When attempting to back up the key, within Reporting Services Configuration Manager, it fails and provides a less than helpful error message.
As part of an upgrade (from SQL Server 2012 to SQL Server 2017) I discovered that the installation of SQL Server 2017 will remove SQL Server Reporting Services (SSRS). SSRS is now a separate installation, much like SQL Server Management Studio (SSMS).
The SQL 2017 upgrade process advises you to backup your current SSRS encryption key, which can then be used when you install the new SSRS software and will recover the existing SSRS reports and setting.
However, in my case this produced an error message. The solution was quite simple, but with so many things in the world of IT – it is only simple once you find out what it is.
Reporting Services Configuration Manager
First of all – load the ‘Reporting Service Configuration Manager’ and select the ‘Encryption Keys’ option from the menu:
Figure 1: SSRS Configuration Manager
Pressing the ‘Backup’ button will produce a dialog screen that requires a filename and location, as well as a password to use, in order to secure this file. This password is not the password that the certificate might have been created with; it is a new password that is just used to secure this backup file.
Figure 2: Specifying the filename and associated password
Pressing the ‘OK’ button didn’t produce an immediate, helpful error message, but at the bottom of the screen a red cross and the message ‘Creating Encryption Key Backup’ was shown.
Clicking on the link ‘Tell me more about the problem and how to resolve it’, certainly tells you more about the issue, but gives no details on how to resolve it
Figure 3: Error Message
The full error text is:
“Microsoft.ReportingServices.WmiProvider.WMIProviderException: Exception from HRESULT: 0x800708C5
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.BackupEncryptionKey(Byte& encryptedBytes, SecureString password)
at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.BackupEncryptionKey(Byte& encryptedBytes, SecureString password)”.
Although not the most helpful message, it does make several references to ‘password’ – so there is something about the password that it doesn’t like.
The exception code of ‘0x800708C5’ is a fairly general code that doesn’t really help.
Several articles pointed to an issue with the supplied password. Effectively the password does not match the password requirements of the Windows environment. However, I tried this method on out live servers, with the same password, and it worked perfectly well. So I assumed that the password requirements would be the same (or stronger) for the live environment than they would be for the development environment that I was currently playing with.
To quote one of the favourite movies of my wife – big mistake, huge mistake.
One article suggested switching off the password validation requirements for the server, long enough to work around this issue. So, before I made this request from our support people, I thought I had better look at the password policy, so it at least looked like I knew what I was talking about.
Finding the Windows Password Policy
Even if you don’t have the required permissions to change the password policy, you might well be able to see what they are.
From the ‘Run’ command – type either gpedit.msc or secpol.msc and press enter, which will launch the Group Policy Editor.
Once that loads, go to ‘Security Settings’ and then ‘Account Policies’ and then ‘Password Policy’. This screen shows what are the password requirements are for this Windows installation.
From this screen you can see the ‘Password must meet complexity requirements’ option is enabled. The interesting information for my issue, is that the ‘Minimum password length’ is 12 characters, whereas in my live environment it is 8 characters. So, my 8 character password worked fine in live but failed here.
Once I changed my password to 12 characters (including the other usual complexity requirements – upper/lower case/numeric/special character) it worked perfectly fine.