How to change SQL Server Reporting Services to use Kerberos instead of NTLM


troubleshooting   guides   operationsManager

I had a customer ask if SCOM Reporting requires NTLM or not. So when I started digging for information on this, I found this blog post showing how to change SSRS to use Kerberos instead of NTLM: How to change SCOM reporting to use Kerberos instead of NTLM - Cloud management at your fingertips (mscloud.be)

I found that the article is missing some screenshots and seems to no longer be maintained. So, I thought it would be a good time to publish something for this.


:book: What is Kerberos and NTLM

If you are wondering, what is NTLM? What is Kerberos? How do these help or hurt? This article goes into detail to explain the differences:
Difference between Kerberos and NTLM


:exclamation: SCOM Reporting Installation Quirk

Something you need to take into account is that the SCOM Reporting installation overwrites the rsreportserver.config file and reverts any changes you have made, which sets authentication back to NTLM. This means you will need to apply the steps to change to Kerberos again AFTER the SCOM Reporting installation.


:page_with_curl: How to change SSRS Authentication

:memo: Manually change SSRS Authentication

  • To change the report server authentication settings, edit the value in the rsreportserver.config file:
    C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\rsreportserver.config
    

    Replace RSWindowsNTLM with RSWindowsNegotiate in the config file.

:zap: Automatically change SSRS Authentication with PowerShell

  • This script will allow you to automatically set the Authentication for SSRS to Windows Negotiate instead of NTLM:
    # Find the WMI namespace of the first SSRS instance, then its versioned Admin namespace
    $RS = "root\Microsoft\SqlServer\ReportServer\" + (Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name
    $RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
    $RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
    # Swap the RSWindowsNTLM element for RSWindowsNegotiate in rsreportserver.config
    (Get-Content ($RSInfo).PathName).Replace("<RSWindowsNTLM","<RSWindowsNegotiate") | Out-File ($RSInfo).PathName -Encoding UTF8
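
A check for the reset described under the installation quirk, as an added example that is not part of the original post: it parses the config and reports whether the report server is back on RSWindowsNTLM, and whether the text replacement left a repeated element. The helper name `Get-SsrsAuthState`, the XPath (assumed from the default rsreportserver.config layout) and the sample XML are constructed for illustration.

```powershell
# Added example, not from the original post. The XPath assumes the default
# rsreportserver.config layout; Get-SsrsAuthState is a hypothetical helper name.
$AuthTypesXPath = '/Configuration/Authentication/AuthenticationTypes'

function Get-SsrsAuthState {
    param([Parameter(Mandatory)][string]$ConfigXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ConfigXml)
    $node = $doc.SelectSingleNode($AuthTypesXPath)
    if ($null -eq $node) { throw "No $AuthTypesXPath element found." }

    # Element names only, so comments and whitespace in the file are ignored
    $types = @($node.ChildNodes |
        Where-Object { $_.NodeType -eq [System.Xml.XmlNodeType]::Element } |
        ForEach-Object { $_.LocalName })

    $state = if ($types -notcontains 'RSWindowsNTLM' -and $types -contains 'RSWindowsNegotiate') {
        'Negotiate'            # what the replacement above produces
    } elseif ($types -contains 'RSWindowsNegotiate') {
        'NegotiateAndNTLM'     # both types listed
    } elseif ($types -contains 'RSWindowsNTLM') {
        'NTLM'                 # state after SCOM Reporting setup rewrote the file
    } else {
        'Other'
    }

    [pscustomobject]@{
        State      = $state
        Types      = $types
        # A text replace on a file that already lists both types leaves a repeated element
        Duplicates = @($types | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)
    }
}

# Constructed samples (trimmed to the relevant elements)
$afterSetup = '<Configuration><Authentication><AuthenticationTypes><RSWindowsNTLM/></AuthenticationTypes></Authentication></Configuration>'
$bothListed = $afterSetup.Replace('<RSWindowsNTLM/>', '<RSWindowsNegotiate/><RSWindowsNTLM/>')

foreach ($xml in $afterSetup, $bothListed) {
    $before = Get-SsrsAuthState -ConfigXml $xml
    # Same text replacement the post's script applies
    $after  = Get-SsrsAuthState -ConfigXml $xml.Replace('<RSWindowsNTLM', '<RSWindowsNegotiate')
    "{0} -> {1} (duplicates: {2})" -f $before.State, $after.State, ($after.Duplicates -join ',')
}

# On the report server itself:
# Get-SsrsAuthState -ConfigXml (Get-Content -Raw $RSInfo.PathName)
```

A State of NTLM after a SCOM Reporting install means the change has to be applied again.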
    

:page_with_curl: Set SSRS SPN’s

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account. For more information on SPN’s for SSRS see:
Register a Service Principal Name (SPN) for a Report Server - SQL Server Reporting Services (SSRS) | Microsoft Learn

:memo: Check SSRS SPN’s

  • The following command allows you to check the SPN’s for the SSRS Server. You will need to replace the username with the service account running SSRS:
    setspn -l <domain>\<domain-user-account>
    

:memo: Manually set SSRS SPN’s

  • The following command allows you to set the SPN’s for the SSRS Server:
    setspn -s http/<computer-name>.<domain-name> <domain>\<domain-user-account>
    

:zap: Automatically set SSRS SPN’s

  • The following script allows you to automatically set the SSRS SPN’s:
    # Find the WMI namespace of the first SSRS instance
    $RS = "root\Microsoft\SqlServer\ReportServer\" + (Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name
    $RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
    $RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
    
    # Get Computer FQDN
    $DNSComputerName = $env:COMPUTERNAME + '.' + (Get-CimInstance Win32_ComputerSystem).Domain
    
    # Set SSRS SPN
    $setspn = setspn -s "http/$DNSComputerName" "$($RSInfo.WindowsServiceIdentityActual)"
    
    if ($setspn -match "^Duplicate SPN found, aborting operation!$")
    {
        Write-Output "SPN is already set or duplicate SPN found."
    }
    
    # Check SSRS SPN
    setspn -l $RSInfo.WindowsServiceIdentityActual
    

:memo: Restart SSRS Service

  • The following script allows you to restart the SSRS Service:
    # Find the WMI namespace of the first SSRS instance
    $RS = "root\Microsoft\SqlServer\ReportServer\" + (Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name
    $RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
    $RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
    
    # Restart SSRS Service
    Restart-Service ($RSInfo).ServiceName
    

About Blake Drumm
Blake Drumm

I like to collaborate and work on projects. My skills with Powershell allow me to quickly develop automated solutions to suit my customers, and my own needs.


My name is Blake Drumm, I am working on the System Center Enterprise Management Team with Microsoft. Currently working to update public documentation for System Center products and write troubleshooting guides to assist with fixing issues that may arise while using the products. I like to blog on Operations Manager products mostly, keep checking back for new posts. My goal is to post at least once a month if possible.
