March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early bird discount ends December 31.
Register NowBe one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now
On one of our PBIRS servers, the SSL certificate expired. We installed a new certificate, switched the bindings for Web Portal & Web Service to point to the new certificate and removed the old one, but now we are encountering problems when accessing any report via the portal.
This is the error message:
In our log file we have this message, corresponding to when someone clicks a report:
2023-07-12 14:51:36.7074|ERROR|12|OData exception occurred: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest, Boolean renegotiation)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)
--- End of inner exception stack trace ---
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.ReportingServices.Portal.ODataWebApi.Utils.PbixReportHelper.ShouldReShred(PowerBIReport entity, Uri basePortalUrl, ILogger logger, IPrincipal userPrincipal, String reportServerHostName)
at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetItem(String key)
at Microsoft.ReportingServices.Portal.ODataWebApi.Common.CatalogItemControllerHelper`1.GetAllowedActions(String Id)
at Microsoft.ReportingServices.Portal.ODataWebApi.V2.Controllers.PowerBIReportsController.GetAllowedActions(String Id)
at lambda_method(Closure , Object , Object[] )
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ActionExecutor.<>c__DisplayClass6_2.<GetExecutor>b__2(Object instance, Object[] methodParameters)
at System.Web.Http.Controllers.ReflectedHttpActionDescriptor.ExecuteAsync(HttpControllerContext controllerContext, IDictionary`2 arguments, CancellationToken cancellationToken)
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ApiControllerActionInvoker.<InvokeActionAsyncCore>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ActionFilterResult.<ExecuteAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext().| RequestID = s_34e542e5-abf2-4042-984b-76dedbf4432c
We were running the Jan 2023 version of PBIRS, and tried upgrading to May 2023 to resolve, but the problem remains.
Any suggestions for fixing this are appreciated.
Try to remove the following registry if you have problems during startup key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
Then you can proceed with certificate binding.
(BTW my latest posts seems to be deleted, so I try his one with a different wording)
My steps are a little different:
To repair a damaged installation this should help:
If you remove TLS bindings for Reporting Services using the Report Server Configuration Manager, TLS may no longer work for Web sites on a server that is running Internet Information Services (IIS) or on another HTTP.SYS server. Reporting Services Configuration Manager removes the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443 When this registry key is removed, the TLS binding for IIS is also removed.
The error message indicates that there's an issue with the SSL/TLS certificate validation when establishing the connection to the PBIRS server. This can happen if the new SSL certificate is not trusted or if there are certificate chain issues.
Here are some steps you can take to troubleshoot and resolve the issue:
Verify SSL Certificate Installation: Double-check that the new SSL certificate is installed correctly on the PBIRS server. Ensure that the certificate is valid, not expired, and matches the server's hostname.
Check Certificate Chain: Make sure that the SSL certificate chain is configured correctly. The certificate chain should include all necessary intermediate and root certificates to establish trust. You can use tools like OpenSSL to inspect the certificate chain.
Ensure Proper Binding: Verify that the new SSL certificate is properly bound to the PBIRS website in IIS. Check the bindings for both the Web Portal and Web Service endpoints to ensure they are using the correct SSL certificate.
Update Trusted Root Certificates: Ensure that the client machine accessing the PBIRS server has the updated trusted root certificates. Sometimes, outdated root certificates can cause SSL/TLS validation errors. You may need to update the root certificates on the client machine.
Check Firewall and Proxy Settings: Make sure that there are no firewall or proxy settings blocking the SSL/TLS connection between the client and the PBIRS server. Ensure that the necessary ports (e.g., 443 for HTTPS) are open and accessible.
Review TLS Configuration: Verify the TLS configuration on the PBIRS server and client machines. Ensure that both are configured to use a compatible version of TLS (e.g., TLS 1.2) and that any deprecated versions (e.g., SSL 3.0) are disabled.
Enable Detailed Error Logging: Increase the logging level for PBIRS to capture more detailed error messages. This can help identify the specific cause of the SSL/TLS validation error.
Consult IT Security: If you're still unable to resolve the issue, consider consulting your organization's IT security team or a qualified SSL/TLS certificate expert for further assistance. They may be able to provide additional insights or guidance on resolving certificate-related issues.
Did I answer your question? Mark my post as a solution! Appreciate your Kudos !!
Hi, I have verified the SSL certificate, certificate chain, and the binding. The issue that I am running into is only occurring with Power BI reports. I am able to open SSRS reports/etc without any issues. It's also only occurring when viewing the site using HTTPS. If I use HTTP, I am able to open Power BI reports with no issues. I tested accessing both the /Reports and /ReportServer URLs and I can see that they both use the new SSL certificate. It looks like the service that PBIRS uses to display the Power BI reports is still holding on to the old (expired) certificate for some reason.
have you restarted that service/server ?
Yes, I did restart both the service and server multiple times. I even uninstalled, rebooted the server, re-installed and still ran into the same issue. I have since managed to resolve the issue, although I'm not sure what the fix exactly was. I was trying a few things and I added a host header on the HTTP binding. I'm not sure why exactly that would have changed anything, but since I did that, I no longer get the error that I was getting before (The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.)
Did you ever resolve this issue? We are seeing the same behavior after our SSL certificate expired and we renewed/replaced it.
Yes, I resolved the issue by uninstalling PBIRS and then reinstalling it.
You can raise an issue at https://community.fabric.microsoft.com/t5/Issues/idb-p/Issues . If you have a Pro license you can consider raising a Pro ticket at https://admin.powerplatform.microsoft.com/newsupportticket/powerbi
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!
Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.
Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.
User | Count |
---|---|
2 | |
2 | |
2 | |
1 | |
1 |
User | Count |
---|---|
5 | |
4 | |
3 | |
3 | |
3 |