Configure Reporting Services to Use a Subject Alternative Name


Applies To: SQL Server 2016

This topic explains how to configure Reporting Services (SSRS) to use a subject alternative name (SAN) by modifying the rsreportserver.config file and using the Netsh.exe tool.

Applies to:  Reporting Services Native mode

The instructions apply to the Reporting Service URL as well as a Web Service URL.

To use a SAN, the SSL certificate must be registered on the server, signed, and have the private key. You cannot use a self-signed certificate

URLs in Reporting Services can be configured to use an SSL certificate. A certificate normally has just a subject name, which allows only one URL for an SSL (Secure Sockets Layer) session. The SAN is an additional field in the certificate that allows an SSL service to listen and be valid for many URLs, and to share the SSL port with other applications. The SAN looks something like the following:

For more information about SSL settings for Reporting Services, see Configure SSL Connections on a Native Mode Report Server.

Configure SSRS to use a subject alternative name for Web Service URL

  1. Start Reporting Services Configuration Manager.

    For more information, see Reporting Services Configuration Manager (Native Mode).

  2. On the Web Service URL page, select an SSL port and SSL Certificate.

    Reporting Services Configuration Manager

    The configuration manager registers the SSL certificate for the port.

  3. Open the rsreportserver.config file.

    For SSRS Native mode, the file is located by default in the following folder.

    \Program Files\Microsoft SQL Server\MSRS11.MSSQLSERVER\Reporting Services\ReportServer  
  4. Copy the URL section for the Report Server Web Service application.

    For example, the following is the original URL section.

         <AccountName>NT Authority\NetworkService</AccountName>  

    The following is the modified URL section.

         <AccountName>NT Authority\NetworkService</AccountName>  
         <AccountName>NT Authority\NetworkService</AccountName>  
  5. Save the rsreportserver.config file.

  6. Start a command prompt as an administrator, and run the Netsh.exe tool.

  7. Switch to the http context by typing the following.

  8. Show the existing urlacls by typing the following.

    Netsh http>show urlacl  

    An entry such as the following appears.

    Reserved URL            : https://  
        User: NT SERVICE\ReportServer  
            Listen: Yes  
            Delegate: No  
            SDDL: D:(A;;GX;;;S-1-5-80-1234567890-123456789-123456789-123456789-1234567890)  

    An urlacl is a DACL (Discretionary Access Control List) for a reserved URL.

  9. Create a new entry for the subject alternative name, with the same user and SDDL as the existing entry, by typing the following.

    netsh http>add urlacl  url=    
    user="NT Service\ReportServer" sddl=D:(A;;GX;;;S-1-5-80-1234567980-12346579-123456789-123456789-1234567890)  
  10. On the Report Server Status page of the Reporting Services Configuration Manager, Click Stop and then click Start to restart the report server.

RsReportServer.config Configuration File
Reporting Services Configuration Manager (Native Mode)
Modify a Reporting Services Configuration File (RSreportserver.config)
Configure Report Server URLs (SSRS Configuration Manager)

Community Additions