Configure SSL Connections on a Native Mode Report Server

Reporting Services Native mode uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have a certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate to a Reporting Services URL reservation to support report server connections through an encrypted channel.

Tip

If you are using Reporting Services SharePoint mode, see the SharePoint documentation for more information. For example, see How to enable SSL on a SharePoint 2010 web application (https://blogs.msdn.com/b/sowmyancs/archive/2010/02/12/how-to-enable-ssl-on-a-sharepoint-web-application.aspx).

Because Internet Information Services (IIS) also uses HTTP SSL, there are significant interoperability issues that you must account for if you run IIS and Reporting Services on the same computer. Be sure to review the Interoperability Issues with IIS section for guidance on how to address these issues.

Server Certificate Requirements

You must have a server certificate installed on the computer (client certificates are not supported). Reporting Services does not provide functionality for requesting, generating, downloading, or installing a certificate. Windows Server 2003 provides a Certificates snap-in that you can use to request a certificate from a trusted certificate authority.

For testing purposes, you can generate a certificate locally. If you use the MakeCert utility and the sample command as a template, be sure to specify your server name as the host and remove all line breaks before running the command. If you run the command in a DOS window, you might need to increase the buffer size of the window to accommodate the entire command.

If you are running IIS and Reporting Services together on the same computer, you can use the IIS Manager console application to get the certificate installed on your computer. IIS Manager includes options for creating and packaging a certificate request (.crt) file for subsequent processing by a trusted certificate authority. The certificate authority that you are using will generate a certificate (.cer) file and send it back to you. You can use the IIS Management console to install the certificate file in the local store. For more information, see Using SSL to Encrypt Confidential Data on TechNet.

Interoperability Issues with IIS

The presence of IIS on the same computer as Reporting Services will significantly affect SSL connections to a report server:

  • If IIS is installed, the World Wide Web (W3SVC) service must always be running. The HTTP SSL service will make a dependency on IIS if it detects that IIS is running. This means that the World Wide Web service (W3SVC) must be running whenever IIS and Reporting Services are installed on the same computer and you are configuring report server URLs for SSL connections.

  • Uninstalling IIS can temporarily disrupt service to an SSL-bound report server URL. For this reason, it is strongly recommended that you restart the computer after you uninstall IIS.

    Rebooting the computer is necessary to clear all SSL sessions from cache. Some operating systems cache SSL sessions up to 10 hours, causing an https:// URL to continue to work even after the SSL binding has been removed from the URL reservation in HTTP.SYS. Rebooting the computer closes any open connections that use the channel.

Bind SSL to a Reporting Services URL Reservation

The following steps do not include instructions for requesting, generating, downloading, or installing a certificate. You must have a certificate installed and available to use. The certificate properties that you specify, the certificate authority you obtain it from, and the tools and utilities you use to request and install the certificate are up to you.

You can use the Reporting Services Configuration tool to bind the certificate. If the certificate is installed correctly in the local computer store, the Reporting Services Configuration tool will detect it and display it in the SSL Certificates list on the Web Service URL and Report Manager URL pages.

To configure a report server URL for SSL

  1. Start the Reporting Services Configuration tool and connect to the report server.

  2. Click Web Service URL.

  3. Expand the list of SSL Certificates. Reporting Services detects server authentication certificates in the local store. If you installed a certificate and you do not see it in the list, you might need to restart the service. You can use the Stop and Start buttons on the Report Server Status page in the Reporting Services Configuration tool to restart the service.

  4. Select the certificate.

  5. Click Apply.

  6. Click the URL to verify it works.

Report server database configuration is a requirement for testing the URL. If you have not yet created the report server database, do so before testing the URL.

URL reservations for Report Manager and the Report Server Web service are configured independently. If you also want to configure Report Manager access through an SSL-encrypted channel, continue with the following steps:

  1. Click Report Manager URL.

  2. Click Advanced.

  3. In Multiple SSL Identities for Report Manager, click Add.

  4. Select the certificate, click OK, and then click Apply.

  5. Click the URL to verify it works.

How Certificate Bindings Are Stored

Certificate bindings will be stored in HTTP.SYS. A representation of the bindings you defined will also be stored in the URLReservations section of the RSReportServer.config file. The settings in the configuration file are only a representation of actual values that are specified elsewhere. Do not modify the values in the configuration file directly. The configuration settings will appear in the file only after you use the Reporting Services Configuration tool or the Report Server Windows Management Instrumentation (WMI) provider to bind a certificate.
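A read-only way to review what the URLReservations section represents, and to spot the case where the Report Server Web service and Report Manager did not both receive an SSL URL (the two are configured independently). This is an added example, not part of the original documentation; the element names (Application, Name, URLs, URL, UrlString), the application names and the host name are assumptions about the file layout, and the embedded XML is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from a real server); element names are assumed.
SAMPLE_CONFIG = """<Configuration>
  <URLReservations>
    <Application>
      <Name>ReportServerWebService</Name>
      <URLs>
        <URL><UrlString>http://+:80</UrlString></URL>
        <URL><UrlString>https://reports.example.test:443</UrlString></URL>
      </URLs>
    </Application>
    <Application>
      <Name>ReportManager</Name>
      <URLs>
        <URL><UrlString>http://+:80</UrlString></URL>
      </URLs>
    </Application>
  </URLReservations>
</Configuration>"""


def audit_url_reservations(config_xml):
    """Read-only audit: map each application to its reserved URLs by scheme."""
    root = ET.fromstring(config_xml)
    report = {}
    for app in root.iterfind(".//URLReservations/Application"):
        name = app.findtext("Name", default="(unnamed)").strip()
        schemes = {"http": [], "https": []}
        for node in app.iterfind("./URLs/URL/UrlString"):
            url = (node.text or "").strip()
            scheme = url.split("://", 1)[0].lower()
            if scheme in schemes:
                schemes[scheme].append(url)
        report[name] = schemes
    return report


def findings(report):
    """Flag applications with no SSL URL or with a plaintext URL still reserved."""
    out = []
    for name, s in sorted(report.items()):
        if not s["https"]:
            out.append((name, "no https reservation"))
        elif s["http"]:
            out.append((name, "http reservation remains alongside https"))
    return out


if __name__ == "__main__":
    print(findings(audit_url_reservations(SAMPLE_CONFIG)))
```

The script only reads the file content; any change to a binding still goes through the Reporting Services Configuration tool or the WMI provider.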

Note

If you configure a binding with an SSL certificate in Reporting Services and you later want to remove the certificate from the computer, make sure to remove the binding from Reporting Services before you remove the certificate from the computer. Otherwise, you will be unable to remove the binding by using the Reporting Services Configuration tool or WMI, and you will receive an "Invalid parameter" error. If you have already removed the certificate from the computer, you can use the Httpcfg.exe tool to remove the binding from HTTP.SYS. For more information about Httpcfg.exe, see the Windows product documentation.

SSL bindings are a shared resource in Microsoft Windows. Changes made by Reporting Services Configuration Manager or other tools like IIS Manager can impact other applications on the same computer. It is a best practice to edit bindings with the same tool that you used to create them. For example, if you created SSL bindings using Configuration Manager, then it is recommended that you use Configuration Manager to manage the life cycle of the bindings. If you use IIS Manager to create bindings, then it is recommended that you use IIS Manager to manage the life cycle of the bindings. If IIS is installed on the computer before Reporting Services is installed, it is a good practice to review the SSL configuration in IIS before configuring Reporting Services.

If you remove SSL bindings for Reporting Services using the Reporting Services Configuration Manager, SSL may no longer work for Web sites on a server that is running Internet Information Services (IIS) or on another HTTP.SYS server. Reporting Services Configuration Manager removes the following registry key. When this registry key is removed, the SSL binding for IIS is also removed. Without this binding, SSL is not provided for the HTTPS protocol. To diagnose this issue, use IIS Manager or the HTTPCFG.exe command line utility. To resolve the issue, restore the SSL binding for your Web sites using IIS Manager. To prevent this issue in the future, use IIS Manager to remove the SSL bindings and then use IIS Manager to restore the binding for the desired Web sites. For more information, see the knowledge base article SSL no longer works after you remove an SSL binding (https://support.microsoft.com/kb/956209/n).

See Also

Authentication with the Report Server
Configure and Administer a Report Server (SSRS Native Mode)
RSReportServer Configuration File
Reporting Services Configuration Manager (del)
Configure Report Server URLs (SSRS Configuration Manager)