First published on TECHNET on Jan 29, 2019
Hello, my name is Richard McIver and I'm a Premier Field Engineer with Microsoft specializing in System Center Configuration Manager.
I was recently working with a customer who suddenly started receiving a strange KDC error when attempting to run Configuration Manager reports from either within the Administration Console or the Reporting Services web portal. It took quite a bit of troubleshooting to isolate the root cause, so I'd just like to share our findings and resolution steps.
When running Configuration Manager reports that rely on Role Based Access Control (RBAC), SQL Server Reporting Services (SSRS) will attempt to communicate with Active Directory via Kerberos authentication to resolve the Security Identifier (SID) of the user.
However, when this customer attempted to run reports with RBAC embedded, the following error was displayed and the report failed to load.
The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: The encryption type requested is not supported by the KDC. (rsRuntimeErrorInExpression)
The customer environment was SQL Server 2016 Reporting Services running on Windows Server 2012 R2; however, I've since been able to replicate this issue on Windows Server 2016 as well.
We eventually traced the root cause to a security policy setting on the reporting point server that had recently been configured via a domain Group Policy Object (GPO).
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos: AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types selected
As configured, this setting has the effect of limiting the encryption types allowed for Kerberos authentication from the reporting point server to only AES128, AES256, and Future encryption types.
However, the service account used by the SQL Reporting Services service was not properly configured to support these algorithms. Instead, SSRS was attempting to authenticate using the RC4 encryption type, which is no longer allowed on the server, resulting in the KDC error.
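The mismatch described above can be seen by decoding the two bitmasks involved: the host policy value and the service account's msDS-SupportedEncryptionTypes attribute. The PowerShell below is an added example, not part of the original post; the function names, the account name svc-ssrs and the sample values are hypothetical, and treating an unset account attribute as RC4 only is an assumption that matches this scenario.

```powershell
# Added example. Bit flags used by both the host policy value
# (SupportedEncryptionTypes) and the account attribute msDS-SupportedEncryptionTypes.
$EType = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
}

function ConvertTo-ETypeName {
    param([int]$Mask)
    # Return the names of the named encryption types set in the mask.
    @($EType.GetEnumerator() | Where-Object { $Mask -band $_.Value } | ForEach-Object { $_.Key })
}

function Test-KerberosETypeOverlap {
    param([int]$HostPolicy, [int]$AccountETypes)
    # Assumption: an account whose attribute is unset (0) is treated as RC4 only,
    # which is the behaviour seen in the scenario described in this post.
    if ($AccountETypes -eq 0) { $AccountETypes = $EType['RC4_HMAC_MD5'] }
    # Mask 0x1F keeps the five named types and ignores the "Future" bits.
    $common = $HostPolicy -band $AccountETypes -band 0x1F
    [pscustomobject]@{
        HostAllows     = (ConvertTo-ETypeName $HostPolicy) -join ', '
        AccountEnables = (ConvertTo-ETypeName $AccountETypes) -join ', '
        Common         = (ConvertTo-ETypeName $common) -join ', '
        Mismatch       = ($common -eq 0)
    }
}

# On a live system the two inputs would come from (svc-ssrs is a hypothetical name):
#   (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters').SupportedEncryptionTypes
#   (Get-ADUser svc-ssrs -Properties msDS-SupportedEncryptionTypes).'msDS-SupportedEncryptionTypes'

# Constructed sample values.
$policy = 0x7FFFFFF8   # AES128 + AES256 + Future encryption types
Test-KerberosETypeOverlap -HostPolicy $policy -AccountETypes 0      # attribute not set
Test-KerberosETypeOverlap -HostPolicy $policy -AccountETypes 0x18   # AES128 + AES256 enabled
```

Mismatch is True when the host policy and the account share no named encryption type, which is the condition that produced the KDC error here.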
In this case, the error can be resolved in one of two ways.
Steps to enable AES encryption for the SQL Reporting Services service account
Method 1 - Local Security Policy
Method 2 - Group Policy Object (GPO)
And that's about it for now… Hopefully this helps you out, and thanks for reading!