SQL Server Reporting Services cannot decrypt configuration following a switchover




This knowledge base article provides details and workaround procedure for the following issue: Reporting Services (SSRS) fails to decrypt the configuration information following a Neverfail Engine switchover operation.



After a Neverfail Engine switchover, the Reporting Service fails to decrypt configuration information and fails with the following:

Error: The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Keyset does not exist (Exception from HRESULT: 0x80090016) 



The SSRS logon account RSA keys are not the same across the all servers in the cluster, but, in the same time the SSRS Symmetric key is replicated by SQL Server Plugin, so they don't match anymore. 



1) Assure that SSRS service logon account is the same on both servers. 

2) Add an inclusion file filter for the RSA key corresponding to the service logon account. Depending on the logon account type, this should be done as follow:

ReportServer / Virtual Service Account: 

  • C:\Users\ReportServer\AppData\Roaming\Microsoft\Crypto\RSA\**
  • C:\Users\ReportServer\AppData\Roaming\Microsoft\Protect\** 

Domain and local accounts:

  • C:\Users\<SERVICEACCOUNT>\AppData\Roaming\Microsoft\Crypto\RSA\** 

Local System:

  • C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\**

Network Service:

  • C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Crypto\RSA\1-5-20\**


Applies to

Neverfail for SQL Server Plugin up to and including v201.5.12

0 out of 0 found this helpful



Please sign in to leave a comment.