You receive an error message in the Reporting Services trace log when you restart the Report Server service after you change the user account that is used to run the Report Server service (842421)


The information in this article applies to:

  • Microsoft SQL Server 2000 Reporting Services

SYMPTOMS

On a computer that is running Microsoft SQL Server 2000 Reporting Services, if you change the user account that you use to run the Report Server service, and then you restart the Report Server service, you may notice a behavior that is similar to the following:
  • If you change the user account that is used to run the Report Server Windows service, you may receive an error message that is similar to the following in the Reporting Services trace log:

    ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Initializing 
 crypto as user: DomainName\UserName
ReportingServicesService!crypto!d00!5/18/2004-13:10:54:: i INFO: Exporting 
 public key
ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Performing 
 sku validation
ReportingServicesService!crypto!d00!5/18/2004-13:10:55:: i INFO: Importing 
 existing encryption key
ReportingServicesService!library!d00!5/18/2004-13:10:55:: e ERROR: Throwing 
 Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
 The report server cannot decrypt the symmetric key used to access sensitive or 
 encrypted data in a report server database. You must either restore a backup key 
 or delete all encrypted content and then restart the service. Check the 
 documentation for more information., ; Info: 
Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
 The report server cannot decrypt the symmetric key used to access sensitive or 
 encrypted data in a report server database. You must either restore a backup 
 key or delete all encrypted content and then restart the service. Check the 
 documentation for more information. ---> 
System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
 at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
  IntPtr errorInfo)
 at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
 at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
 --- End of inner exception stack trace ---
ReportingServicesService!library!d00!5/18/2004-13:10:55:: Exception caught 
 while starting service. Error: 
 Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
 The report server cannot decrypt the symmetric key used to access sensitive or 
 encrypted data in a report server database. You must either restore a backup  
 key or delete all encrypted content and then restart the service. Check the 
 documentation for more information. ---> 
System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
 at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
  IntPtr errorInfo)
 at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
 at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
 --- End of inner exception stack trace ---
 at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
 at Microsoft.ReportingServices.Library.ConnectionManager.ConnectStorage()
 at Microsoft.ReportingServices.Library.ConnectionManager.VerifyConnection()
 at Microsoft.ReportingServices.Library.ServiceController.ServiceStartThread()
ReportingServicesService!library!d00!5/18/2004-13:10:55:: Attempting to start
 service again...
    Note By default, the Report Server Windows service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServerService_TimeStamp.log file.
  • If you change the user account that is used to run the Report Server Web service, you may receive an error message that is similar to the following in the Reporting Services trace log:

    aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Initializing crypto as 
 user: UserName
aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Exporting public key
aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Performing sku validation
aspnet_wp!crypto!c84!5/21/2004-05:26:15:: i INFO: Importing existing encryption 
 key
aspnet_wp!library!c84!5/21/2004-05:26:15:: e ERROR: 
 Throwing Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
 The report server cannot decrypt the symmetric key used to access sensitive 
 or encrypted data in a report server database. You must either restore a 
 backup key or delete all encrypted content and then restart the service. 
 Check the documentation for more information., ;
Info: Microsoft.ReportingServices.Diagnostics.Utilities.ReportServerDisabledException: 
 The report server cannot decrypt the symmetric key used to access sensitive or 
 encrypted data in a report server database. You must either restore a backup 
 key or delete all encrypted content and then restart the service. Check the 
 documentation for more information. ---> 
 System.Runtime.InteropServices.COMException (0x80090005): Bad Data.
at System.Runtime.InteropServices.Marshal.ThrowExceptionForHR(Int32 errorCode, 
 IntPtr errorInfo)
at RSManagedCrypto.RSCrypto.ImportSymmetricKey(Byte[] pSymKeyBlob)
at Microsoft.ReportingServices.Library.ConnectionManager.GetEncryptionKey()
   --- End of inner exception stack trace ---
aspnet_wp!webserver!72c!5/21/2004-05:26:25:: i INFO: Reporting Web Server 
 stopped
    Note By default, the Report Server Web service trace log is recorded in the InstallationDrive:\Program Files\Microsoft SQL Server\InstanceOfSQLServer\Reporting Services\LogFiles\ReportServer_TimeStamp.log file.

    Additionally, when you start the Report Manager, you may receive an error message that is similar to the following:

    The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content and then restart the service. Check the documentation for more information. (rsReportServerDisabled) Get Online Help
    Bad Data.

CAUSE

The Report Server service uses the symmetric key to access the encrypted data in a report server database. This symmetric key is encrypted by using an asymmetric public key that corresponds to the computer and the user account that is used to run the Report Server service. When you change the user account that is used to run the Report Server service, the report server cannot use the asymmetric public key to decrypt the symmetric key. Therefore, the Report Server service cannot use the symmetric key to access the data from the report server database.

RESOLUTION

To resolve this problem, you must back up the encrypted keys before you change the user account that is used to run the Report Server Windows service or the Report Server Web service, and then you must apply the keys that were backed up. To do this, on the computer that is running the Reporting Services, follow these steps:
  1. Start the Report Server Windows service and the Report Server Web service by using the user account that the service was running successfully for.
  2. Use the rskeymgmt command-line utility to back up the encryption keys. To do this, run the following command at the command prompt:

    RSKeyMgmt -e -f FileName -p StrongPassword

    Note: Replace FileName and StrongPassword with an appropriate file name and an appropriate password. By default, the rskeymgmt command-line utility is located in the InstallationDrive:\Program Files\Microsoft SQL Server\80\Tools\Binn folder.

    For more information about the rskeymgmt command-line utility, run the following command at the command prompt:

    RSKeyMgmt /?

  3. Use the rskeymgmt command-line utility to remove the reference to the existing keys. To do this, run the following command at the command prompt:

    RSKeyMgmt -r InstallationID

    Note Replace InstallationID with the installation ID that is provided in the InstallationID setting of the RSReportServer.config file. By default, the RSReportServer.config file is stored in the InstallationDrive:\Program Files\Microsoft SQL Server\MSSQL\Reporting Services\ReportServer folder.
  4. Stop Microsoft Internet Information Services (IIS).
  5. Stop the Report Server Windows service.
  6. Change the user account that is used to run the Report Server Windows service or the Report Server Web service to the user account that you want.
  7. Start IIS.
  8. Start the Report Server Windows service.
  9. Use the rskeymgmt command-line utility to apply the encryption keys that were backed up in step 2. To do this, run the following command at the command prompt:

    RSKeyMgmt -a -f FileName -p StrongPassword

    Note Replace FileName and StrongPassword with the file name and the password that you used to back up the symmetric encryption keys in step 1.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For more information about Reporting Services trace logs, visit the following Microsoft Developer Network (MSDN) Web site:

http://msdn.microsoft.com/library/en-us/rsadmin/htm/arp_rslogfiles_v1_1m61.asp

For more information about the RSReportServer.config configuration file, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/en-us/rsadmin/htm/arp_configfiles_v1_1it5.asp

Modification Type:MinorLast Reviewed:7/16/2004
Keywords:kbtshoot kbConfig kbService kbReport kbMsg kbUser kbsettings kblogin kberrmsg kbprb KB842421 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.