used to run the Report Server Web service, you may receive an error message that is similar to the following in the Reporting Services trace log:

 aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Initializing crypto as user: UserName aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Exporting public key aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Performing sku validation aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Importing existing encryption key aspnet_wp!library!c84!5/21/2004-05:26:15:: e ERROR: Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information., ; Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. ---> System.Runtime.InteropServices.COMException (0x80090005): Bad Data. at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, IntPtr errorInfo) at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob) at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey --- End of inner exception stack trace --- aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server stopped

Note By default, the Report Server Web service trace log is recorded in the :\Program Files\Microsoft SQL Server\ \Reporting Services\LogFiles\ReportServer_ .log file.

Additionally, when you start the Report Manager, you may receive an error message that is similar to the following:

The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled) Get Online Help

Bad Data.





CAUSE
The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.



RESOLUTION
To resolve this problem, you must back up the encrypted keys before you change the user account that is used to run the Report Server Windows service or the Report Server Web service, and then you must apply the keys that were backed up. To do this, on the computer that is running the Reporting Services, follow these steps:  Start the Report Server Windows service and the Report Server Web service by using the user account that the service was running successfully for. Use the rskeymgmt command-line utility to back up the encryption keys. To do this, run the following command at the command prompt:

RSKeyMgmt -e -f  -p

Note: Replace  and   with an appropriate file name and an appropriate password. By default, the rskeymgmt command-line utility is located in the :\Program Files\Microsoft SQL Server\80\Tools\Binn folder.

For more information about the rskeymgmt command-line utility, run the following command at the command prompt:

RSKeyMgmt /?

 Use the rskeymgmt command-line utility to remove the reference to the existing keys. To do this, run the following command at the command prompt:

RSKeyMgmt -r

Note Replace  with the installation ID that is provided in the InstallationID setting of the RSReportServer.config file. By default, the RSReportServer.config file is stored in the :\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder.</li> Stop Microsoft Internet Information Services (IIS).</li> Stop the Report Server Windows service.</li> Change the user account that is used to run the Report Server Windows service or the Report Server Web service to the user account that you want.</li> Start IIS.</li> Start the Report Server Windows service.</li> Use the rskeymgmt command-line utility to apply the encryption keys that were backed up in step 2. To do this, run the following command at the command prompt:

RSKeyMgmt -a -f  -p

Note Replace  and   with the file name and the password that you used to back up the symmetric encryption keys in step 1.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.

Additional query words: security context under

<div class="references_section">