Left with 0 client certificates to choose from when moving SSRS service to TLS 1.2

Question

Environment:

Reporting Services running on a SQL Server 2008 R2 SP3 installation on a Windows 2008 server with .Net 4.6.1 installed and .Net 3.5 enabled as feature. IIS, database and reporting service all in the local machine (custom login URL in a different machine but seems that this is unrelated).

Changes done:

Due to security reasons we are force to move to TLS 1.2 so we did with IISCrypto enabling just TLS 1.2

Outcome:

From this moment we get an error only when trying to access the Report Management site:

The underlying connection was closed: An unexpected error occurred on a receive

On the SSRS logs we can see the following exception:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

Enabling traces on the .Net Framework I found the following messages:

 System.Net Information: 0 : [4996] SecureChannel#40644060::.ctor(hostname=localurl,#clientCertificates=0)
 System.Net Information: 0 : [4996] Enumerating security packages:
 System.Net Information: 0 : [4996]     Negotiate
 System.Net Information: 0 : [4996]     Kerberos
 System.Net Information: 0 : [4996]     NTLM
 System.Net Information: 0 : [4996]     Schannel
 System.Net Information: 0 : [4996]     Microsoft Unified Security Protocol Provider
 System.Net Information: 0 : [4996]     WDigest
 System.Net Information: 0 : [4996]     DPA
 System.Net Information: 0 : [4996]     Digest
 System.Net Information: 0 : [4996]     MSN
 System.Net Information: 0 : [4996]     PWDSSP
 System.Net Information: 0 : [4996] SecureChannel#40644060 - Left with 0 client certificates to choose from.

Things already checked:

The certificate in use is still valid and it's signature chain is placed in the proper "Intermediate" and "Root" stores.

Running the Application Pool as an administrator does not help.

Using a custom signed certificate generated from IIS does not help.

Important: The issue only happens on the Reporting Services Management site, the reports work fine

Next Steps

Any ideas on what else to try? Is there a way to know why the security packages where not selected?

have you found a solution? I'm facing a similar problem – chester89 Nov 15 '18 at 08:44 — chester89, Nov 15 '18 at 08:44
No, the solution was to change to a newer version, sorry. – Ignacio Soler Garcia Nov 19 '18 at 15:16 — Ignacio Soler Garcia, Nov 19 '18 at 15:16
Newer version of .NET? You mean 4.7.x? – chester89 Nov 20 '18 at 06:16 — chester89, Nov 20 '18 at 06:16
No, a newer version of the SSRS server. – Ignacio Soler Garcia Nov 20 '18 at 16:48 — Ignacio Soler Garcia, Nov 20 '18 at 16:48

Left with 0 client certificates to choose from when moving SSRS service to TLS 1.2

0 Answers0