When running SCCM reports that depend on Role Based Access Control (RBAC), SQL Server Reporting Services (SSRS) will attempt to communicate with Active Directory via Kerberos authentication.

It fail to run the reports with below error.

As configured setting has effect of limiting the encryption types allowed for Kerberos authentication from the reporting point server to only AES128, AES256, and Future encryption types.

The service account used by the SQL Reporting Services service was not properly configured to support these algorithms. Instead, SSRS was attempting to authenticate using the RC4 encryption type, which is no longer allowed on the server, resulting in the KDC error.

1. Steps to enable AES encryption

1. Open Active Directory Users and Computers

2. Browse to the user account used by SQL Reporting Services on the affected server

3. Right-click the user account and select Properties

4. Click on the Account tab

5. Under Account options , check the box next to one or both of the following:

   1. This account supports Kerberos AES 128 bit encryption

   2. This account supports Kerberos AES 256 bit encryption

f. Click OK

2. Steps to configure the policy setting Network security

a. On the affected server, open an elevated command prompt

b. Type SECPOL and hit Enter

c. In the Local Security Policy management console, expand Local Policies and click on Security Options

d. Scroll down in the left-hand pane until you find the setting Network security: Configure encryption types allowed for Kerberos

e. Right-click this setting and select Properties

f. In the Local Security Settings tab, check the box next to RC4_HMAC_MD5 , AES128_HMAC_SHA1 , AES256_HMAC_SHA1 , and Future encryption types

g. Click OK

Try to reset the Service account/Domain account password to apply new algorithm policies