
I had a customer ask if SCOM Reporting requires NTLM or not. So when I started digging for information on this, I found this blog post showing how to change SSRS to use Kerberos instead of NTLM: How to change SCOM reporting to use Kerberos instead of NTLM - Cloud management at your fingertips (mscloud.be)
I found that the article is missing some screenshots and seems to no longer be maintained. So, I thought it would be a good time to publish something for this.
What is Kerberos and NTLM
If you are wondering, what is NTLM? What is Kerberos? How do these help or hurt? This article goes into detail to explain the differences:
Difference between Kerberos and NTLM
SCOM Reporting Installation Quirk
Something you need to take into account is that the SCOM installation for Reporting will overwrite the rsreportserver.config file and reverse any changes you may have made (which will set authentication back to NTLM). This means you will need to apply the steps to change to Kerberos again AFTER the SCOM Reporting installation.
How to change SSRS Authentication
Manually change SSRS Authentication
- To change the report server authentication settings, edit the value in the rsreportserver.config file:
C:\Program Files\Microsoft SQL Server Reporting Services\SSRS\ReportServer\rsreportserver.config
Replace RSWindowsNTLM with RSWindowsNegotiate in the config file.
Automatically change SSRS Authentication with PowerShell
- This script will allow you to automatically set the Authentication for SSRS to Windows Negotiate instead of NTLM:
# Build the WMI namespace path of the installed SSRS instance
$RS = "root\Microsoft\SqlServer\ReportServer\" + ((Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace).CimInstanceProperties).Value | Select-Object -First 1
$RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
# Read the SSRS configuration settings (PathName is the path to rsreportserver.config)
$RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
# Swap the NTLM authentication element for Negotiate and write the file back
(Get-Content ($RSInfo).PathName).Replace("<RSWindowsNTLM","<RSWindowsNegotiate") | Out-File ($RSInfo).PathName -Encoding UTF8
Set SSRS SPNs
Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account. For more information on SPNs for SSRS, see:
Register a Service Principal Name (SPN) for a Report Server - SQL Server Reporting Services (SSRS) | Microsoft Learn
Check SSRS SPNs
- The following command lets you check the SPNs for the SSRS server. Replace the username with the service account running SSRS:
setspn -l <domain>\<domain-user-account>
Manually set SSRS SPNs
- The following command lets you set the SPNs for the SSRS server:
setspn -s http/<computer-name>.<domain-name> <domain>\<domain-user-account>
Automatically set SSRS SPNs
- The following script lets you automatically set the SSRS SPNs:
$RS = "root\Microsoft\SqlServer\ReportServer\" + ((Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace).CimInstanceProperties).Value | Select-Object -First 1
$RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
$RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
# Get Computer FQDN
$DNSComputerName = $env:COMPUTERNAME + '.' + (Get-CimInstance Win32_ComputerSystem).Domain
# Set SSRS SPN
$setspn = setspn -s "http/$DNSComputerName" "$($RSInfo.WindowsServiceIdentityActual)"
if ($setspn -match "^Duplicate SPN found, aborting operation!$") {
    Write-Output "SPN is already set or duplicate SPN found."
}
# Check SSRS SPN
setspn -l $RSInfo.WindowsServiceIdentityActual
Restart SSRS Service
- The following script allows you to restart the SSRS Service:
$RS = "root\Microsoft\SqlServer\ReportServer\" + ((Get-CimInstance -Namespace 'root\Microsoft\SqlServer\ReportServer' -ClassName __Namespace).CimInstanceProperties).Value | Select-Object -First 1
$RSV = $RS + "\" + (Get-CimInstance -Namespace $RS -ClassName __Namespace -ErrorAction Stop | Select-Object -First 1).Name + "\Admin"
$RSInfo = Get-CimInstance -Namespace $RSV -ClassName MSReportServer_ConfigurationSetting -ErrorAction Stop
# Restart SSRS Service
Restart-Service ($RSInfo).ServiceName
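Because the SCOM Reporting installation puts the config back to NTLM, it helps to verify the end state after the steps above. The following check is an added example, not part of the original post: it reads rsreportserver.config, reports which authentication types are enabled, and looks for the http SPN in `setspn -l` output. The function name Get-SsrsAuthState, the sample config, and the CONTOSO account and host names are constructed for illustration.

```powershell
# Added example: report the authentication state of an rsreportserver.config file.
function Get-SsrsAuthState {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,  # path to rsreportserver.config
        [string[]]$SpnLines = @(),                  # output of: setspn -l <account>
        [string]$Fqdn                               # report server FQDN
    )
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $cfg.SelectSingleNode('/Configuration/Authentication/AuthenticationTypes')
    if (-not $node) { throw "No <AuthenticationTypes> element in $ConfigPath" }
    # Element names under <AuthenticationTypes>, e.g. RSWindowsNTLM, RSWindowsNegotiate
    $types = @($node.ChildNodes | Where-Object NodeType -eq 'Element' | ForEach-Object Name)
    # setspn -l lists one SPN per indented line; compare case-insensitively
    $hasSpn = [bool]($SpnLines | Where-Object { $_.Trim() -ieq "http/$Fqdn" })
    [pscustomobject]@{
        AuthenticationTypes = $types
        NegotiateEnabled    = $types -contains 'RSWindowsNegotiate'
        NtlmOnly            = ($types.Count -gt 0) -and -not ($types | Where-Object { $_ -ne 'RSWindowsNTLM' })
        HttpSpnRegistered   = $hasSpn
    }
}

# Constructed sample: a config that has been reset to NTLM only.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'rsreportserver.sample.config'
@'
<Configuration>
  <Authentication>
    <AuthenticationTypes>
      <RSWindowsNTLM/>
    </AuthenticationTypes>
  </Authentication>
</Configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

# Constructed setspn -l output for a hypothetical account CONTOSO\svc-ssrs.
$spn = @(
    'Registered ServicePrincipalNames for CN=svc-ssrs,OU=Service,DC=contoso,DC=com:',
    "`thttp/ssrs01.contoso.com"
)

Get-SsrsAuthState -ConfigPath $sample -SpnLines $spn -Fqdn 'ssrs01.contoso.com'
```

On a real report server, pass `$RSInfo.PathName` as -ConfigPath and the output of `setspn -l $RSInfo.WindowsServiceIdentityActual` as -SpnLines, using the `$RSInfo` object from the scripts above.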
