After installing my SCCM 2012 R2 Primary Site, I attempted to test out the reporting feature and kept running into the following error when trying to run any of the built-in reports:
The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: a specified login session does not exist. It may already have been terminated.
I did some research and eventually tied it back to my SQL Server Reporting Services (SSRS) configuration.
I have SSRS installed on my primary site server with the reporting database sitting on a remote system running SQL Server 2012, and when I initially set up SSRS I had it using the Local System built-in account as the service account.
After going back and reviewing the documentation and reading over various blog posts, I realized using Local System as the service account wasn’t going to work and I needed to specify a domain resource account to use with the proper permissions set.
So I created a new resource account specifically for SCCM and SSRS, named SMSRS, and made sure to add it to the local SMS Admins group on the site server and grant it sysadmin and remote access permissions to the reporting databases on my SQL server. I then reconfigured the SSRS Service Account and Current Report Server Database Credential settings to use this new SMSRS account.
After restarting the service, I was able to run reports in SCCM without any further trouble.
A few quick additional notes:
- Before changing the service account for SSRS, be sure to back up the encryption key for the original account so you don’t lose the ability to talk to the existing reporting database.
- After changing the service account, perform a restore of the backed-up encryption key.
Instructions for backing up and restoring SSRS encryption keys for SQL Server 2012 are here:
- The service account used for SSRS must be a member of the domain local security group Windows Authorization Access Group and have Allow Read tokenGroupsGlobalAndUniversal permissions in Active Directory.