In most areas of Configuration Manager and the larger internet, we often hear about using SSL/TLS. One area where I rarely hear it talked about is reporting. This strikes me as odd. If the information is sensitive between the endpoint and the Management Point (MP), why would the same information not be sensitive from the Reporting Point (RP) to the browser?
Luckily, it is easy to extend your PKI setup to cover SQL Server Reporting Services (SSRS) and PowerBI Server Reporting Services (PBIRS) with only a couple of tweaks.
For enabling PKI, even if I am not going all in and moving to HTTPS MPs/DPs, I follow the example guide in the Configuration Manager Documentation.
Where I change from the example is when requesting the certificate for the server that hosts the RP. When requesting this cert, it is necessary to define the Common Name (CN) as the hostname of the server and to define two DNS entries for the Subject Alternative Names (SAN): one for just the hostname and one for the FQDN. The example document does not define a CN and only defines the FQDN as a SAN.
Requesting the certificate:
1. Open MMC.exe and add the Certificates snap-in for the local computer
2. In the Personal certificate store, right click and choose All Tasks > Request New Certificate
3. Click Next until you get to the page to choose a template
4. Choose the template that you issued for ConfigMgr Web Servers then click the link below to enter additional information.
5. On the page that opens, enter the server’s hostname as the “Common Name” and again as a DNS Alternative Name. Then add the server’s FQDN as an additional DNS Alternative Name.
6. Click to the General tab and enter a Friendly Name so you can easily ID the certificate once issued. Click OK.
7. Back at the main wizard, click Enroll and you should get the certificate issued.
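To confirm the issued certificate carries the names described above before binding it, the following PowerShell check inspects the local computer's Personal store. It is an added example, not part of the original post: the function name `Test-ReportingCertNames` is hypothetical, the hostname and FQDN defaults are assumed to come from the local machine, and the `DNS Name=` label assumes an English-language Windows install.

```powershell
# Added example (not from the original post): report, for each certificate in
# the local computer's Personal store, whether it has CN = hostname and SAN DNS
# entries for both the hostname and the FQDN.
function Test-ReportingCertNames {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: the RP server's names are those of the machine running the check.
        [string]$HostName = $env:COMPUTERNAME,
        [string]$Fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    )
    process {
        # Common Name taken literally from the subject; $null when no CN was set.
        $cn = if ($Certificate.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() }

        # DNS entries from the Subject Alternative Name extension (OID 2.5.29.17).
        # Assumption: the formatted label is "DNS Name=" (English-language Windows).
        $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanDns = @()
        if ($sanExt) {
            $sanDns = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
            })
        }

        # String comparisons in PowerShell are case-insensitive, as DNS names are.
        [pscustomobject]@{
            Thumbprint    = $Certificate.Thumbprint
            FriendlyName  = $Certificate.FriendlyName
            CnIsHostName  = ($cn -eq $HostName)
            SanHasHost    = ($sanDns -contains $HostName)
            SanHasFqdn    = ($sanDns -contains $Fqdn)
            HasPrivateKey = $Certificate.HasPrivateKey
            NotExpired    = ($Certificate.NotAfter -gt (Get-Date))
        }
    }
}

# Run in an elevated session on the server that hosts the RP.
Get-ChildItem Cert:\LocalMachine\My | Test-ReportingCertNames | Format-Table -AutoSize
```

A certificate with `CnIsHostName` set to False is the case that will be missing from the HTTPS certificate drop-down in the Report Server Configuration Manager.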
Setting IIS to use the new certificate:
1. Open the IIS Management Console
2. Click to the Default Web Site, then click Bindings
3. In the site bindings add/edit the https binding
4. Choose the certificate issued earlier, then click OK, then Close
5. Now repeat the same steps for the WSUS Administration Web Site
Setting SSRS/PBIRS to Native Mode:
1. Open the Report Server Configuration Manager and connect to SSRS/PBIRS, then click to the Web Service URL tab.
2. In the drop-down for HTTPS certificate, choose the certificate issued earlier.
NOTE: If you forgot to enter the Common Name, this is where the issue will haunt you, as the certificate will not be an option in the drop-down.
3. Watch the settings get applied. You may see a certificate reservation error happen, then it will succeed on the retry.
4. When the process is complete, you will likely get a popup error, which can be ignored and dismissed.
5. Click to the Web Portal URL tab
6. Click the Advanced button and a new popup will open
7. Add two HTTPS identities, one for All IPv4 and one for All IPv6
8. Click OK and the changes will apply. You will now see the additional URL listed.
You can now test the SSRS/PBIRS portal in HTTPS and it should load with no errors.