Kerberos Configuration Manager updated for Reporting Services

Back in may, we released the Kerberos Configuration Manager tool to help with diagnosing and correcting Kerberos related issues for SQL Server.  Today, I’m happy to announce that version 2 of this tool has been released and has been updated for Reporting Services.  A lot of work went into this tool to get us to this point and the team that worked on it was awesome! You can download it from the following link:

Microsoft® Kerberos Configuration Manager for SQL Server®

Here is a look at what versions of Reporting Services are supported with this release of the

SQL RS Version Native Mode SharePoint Integrated Mode
2005 No support in v.2 No support in v.2
2008 Supported Supported
2008 R2 Supported Supported
2012 Supported No support in v.2

The tool does not add a shortcut to the Start Menu, so you will need to go to the directory of which it is installed to.  By default, this is C:\Program Files\Microsoft\Kerberos Configuration Manager for SQL Server.  There are a couple of things here that are pretty neat.  First is that you can decide whether to include SQL Server and Reporting Services instances in the list.  This comes in handy if you have several of both on the same server and you just care about one or the other.  Great for Dev and Test environments!


We will also show you the Mode of the Report Server that we discovered.  Native or SharePoint.


Common Problems


If you see the “Unauthorized” message under status, this just means that you didn’t start the tool with Admin rights.  Be sure to launch the tool with Admin rights.  The tool will not prompt automatically.


Kerberos not enabled

If you see the “Kerberos not enabled” message under status, this means that the rsreportserver.config doesn’t not have either RSWindowsNegotiate or RSWindowsKerberos in the Authentication Types. 


If you do want to use Kerberos with Reporting Services, which I’m assuming you do if you got this far, you will need to modify the rsreportserver.config to get past this.


For more information on this, check out one of my previous blogs on setting up Kerberos with Reporting Services.  It covers this.


If you happen to encounter something that I didn’t highlight above, you may be able to find additional information.  Each time you run the tool, we will create a log file.  The default location for this is the following:  C:\Users\<user>\AppData\Roaming\Microsoft\KerberosConfigMgr.

The details of the log file will be flushed when you close the program.  So, if it is blank, just close the tool and the log should populate.  You may also find some details in the Event Log under the Source “Kerberos Configuration Manager”.  If we encounter an error, it should be logged in the Application Event Log as well as the tool’s log file.



There are a few limitations that you will run into.  I wanted to walk through those so you are aware.

SharePoint Integrated Mode with RS 2012

Unfortunately this does not cover SharePoint Integrated mode with RS 2012.  This is true regardless of whether it is SharePoint 2010 or SharePoint 2012.  The reason for this was that it was a completely different approach with regards to discovery.  We still want to get this in as it is important, but for now it is not. 

Reporting Services 2005

For 2005, we had to make the same call as with SharePoint Integrated with RS 2012.  RS 2005 is a different architecture and would have caused us extra work to get the discovery in.  As such, we opted to not include RS 2005 with this tool.  Unfortunately, I don’t believe this will make it into the tool.

Multiple Domains

Right now, the tool will only work in a single domain scenario.  So, if you have the service installed in Domain A, but want to use a Service Account from Domain B, we won’t be able to discover and correct the issue appropriately.  As long as the machine the instance is in and the Service Account are in the same domain, you should be good to go.  This is true for Reporting Services and the SQL Server discovery.


We will discover the Delegation settings for the service account itself, but that is the extent of the Delegation checks that this tool will make for Reporting Services.  To determine if delegation is indeed configured correctly, we would need to crack all of the Data Sources.  This means not just the shared data sources, but any embedded data source within the RDL files.  That part did not make the cut for v2, but it is something we would like to include down the road.



I hope that you find this tool useful!  I’ll also point you back to an older blog post I created regarding my Kerberos Checklist to help you understand the different areas to consider when tracking down Kerberos issues.  As you can probably gather from this point, there is more that we want to do with this tool, so we aren’t done yet!  Stay tuned for future updates!

Adam W. Saxton | Microsoft SQL Server Escalation Services

Comments (13)

  1. Mbourgon says:

    Let me reiterate again my sincere gratitude for this tool. We were having Kerberos issues that was causing double hop problems on one of our servers, but our systems team couldn't be convinced there was a problem. However after I was able to show them the "pretty tool" that said exactly where the problem was, they had it fixed 15 minutes later. Thanks again!

  2. Matt Jones says:

    Mbourgon, that is awesome!!  We need to make sure more folks know about this tool!

    Matt Jones

    SSRS Tiger Dev

  3. says:

    Thanks a lot! It fixed my issues regarding SSRS problem that consistently asking credential. I've been looking for this for a while!

    Hochan Son

  4. Sree says:

    It is not working properly when I try to connect to Remote Servers 🙁

    When I look into Log, it says below…

    2/12/2014 12:51:03 PM Info: Connect to WMI, \MyServerNamerootcimv2

    2/12/2014 12:51:04 PM Error: Access of system information failed System.UnauthorizedAccessException: Access is denied.

    I provided a Local admin account on that Server. Any ideas what am I missing here?

  5. Neale Thomas says:

    For reporting services, what is the cause and remediation of the status event: Unable to access the Reporting Services information.  Verify the integrity of Reporting Services.

    There is a second instance on this server, with the same service account, that is reporting a status of Good.  Have not been able to find any articles on this pecurlar event.

    BTW.   thank-you for developing this utility, it has simplified our kerberos troubleshooting significantly.

  6. David P says:

    Will there be a new version soon that supports SQL 2014 ?

  7. Tim says:

    Just came across this tool. Very nice!  It doesn't appear to let me connect to a stand alone Reporting Services instance though unless SQL is installed on that server as well.  Any chance of adding that option in the future or am I missing something?

  8. says:

    I agree with MBourgon: This tool is very very useful! Thanks a lot!

    It has worked fine on many servers..

    But, I have a trouble when running it on our FastTrack servers. I run it locally on one node. CLick to "Connect" menu, then nothing & Click to "Connect" button.. It takes one minute & then fail;.. & Log is empty…

    It would be very nice for me to use it on this cluster…

    I have following message in system log:

    Faulting application name: KerberosConfigMgr.exe, version:, time stamp: 0x53865da3

    Faulting module name: KERNELBASE.dll, version: 6.1.7601.18409, time stamp: 0x5315a05a

    Exception code: 0xe0434352

  9. Rakesh Mishra says:


    I am trying to fix Kerberos issues with my RS installation. After running this tool I am getting message " Unable to access Reporting service server information Verify the integrity of reporting Server."

    RS is working fine. I am able to access the URL by host name, FQN and IP address. All 3 is working well.

    Can you please help me in solving the issue?



  10. Rakesh Mishra says:

    Following is the error in the log:

    3/10/2015 3:28:48 AM Info: Successfully connected to SQL RS WMI rootMicrosoftSqlServerReportServerRS_MSSQLSERVER

    3/10/2015 3:28:48 AM Error: Failed to get information from SQL RS WMI, declaring this IP unsupported. Connection string: rootMicrosoftSqlServerReportServerRS_MSSQLSERVER System.Management.ManagementException: Invalid class

      at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)

      at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()

      at KerberosCM.WMISQLHelper.TryAddReportingServicesInfoToInstance(ServiceInstance instance, String connectionString, String instanceID, SystemInfoErrorType& errorCondition)

  11. Luxus Chris says:


    you wanted to share my finding for SSRS 2012 on Win 2012 R2. Named SSRS instance.
    When you have the problem that you configured SSRS by the book and set the RS config to RSWindowsKerberos you can get a blank page when opening the URL.
    The Kerberos Configuration Manager tool shows “missing” for the HTTP SPN for the domain account of SSRS. However, I registered the SPN HTTP/FQDNofSSRS:80 and HTTP/FQDNofSSRS:443
    The problem seems to be that SSRS does expect HTTP/FQDNofSSRS without any port.


  12. mike says:

    When I use the tool for Reporting Services the status shows up as
    “Unable to access the Reporting Services information. Verify the integrity of Reporting Services.”

    I think I have reporting services configured and all accounts are running under different AD accounts.
    Google has not been a good friend on this.

  13. kiran says:

    Is there a new version for this tool to test SharePoint Integrated Mode with RS 2012

Skip to main content