Reporting Services service doesn't start after the installation of MS12-070 security patch

If you are using Reporting Services and Integration Services and you noticed that the service couldn't start after the installation of the MS12-070 security patch (https://support.microsoft.com/kb/2716429) you can use the following 2 workarounds below.

(the issue already appeared in the past and was solved by https://support.microsoft.com/kb/936707/en-us)

 

Why is this happening?

When a .NET application startup the .NET Framework it tries to check if the Microsoft assemblies are right and have not been modified, this is done connecting to a server that has a revocation list in internet. When the framework tries to connect to the server to check if it has access to internet with an elevated timeout, this makes that any other .NET application that has less timeout setting fails (as SSIS or SSRS) with the error message you are getting.

The error message you are getting when you try to start SSRS:

"The request failed or the service did not respond in a timely fashion."

Means that the SSRS timeout is lower than the timeout of the connection to the revoke list server. Some recent windows updates have introduced this issue after you installed SP2 of SSRS 2008 R2. We are  aware of this problem and we have already provided several workarounds.

This issue affects to all applications that runs on .NET framework 2.0 and there are several workarounds for this problem:

 

1st workaround:  

Modify the registry to increase the default time-out value for the service control manager. To increase this value to 60 seconds, follow these steps:

       1. Click Start, click Run, type regedit,and then click OK.

       2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.

       3.  In the right pane, locate the ServicesPipeTimeout entry.

            Note If the ServicesPipeTimeout entry does not exist, you must créate it. To do this, follow these steps:

    1. On the Edit menu, point to New, and then click DWORD Value.
    2. Type ServicesPipeTimeout, and then press ENTER.
    3. Right-click ServicesPipeTimeout, and then click Modify.
    4. Click Decimal, type 60000, and then click OK.
      This value represents the time in milliseconds befor

            Restart the computer for the changes to take effect.

 Check that SSRS and SSIS services can be started now...

 

2nd workaround:

If the first action plan didn't work, try disabled the certificate checking in the ReportingServicesService.exe.config file:

  1. Edit the ReportingServicesService.exe.config file usually located in this folder: C:\Program Files\Microsoft SQL Server\<RS Instance>\Reporting Services\ReportServer\bin
  2. Add the "<generatePublisherEvidence enabled="false"/>" within the <Runtime> tag
  3. Patch the server with the KB.

If you want to distribute this workaround to many users you can créate a script in PowerShell

 

3rd workaround:

Another option would be disabling the global checking of the certificated in the machine following the steps below:

o   Start -> Control panel
o   Internet Options
o   Advanced
o   Uncheck "Check for publisher’s certificate revocation"

 

If the services are running under the Network Service account the change to the revocation in internet options is not working for them. In that case, you can perform the following changes for the SSRS service account:

Modify the following setting in the registry:

HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\WinTrust\TrustProviders\Software

Where the default value for State key is 0x00023c00

And you will need to change it to 0x00023e00

(More information in: https://support.microsoft.com/kb/2715304)

 

In order to get the Windows SID for this user and be able to find out the previous registry key, please follow the below instructions. 

  1. Download SPGETSID tool from https://technet.microsoft.com/en-us/sysinternals/bb897417.aspx
  2. Once it is installed and save to a local file, open a cmd window (with administrator privileges ) and navigate through the cmd to the folder where this spgetsid.exe is located.
  3. Then type the following command line:    spgetsid domain\user                       (where the domain\user is your SSRS service account) 
  4. Once get the SID please go to the previous registry key for this user and apply the change.

 

S-1-5-20 is the SID for Network Service, and for other SIDs: https://support.microsoft.com/kb/243330  

 

  • SID: S-1-5-18

    Name: Local System

    Description: A service account that is used by the operating system.

  • SID: S-1-5-19

    Name: NT Authority

    Description: Local Service

  • SID: S-1-5-20

    Name: NT Authority

    Description: Network Service

 

Note: Check workarronds in https://support.microsoft.com/kb/2745448 too

 

 

 

Maria Esteban

Reporting Services Support Engineer