Tuesday, March 27, 2012

Forms Authentication, LogonUser, and certificates

We are having an issue getting Report Manager to work with SSL.
Here's the setup:
We have taken the forms authentication example and have modified it
to suit our needs, and it works fine (no SSL at this point). Now, we
want to make our application available over the Internet, so we have
gotten a certificate from VeriSign and turned on SSL - the application
works fine.
The snag comes in with trying to access the Report Manager (even from
the machine it is installed on). When I debug using Visual Studio,
the problem occurs in the UILogin.aspx when calling the
ReportingService's LogonUser class. The error that is reported is
"The underlying connection was closed: Could not establish trust
relationship with remote server." It seems like the certificate is not
being accepted by the reporting service. From reading this forum, I
understand that the URL of the ReportingService object should be set
to "https://<machine_name>/ReportServer/reportservice.asmx". However,
our certificate from VeriSign has our production website name, which
obviously does not match the machine name. Could this be causing the
problem? If so, is there a way around this?
We do NOT want the Report Manager available over the internet, just
locally. A hokey solution is OK, as long as it keeps the Reporting
Service secure. If anybody has any insights into this situation, it would
be greatly appreciated.
Thanks,
Terry Romance

Terry,
Is UseSSL in the Report Manager RSWebApplication.config file on, such
as:
<UI>
  <CustomAuthenticationUI>
    <loginUrl>/Pages/UILogon.aspx</loginUrl>
    <UseSSL>True</UseSSL>
  </CustomAuthenticationUI>
  <!--Change the following line to reflect the computer name where RS is
  installed. DO NOT USE LOCALHOST-->
  <ReportServerUrl>http://MyRSServer/ReportServer</ReportServerUrl>
</UI>
Yes, it will be a good idea to move the Report Manager to a private subnet
if you don't need it to be accessible on Internet. But I don't think this
will solve your issue.
In addition, make sure you access the Report Manager by using the computer
name where it is not installed, not localhost.
--
Hope this helps.
---
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
http://www.manning.com/lachev
Home page and blog http://www.prologika.com
---

Teo,
Thanks for the reply. I have SSL turned on, and here is the
relevant section of the RSWebApplication.config file:
<UI>
  <CustomAuthenticationUI>
    <loginUrl>/Pages/UILogin.aspx</loginUrl>
    <UseSSL>True</UseSSL>
  </CustomAuthenticationUI>
  <ReportServerUrl>https://<machine_name>/ReportServer</ReportServerUrl>
</UI>
(I have the actual machine name, not 'localhost')
I also have the following in RSReportServer.config:
<Add Key="SecureConnectionLevel" Value="3"/>
I noticed in your post you had http: instead of https: - when I tried
making that change in the RSWebApplication.config file, I received the
following exception instead:
"The operation you are attempting requires a secure connection
(HTTPS)."
So, I'm guessing that the https: is correct.
Is my guess right that it is the difference between the
name in the config file and the name on the certificate that is
causing the error?
I can validate the user directly using my own code, but is there any
way I could create a certificate on the fly and pass it to the Report
Server so that it will then allow the user into the Report Manager?
Currently we are stuck with switching back to Windows authentication
or turning off SSL.
Any ideas would be helpful at this point.
Thanks,
Terry

Terry,
Yes, it should be https. I doubt that the problem is with the certificate.
What does navigating to https://machine_name/reportserver give you?
In addition, according to your explanation this error only happens with the
Report Manager. Have you tried calling LogonUser from another application?
Is the call successful?
--
Hope this helps.
---
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
http://www.manning.com/lachev
Home page and blog http://www.prologika.com
---

Teo,
Thanks for your continuing help.
When I navigate to "https://machine_name/reportserver", it
redirects me to the Report Server's login screen (Login.aspx, not the
Report Manager's login, which is UILogin.aspx). I am able to login
successfully there - the validation is handled by my own DB lookup, it
then calls FormsAuthentication.RedirectFromLoginPage if the user is
verified.
I did try connecting to the report manager externally
(since I believed this would resolve any differences between the
domain name I was connecting to, and the name on the certificate). In
the debugger, execution seemed to hang on the LogonUser call, before
it eventually returned the following message:
"A connection attempt failed because the connected party did not
properly respond after a period of time, or established connection
failed because connected host has failed to respond."
This is different from the message I received when trying to
connect internally (the "trusted connection" message). I never
received any prompt message in IE running on the external machine to
indicate that it was waiting for input. Does this help narrow down
what the problem might be?
I have not tried calling LogonUser from another application, but
I will try doing that and post the results.
Again, I appreciate all your help.
Thanks,
Terry

Teo,
I hope you are still out there monitoring this thread. I'm
sorry, but we had another issue here that required my attention.
I was finally able to try to code a small test application to
call LogonUser. The result is the same: "The underlying connection
was closed: Could not establish trust relationship with remote
server."
We are currently stuck with switching back to the original config
files and Windows Authentication to access the Report Manager, and
then going back to our custom security when we are done, but this is
by no means a good long-term solution. At this point, I'll welcome
any suggestion or experiment to try.
Thanks in advance.
- Terry

Terry,
Check these threads:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search
In addition, if you use client certificates review this:
This article was previously published under Q318103
SYMPTOMS
Note The following .NET Framework Class Library namespaces are referenced in
this article:
System.Web.Services
System.Security.Cryptography.X509Certificates
When you try to pass a client certificate from an ASP.NET page to a Web
service that requires Secure Sockets Layer (SSL) and client certificates,
you receive the following error message:
403 Access Denied
CAUSE
A certificate is associated with the user ID of the user who installed the
certificate (this is the certificate user); therefore, the certificate is
available only when that user profile is loaded. If no one is logged on to
the computer, or if a user other than the certificate owner is logged on,
the certificate is not accessible.
If you access the Web service .asmx file from a browser that passes the
certificates to you, you do not encounter this problem.
The following ASP.NET code fails when calling SimpleServices, which expects
a client certificate:
public void Submit_HelloWorldClick(Object sender, EventArgs E)
{
    // Instantiate the proxy class for the web service
    SimpleService service = new SimpleService();
    // Pass in credentials using NTLM
    service.Credentials = CredentialCache.DefaultCredentials;
    // Load the client certificate from a file
    X509Certificate x509 = X509Certificate.CreateFromCertFile(@"c:\user_der.cer");
    service.ClientCertificates.Add(x509);
    // Call the service
    Result.Text = service.HelloWorld();
}
RESOLUTION
To resolve this issue, invoke the Web service from a Serviced Component, and
use a Microsoft Windows service to automatically load the profile of the
certificate user so that the Serviced Component can retrieve the client
certificate and then communicate with the Web service over SSL.
1. Create a Windows service program with only one function to run under
   the certificate user identity.
2. Create a Serviced Component that runs under the identity of the
   certificate user.
3. Move the authentication code from the ASP.NET application to the
   Serviced Component. Verify that the Serviced Component runs under the
   identity of the certificate user.
4. Call the Serviced Component method from the ASP.NET Web application.
STATUS
This behavior is by design.
--
Hope this helps.
----
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
Publisher website: http://www.manning.com/lachev
Buy it from Amazon.com: http://shrinkster.com/eq
Home page and blog: http://www.prologika.com/
----

Basically, you have to disable certificate checking for the RM application.
You do this by writing a custom certificate checker and just ignoring errors
in that checker. You can make this part of your UILogon code.
Hope this helps.
--Carlos
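
A narrower form of the certificate checker suggested above, as an added example that is not code from the thread or from Reporting Services: instead of ignoring every error, it tolerates only a name mismatch, only for the internal report server host, and only for one pinned certificate. It assumes .NET Framework 2.0 or later; the class name, `machine_name` and the thumbprint value are placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Added example, not code from the thread. Assumes .NET Framework 2.0 or later.
public static class ReportServerCertificatePolicy
{
    // Assumption: the internal machine name used in ReportServerUrl (placeholder).
    private const string InternalHost = "machine_name";

    // Assumption: SHA-1 thumbprint of the certificate installed on the report
    // server, read from the certificate's properties (placeholder value).
    private const string PinnedThumbprint = "0000000000000000000000000000000000000000";

    // Pure decision logic, separated from the callback so it can be tested offline.
    public static bool IsAcceptable(string host, string thumbprint, SslPolicyErrors errors)
    {
        // A certificate that validates normally needs no exception.
        if (errors == SslPolicyErrors.None)
            return true;

        // Tolerate a name mismatch and nothing else. An untrusted or broken chain,
        // or a missing certificate, sets other flags and is rejected here.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;

        // The exception applies only to calls addressed to the internal host ...
        if (!string.Equals(host, InternalHost, StringComparison.OrdinalIgnoreCase))
            return false;

        // ... and only when the server presents the one certificate we expect.
        return thumbprint != null &&
               string.Equals(thumbprint.Replace(" ", ""), PinnedThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }

    private static bool Validate(object sender, X509Certificate certificate,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        // For web service proxies the sender is the HttpWebRequest being made.
        HttpWebRequest request = sender as HttpWebRequest;
        string host = request != null ? request.Address.Host : null;
        string thumbprint = certificate != null ? certificate.GetCertHashString() : null;

        bool accepted = IsAcceptable(host, thumbprint, errors);
        if (!accepted)  // replace Console.Error with the application's own logging
            Console.Error.WriteLine("Rejected certificate for {0}: {1}", host, errors);
        return accepted;
    }

    // The callback is process-wide (per AppDomain), so register it once, for
    // example in Application_Start, before the LogonUser call is made.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback =
            new RemoteCertificateValidationCallback(Validate);
    }

    // Constructed inputs exercising each branch; no network access needed.
    public static void Main()
    {
        SslPolicyErrors mismatch = SslPolicyErrors.RemoteCertificateNameMismatch;
        SslPolicyErrors both = mismatch | SslPolicyErrors.RemoteCertificateChainErrors;
        string other = "1111111111111111111111111111111111111111";

        // Case 1: pinned certificate, internal host, name mismatch only.
        Console.WriteLine(IsAcceptable(InternalHost, PinnedThumbprint, mismatch));
        // Case 2: same host and error, but a different certificate.
        Console.WriteLine(IsAcceptable(InternalHost, other, mismatch));
        // Case 3: pinned certificate presented for some other host.
        Console.WriteLine(IsAcceptable("www.example.com", PinnedThumbprint, mismatch));
        // Case 4: name mismatch combined with an untrusted chain.
        Console.WriteLine(IsAcceptable(InternalHost, PinnedThumbprint, both));
    }
}
```

Where the report server can be addressed by the name that is on its certificate, no exception is needed and the callback should not be installed.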
"Teo Lachev" <teo.lachev@.nospam.prologika.com> wrote in message
news:uWfcNndmEHA.512@.TK2MSFTNGP10.phx.gbl...
> Terry,
> Check these threads:
>
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&q=%22The+underlying+connection+was+closed%3A+Could+not+establish+trust+relationship+%22&btnG=Search
> In addition, if you use client certificates review this:
> This article was previously published under Q318103
> SYMPTOMS
> Note The following .NET Framework Class Library namespaces are referenced
in
> this article:
> System.Web.Services
> System.Security.Cryptography.X509Certificates
> When you try to pass a client certificate from an ASP.NET page to a Web
> service that requires Secure Sockets Layer (SSL) and client certificates,
> you receive the following error message:
> 403 Access Denied
> CAUSE
> A certificate is associated with the user ID of the user who installed the
> certificate (this is the certificate user); therefore, the certificate is
> available only when that user profile is loaded. If no one is logged on to
> the computer, or if a user other than the certificate owner is logged on,
> the certificate is not accessible.
> If you access the Web service .asmx file from a browser that passes the
> certificates to you, you do not encounter this problem.
> The following ASP.NET code fails when calling SimpleServices, which
expects
> a client certificate:
> public void Submit_HelloWorldClick(Object sender, EventArgs E)
> {
> // Instantiate the proxy class for the web service
> SimpleService service = new SimpleService();
> // Pass in credentials using NTLM
> service.Credentials = CredentialCache.DefaultCredentials;
> // Load the client certificate from a file
> X509Certificate x509 => X509Certificate.CreateFromCertFile(@."c:\user_der.cer");
> service.ClientCertificates.Add(x509);
> // Call the service
> Result.Text = service.HelloWorld();
> }
> RESOLUTION
> To resolve this issue, invoke the Web service from a Serviced Component,
and
> use a Microsoft Windows service to automatically load the profile of the
> certificate user so that the Serviced Component can retrieve the client
> certificate and then communicate with the Web service over SSL.
> 1.. Create a Windows service program with only one function to run under
> the certificate user identity.
> 2.. Create a Serviced Component that runs under the identity of the
> certificate user.
> 3.. Move the authentication code from the ASP.NET application to the
> Serviced Component. Verify that the Serviced Component runs under the
> identity of the certificate user.
> 4.. Call the Serviced Component method from the ASP.NET Web application.
> STATUS
> This behavior is by design.
> --
> Hope this helps.
> ----
> Teo Lachev, MCSD, MCT
> Author: "Microsoft Reporting Services in Action"
> Publisher website: http://www.manning.com/lachev
> Buy it from Amazon.com: http://shrinkster.com/eq
> Home page and blog: http://www.prologika.com/
> ----
> "Terry Romance" <tedgromance@.yahoo.com> wrote in message
> news:f284ebe.0409131008.e9801ec@.posting.google.com...
> > Teo,
> >
> > I hope you are still out there monitoring this thread. I'm
> > sorry, but we had another issue here that required my attention.
> >
> > I was finally able to try to code a small test application to
> > call LogonUser. The result is the same: "The underlying connection
> > was closed: Could not establish trust relationship with remote
> > server."
> >
> > We are currently stuck with switching back to the original config
> > files and Windows Authentication to access the Report Manager, and
> > then going back to our custom security when we are done, but this is
> > by no means a good long-term solution. At this point, I'll welcome
> > any suggestion or experiment to try.
> >
> > Thanks in advance.
> >
> > - Terry
> >
> > > "Teo Lachev" <teo@.nospam.prologika.com> wrote in message
> news:<ekCmv1diEHA.3944@.tk2msftngp13.phx.gbl>...
> > > > Terry,
> > > >
> > > > Yes, it should be https. I doubt that the problem is with the
> certificate.
> > > > What does navigating to https://machine_name/reportserver give you?
> > > >
> > > > In addition, according to your explanation this error only happens
> with the
> > > > Report Manager. Have you tried callling LogonUser from another
> application?
> > > > Is the call successful?
> > > > --
> > > > Hope this helps.
> > > >
> > > > ---
> > > > Teo Lachev, MCSD, MCT
> > > > Author: "Microsoft Reporting Services in Action"
> > > > http://www.manning.com/lachev
> > > > Home page and blog http://www.prologika.com
> > > > ---
> > > >
>|||Carlos,
Thanks for the reply. If it makes a difference, we are NOT using
client certificates.
Excuse me for asking, but I am relatively new with Reporting
Services, Visual Studio .NET, SSL and certificates, and I have no idea
how to disable certificate checking, much less write my own. Do you
have an example, or know a location on the web that might have one?
Thanks,
Terry

Teo,
Thank you for the reply. I think I have read each of those posts
you link to several times each, to no avail, but I will keep digging
through them.
We are not using client certificates in our application.
I have been trying something different lately - linking to the
reporting service from a different machine using the URL that matches
the one on the certificate we were issued by VeriSign. I think I
managed to get around the "could not establish trusted connection"
error, but am now getting SOAP errors. When I get more specific
details, I will post them here.
Thanks again for your continuing assistance.
- Terry

Terry,
I don't know what is causing your grief. I have implemented Forms
Authentication over SSL and didn't have a problem. Have you tried creating a
sample web service on that box and calling it just to eliminate RS?
--
Hope this helps.
----
Teo Lachev, MCSD, MCT
Author: "Microsoft Reporting Services in Action"
Publisher website: http://www.manning.com/lachev
Buy it from Amazon.com: http://shrinkster.com/eq
Home page and blog: http://www.prologika.com/
----

Teo,
Thanks, I will give that a try, which might not be for awhile -
we just ran into major performance issues. (We had 10 people try to
bring up reports at once, and I think it broke our Forms
Authentication - cookies seemed to disappear!)
Anyway, I hope you'll still be monitoring this when I get back to
checking this issue. Thanks again for all your help.
- Terry