Cerberus24 Posted Tuesday at 11:02 PM Report post Posted Tuesday at 11:02 PM Hi Anyweb, I’ve started noticing an issue with our SSRS reporting portal. When attempting to run certain reports, I receive the following error: “The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: A specified logon session does not exist. It may already have been terminated. (rsRuntimeErrorInExpression)” At the same time, I’m seeing the following entries in the sccmreporting.log on our SQL server (which also runs SSRS): 08/05/2025 17:11 EnableRbacReporting key exists. Value = 1 08/05/2025 17:11 A specified logon session does not exist. It may already have been terminated. The timestamps in the logs appear to align with the error, and based on similar reports I’ve read, these messages seem to be related. Some background on the setup: SQL Server and SSRS are running under a domain account (not a domain admin). The service account is a member of the Windows Authorization Access Group. The service account has read access to the Users container/OU in Active Directory. SSRS authentication is configured to use Windows Negotiate. The service account has SPNs correctly configured. The account is enabled for Kerberos AES encryption (128-bit and 256-bit) in Active Directory. The service account is configured for “Trust this user for delegation to any service (Kerberos only)” in AD. The SSRS shared data source is configured to use the service account credentials. All custom reports and default SCCM reports use the same shared data source. As a workaround, I disabled RBAC by setting the EnableRbacReporting registry key to 0 on the SSRS server. This resolved the issue and allowed the reports to run properly, effectively forcing SSRS to bypass RBAC. That makes me think the problem may be related to Kerberos authentication or token delegation in some way, but I'm unsure how to proceed further with troubleshooting it. Let me know if you've seen this before or have any guidance on what to look into next. Quote Share this post Link to post Share on other sites More sharing options...
Cerberus24 Posted 8 hours ago Report post Posted 8 hours ago Now, given that I am using a password for the shared data source. It should not be trying to delegate. At this point, I am not completely sure how to attack this issue. Any ideas would be greatly appreciated. Quote Share this post Link to post Share on other sites More sharing options...
Cerberus24 Posted 5 hours ago Report post Posted 5 hours ago Issue Resolved: SSRS Kerberos Authentication Failure Due to Protected Users Group I successfully resolved the above issue by removing the SSRS service account from the Protected Users security group. During the investigation, I uncovered several critical configuration requirements necessary for enabling Kerberos authentication with a domain-based service account in SSRS. Key Findings and Configuration Requirements: Windows Authorization Access Group The service account must be a member of the Windows Authorization Access Group to read token information (e.g., user attributes) required for Kerberos delegation. Read Access to Active Directory Objects The service account must have read permissions to the Active Directory users, OUs, and computers it attempts to authorize through SSRS. Account is Sensitive and Cannot Be Delegated This property must be disabled for the service account in Active Directory. Delegation Settings (Kerberos Only) The service account must be configured in Active Directory for "Kerberos only" delegation to specific services. Delegation should be strictly scoped to only the required services (If possible). Service Principal Name (SPN) Registration Proper SPNs must be registered for the SSRS service (e.g., HTTP/reportserver.domain.com, MSSQLSvc/reportserver.domain.com, MSSQLSvc/reportserver.domain.com:1433) under the service account. SSRS Configuration Settings SSRS was configured to use Kerberos only by setting the authentication mode appropriately in RSReportServer.config. ExtendedProtectionLevel was also enabled. This is optional but strongly recommended for environments with strict security requirements. References and Resources: Microsoft Docs – Reports Not Run as Expected Recast Software – Windows Authorization Access Group, SSRS, and SCCM Blake Drumm – How to Change Reporting to Use Kerberos Instead of NTLM Quote Share this post Link to post Share on other sites More sharing options...
