When running SCCM reports that depend on Role Based Access Control (RBAC), SQL Server Reporting Services (SSRS) will attempt to communicate with Active Directory via Kerberos authentication.
It fail to run the reports with below error.
As configured setting has effect of limiting the encryption types allowed for Kerberos authentication from the reporting point server to only AES128, AES256, and Future encryption types.
The service account used by the SQL Reporting Services service was not properly configured to support these algorithms. Instead, SSRS was attempting to authenticate using the RC4 encryption type, which is no longer allowed on the server, resulting in the KDC error.
1. Steps to enable AES encryption
Open Active Directory Users and Computers
Browse to the user account used by SQL Reporting Services on the affected server
Right-click the user account and select Properties
Click on the Account tab
Under Account options , check the box next to one or both of the following:
This account supports Kerberos AES 128 bit encryption
This account supports Kerberos AES 256 bit encryption
f. Click OK
2. Steps to configure the policy setting Network security
a. On the affected server, open an elevated command prompt
b. Type SECPOL and hit Enter
c. In the Local Security Policy management console, expand Local Policies and click on Security Options
d. Scroll down in the left-hand pane until you find the setting Network security: Configure encryption types allowed for Kerberos
e. Right-click this setting and select Properties
f. In the Local Security Settings tab, check the box next to RC4_HMAC_MD5 , AES128_HMAC_SHA1 , AES256_HMAC_SHA1 , and Future encryption types
g. Click OK
Try to reset the Service account/Domain account password to apply new algorithm policies