SSRS Service Account Change: People will have confusion regarding SSRS service account like, #1) what happens if we directly change the SSRS/PBIRS service account? #2) Can we reset the password for existing service account? In this article I we will see how to achieve this above 2 points?
Problem?
We were recently asked to change the service account OR reset the current password of service account for the SQL Server Reporting Services to a new account. We needed to use a new account because it would be specific to this instance only. The service account we used before was general for all production SQL Server instances which we wanted to do away with it. Click here to get more info.
Below error message occurs when you changed the service account and start the SSRS server. I have changed the service account password from DOMAIN level and after that when I start the SSRS server I am getting this below error message.
Sol: SSRS Service Account Change?
To change the Service Account or change password of service account for the Microsoft SQL Server Reporting Services (SSRS), these steps must be followed:
- Click Site Settings and Folder Settings on the Home Page of SSRS and ensure that the New Service Account is given the appropriate role. (Not applicable if you are just changing the password)
- Make sure that New Service Account has access to Data Sources. (Not applicable if you are just changing the password)
- On SQL Server level, the new Service Account must have RSExecRole in ReportServer and ReportServerTempDB databases. (Not applicable if you are just changing the password)
- Carry out a full backup of all databases as well as ReportServer and ReportServerTempDB database on SSRS SQL Server instance.
- Create a backup for the Encryption Key by following these steps:
Create Backup of Reporting Services Encryption Keys?
Step 1: Open Reporting Services Configuration Manager in your server.
Step 2: Click on Encryption Keys as seen below:
Step 3: On the right-hand side, click the Backup button which will open up a new window where you can specify location and name for your encryption key backup file. The file extension for this will be *.snk.
Step 4: Provide a password to the file containing the encryption key. Then, click OK.
Step 5: A backup is made for the Encryption Key as follows.
Step 6: Inside of Reporting Services Configuration Manager go to Service Account as shown below.
Step 7: Enter new Service Account and Password OR use the password if you have changed then click Apply button. When you hit Apply button, the system will automatically backup the Encryption Key change the Service Account and then Restore the Encryption Key.
Note: In my case I am using the same service account, but I have changed the password for my service account so I will use the same account but this time with updated password.
Step 9: Go to services.msc to cross check the updated service account and restart SQL Server Reporting Services (SSRS) service from there itself.
Step 10: Open SSRS Home Page, if Folders and Reports are displayed properly it means everything went well. When Folders are displayed properly on the SSRS Home page then it has successfully done.
Step 11: Go into Folders on Homepage and make sure there are Reports inside without asking Username & Password. If they are present, then everything went fine.
The system automatically stores and recovers the key used for encryption, but it may fail sometimes. In such instances, we will have to restore the backed-up keys manually which are shown below because this is why a backup was made at the beginning of this tip.
Manually restoring Reporting Services encryption keys
Step 1: If you need to restore encryption keys through Reporting Services Configuration Manager then go into Encryption Keys and hit Restore as seen in the screenshot below.
Step 2: It looks like there is a new window opening. Please, fill in the File Location of the Encryption Key together with the Password. The password has to be the one which was selected during its creation.
Step 3: After you have done with the previous step, restart the SQL Server Reporting Services service. If everything is done properly there should be no problems with any reports showing up.
Step 4: It happens sometimes that SSRS reports writes their data to some specific place. Before making any changes be sure that your new Service Account has necessary access rights for that particular file location.
Caution: Problems May Occurs?
- Might the encryption fail or get corrupted if you directly change the service account?
- Could be that the SSRS or PBIRS will stop working/even start sometimes.
- Don’t manually change the encrypted data from the encryption key because no matter what changes you make the SSRS/PBIRS will not accept that.
- Changing password of service account will not affects Kerberos setup.
- Sometimes changing the password for service account may not authenticate to SQL Server, so you have re-add the service account to SQL Server.
- Sometimes you will get this kind of error “The report server cannot decrypt the symmetric key that is used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. (rsReportServerDisabled)”
- All the above 6 point is completely normal, and it is very rare. But you should make sure that you are not on old SSRS/PBIRS build, if you are in new version of SSRS 2019, 2022 and later then you can directly change the service account but please take backup for future proof and if something goes wrong!