Report Server Load balanced issue with one server while accessing https:

  • PJ_SQL

    SSCertifiable

    Points: 6618

    We have 2 servers which are load balanced. When the reporting service is stopped on server1, the https URL is still accessible.

    But when the service on server 2 is stopped and we try to access the URL, we are getting the error message "cannot connect securely on this page, this might be because the site uses outdated TLS security settings".

    "netsh http show sslcert" shows 1 certificate on server1 and 2 certificates on server2.

    Thanks in advance.

  • Jeff Moden

    SSC Guru

    Points: 997364

    I have to ask, why do you think it's a problem to generate the error when the service is stopped?

    Anyway, the one server that produces the error may have TLS 1.0 or 1.1 while the one that does not will likely have TLS 1.2 installed.  Check the TLS installation.  They should both be at 1.2 and 1.0/1.1 should be disabled or, better yet, uninstalled.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.
    "Change is inevitable... change for the better is not".
    "Dear Lord... I'm a DBA so please give me patience because, if you give me strength, I'm going to need bail money too!"

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • PJ_SQL

    SSCertifiable

    Points: 6618

    Because it is a load balancer, the URL should be accessible when either of the services/servers is online.

    Both servers have only TLS 1.2 enabled.

  • Jeff Moden

    SSC Guru

    Points: 997364

    Ah... I thought you were just talking about the individual servers.

    If both servers are at TLS 1.2, then I don't have another idea (well, unless 1.0/1.1 is still "available" on the servers despite being at 1.2).  Hopefully, someone more well versed on the subject will come along to help.

     

    --Jeff Moden



  • Jeffrey Williams

    SSC Guru

    Points: 88712

    Are you sure the load balancing is actually routing to both servers?

    How are you load balancing - is it through Netscaler, F5 or something else and are both servers up and available in the load balancer?

    Check the certificates on each server - do they have the same FQDN entry?  Do they have any SAN entries and are those valid - and are they being referenced appropriately when you access the system?  Are they still valid - not expired?

    Is the load balancer setup with SSL bypass?  Or is it configured as SSL->SSL which requires the certificate to be installed on the load balancer in addition to being installed on the servers?

    Are both servers configured with the same URL and do both have the same SSL certificate assigned?

    Can you route directly to each server - bypassing the load balancer without any issues?

     

    Jeffrey Williams
    Problems are opportunities brilliantly disguised as insurmountable obstacles.

    How to post questions to get better answers faster
    Managing Transaction Logs

  • PJ_SQL

    SSCertifiable

    Points: 6618

    Load balancing is done through F5 and it is working, as I am able to get the http:// URL when either of the reporting services is stopped.

    Only when I try to access the secured site https:// do I get the error, when the service on server2 is stopped.

    I ran the command "netsh http show sslcert"; it shows 1 certificate on server1 and 2 certificates on server2.

    Could this be the issue?

  • david.edwards 76768

    Ten Centuries

    Points: 1105

    Disclaimer: I am not a networking/security person and have about 2 minutes free to throw this in: We had a slightly similar problem with the web front end to a DMS, Kemp support said it was due to the Layer7 persistence method used.

    This article /might/ help you (Section 4.4):

    https://support.kemptechnologies.com/hc/en-us/articles/204373265-Kemp-LoadMaster#MadCap_TOC_11_1

    Update: now I have a couple more minutes. In our case it was due to token persistence: once the initial connection was made to one server, it was all good when the user was sent back to the same server; if they were sent to the other, it was not allowed. The way I read your post suggested that it /might/ be that things are not as balanced as you think, and in general you have good persistence, regardless of method used (and/or the balancer is directing all traffic to just the one server - can you check stats in the LB to be sure?).

    Anyway, I know the LB is a different make, but I guess the same concepts apply with regard to persistence and HTTPS.

     

    "Knowledge is of two kinds. We know a subject ourselves, or we know where we can find information upon it. When we enquire into any subject, the first thing we have to do is to know what books have treated of it. This leads us to look at catalogues, and at the backs of books in libraries."
    — Samuel Johnson

  • PJ_SQL

    SSCertifiable

    Points: 6618

    Http load balancer is working, but I am getting the error when I try to access the secured site https://; do you still think it could be something that needs to be checked on the load balancer side?

  • Jeffrey Williams

    SSC Guru

    Points: 88712

    PJ_SQL wrote:

    Http load balancer is working, but I am getting the error when I try to access the secured site https://; do you still think it could be something that needs to be checked on the load balancer side?

    It is a possibility - especially since it seems you are routing both HTTP and HTTPS.  With that said - verify the configuration of each SSRS server to make sure both have been set up to use the same certificate.

    You should also validate the certificates on each server - not just that they are loaded.  An SSL certificate will have a name - and could also have SANs (subject alternative names).  The name or SAN must be a FQDN that matches the URL defined in the SSRS configuration manager for the site name.

    You can define multiple URLs for the web portal and web service URL - and bind a different certificate to each URL or a single certificate with each 'address' included as a SAN to multiple URLs.

    Since you only have 1 certificate on server1 - it is possible that the missing certificate is related to the problem.

     

    Jeffrey Williams

  • PJ_SQL

    SSCertifiable

    Points: 6618

    Copied the same certificate to W1 as well; now both servers show the same 2 certificates.

     

  • Jeffrey Williams

    SSC Guru

    Points: 88712

    Just having the certificate on the server doesn't do anything - the certificate needs to be bound to an address.  Since SSRS uses its own internal web server - you need to configure the addresses in the SSRS configuration manager and bind (assign) one of the certificates to the specified address.

    Jeffrey Williams

  • PJ_SQL

    SSCertifiable

    Points: 6618

    In the certificate drop-down in the configuration manager, we have selected the available certificate.

  • Jeffrey Williams

    SSC Guru

    Points: 88712

    PJ_SQL wrote:

    In the certificate drop-down in the configuration manager, we have selected the available certificate.

    But is that the correct certificate?  Unless you open the certificate and verify the name (and SAN entries if they exist) you cannot be sure that certificate is the correct certificate for that URL and site.

    Jeffrey Williams

  • PJ_SQL

    SSCertifiable

    Points: 6618

    Executed this command at the command prompt and it looks the same:

    netsh http show sslcert

    Is there any other way to verify both servers have the same certificate?

    Thanks.

  • Jeffrey Williams

    SSC Guru

    Points: 88712

    First - you need to validate that each certificate is the same.  To do that - open the certificate and view the details.  In the details you need to look at the name and subject alternative names to see all the names associated with the certificate.

    Then - to confirm the bindings *** use SSRS configuration manager to identify each URL configured for the Web Service URL and the Web Portal URL ***

    Once you have verified that the correct URLs are set up and bound to the correct certificate, you can test each URL and verify it works.  However, to verify that your load balancer address actually works on that server you need to add an entry to the hosts file that redirects the local server IP address to the load balancer name.  You want to do this anyways as that will make sure any internal calls to the load balancer address stay local to that server.

    Once you have verified that each server works from the server - then you can test from your workstation.  On your workstation, add an entry to the hosts file for the load balancer name - using server1's IP address.  Test accessing https://{load balancer name}/Reports, then modify the hosts entry using server2's IP address.

    Once those are verified and working - remove the entry from the hosts file on your workstation and test through the load balancer.

     

    Jeffrey Williams
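
One way to compare the HTTPS bindings that `netsh http show sslcert` reports on the two servers, which is the check asked about in this thread (an added example, not code from any of the posters). The function names are hypothetical, the two netsh outputs are constructed samples, and English-language netsh output is assumed.

```powershell
# Added example: function names are hypothetical; the sample text is constructed.
function ConvertFrom-NetshSslCert {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $current }            # emit the previous binding
            $current = [pscustomobject]@{ Endpoint = $Matches[2]; Thumbprint = $null }
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-f]+)') {
            $current.Thumbprint = $Matches[1].ToUpper()
        }
    }
    if ($current) { $current }                    # emit the last binding
}

function Compare-SslBinding {
    param($Server1, $Server2)
    $map1 = @{}; foreach ($b in $Server1) { $map1[$b.Endpoint] = $b.Thumbprint }
    $map2 = @{}; foreach ($b in $Server2) { $map2[$b.Endpoint] = $b.Thumbprint }
    foreach ($ep in (@($map1.Keys) + @($map2.Keys) | Sort-Object -Unique)) {
        $status = if (-not $map1.ContainsKey($ep)) { 'MissingOnServer1'
        } elseif (-not $map2.ContainsKey($ep)) { 'MissingOnServer2'
        } elseif ($map1[$ep] -ne $map2[$ep]) { 'DifferentCertificate'
        } else { 'Match' }
        [pscustomobject]@{ Endpoint = $ep; Server1 = $map1[$ep]; Server2 = $map2[$ep]; Status = $status }
    }
}

# Constructed sample output, one capture per server (placeholder hashes and GUIDs).
$server1 = @'
SSL Certificate bindings:
-------------------------
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000001}
'@ -split '\r?\n'
$server2 = @'
SSL Certificate bindings:
-------------------------
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {00000000-0000-0000-0000-000000000001}
    IP:port                      : [::]:443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {00000000-0000-0000-0000-000000000001}
'@ -split '\r?\n'

Compare-SslBinding (ConvertFrom-NetshSslCert $server1) (ConvertFrom-NetshSslCert $server2) | Format-Table -AutoSize
```

On the real servers, pass the live output instead, for example `ConvertFrom-NetshSslCert (netsh http show sslcert)`. Each thumbprint can then be looked up under `Cert:\LocalMachine\My` to read the certificate's subject, SAN entries and expiry date.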

Viewing 15 posts - 1 through 15 (of 16 total)
