Hi,
I have an SP 2013 instance with SQL 2012 SP1 SSRS running.
Until recently, it was operating fine. Now, however, I cannot access
the "System Settings" configuration page in Central Admin. I get the
following error:
The report server cannot
decrypt the symmetric key that is used to access sensitive or encrypted data in
a report server database. You must either restore a backup key or delete all
encrypted content. --->
Microsoft.ReportingServices.Library.ReportServerDisabledException: The report
server cannot decrypt the symmetric key that is used to access sensitive or
encrypted data in a report server database. You must either restore a backup key
or delete all encrypted content. ---> System.Security.SecurityException:
Requested registry access is not allowed.
No, I don't
have a backup copy of the key (dumb, I know). I have also tried deleting
keys from CA, but this doesn't seem to allow access either. I have run
repairs of the SQL Server SSRS for Sharepoint component, and the
rsaddin. Have also granted explicit read access to the farm admin
account and the WSS_WPG to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Reporting Services
The
only thing that has changed in the environment is that we were playing
around with authentication settings on IIS (the server also hosts other
sites) - specifically Enhanced protection. This is switched off for all
relevant sites, but an earlier error I was getting in the rs log file
was pointing at a missing config entry for WindowsEnhancedProtection -
which I've added (with settings "Off", and "Any").
Report service log file is giving me:
ERROR: Throwing
Microsoft.ReportingServices.Library.ReportServerDisabledException: ,
Microsoft.ReportingServices.Library.ReportServerDisabledException: The
report server cannot decrypt the symmetric key that is used to access
sensitive or encrypted data in a report server database. You must either
restore a backup key or delete all encrypted content. --->
System.Security.SecurityException: Requested registry access is not
allowed.
at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
at RSManagedCrypto.RSCrypto.Load(Guid id)
at Microsoft.ReportingServices.ServiceRuntime.ReportServiceBase.InitializeAppDomainSingletons()
on
service start. RS database is on a separate server, and we are using
Kerberos auth. Have checked IIS that "Negotiate" is set properly for
the site. Kernel mode protection is on. Enhanced protection is off.
Running out of ideas...any help appreciated.
regards,
Steve.