Key not valid for use in specified state. (Exception from HRESULT: 0x8009000B) (rsRPCError) Get Online Help
The problem could be a combination of the following:
- Encrypted data are no longer accessible
- Reporting Services Service Account crypto key is no longer valid
The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database
Reporting Services Error The report server cannot decrypt the symmetric key used to access sensitive or encrypted data in a report server database. You must either restore a backup key or delete all encrypted content. Check the documentation for more information. (rsReportServerDisabled) (rsRPCError) Bad Data. (Exception from HRESULT: 0x80090005)
What does this mean?
With the crypto (privatekey) gone, we can no longer access encrypted data.
We have two choices, restore the key by providing our backup file and the password we used while storing it.
Or remove all encrypted entities.
List encryption keys
RSKeyMgmt.exe -i [instance] -l
set "_instance=v2005MIRROR" "C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\RSKeyMgmt.exe" -i %_instance% -l
Removing encryption keys
RSKeyMgmt.exe -i [instance] -d
@echo off set "_instance=v2005MIRROR" "C:\Program Files (x86)\Microsoft SQL Server\90\Tools\binn\RSKeyMgmt.exe" -i %_instance% -d
Are Encryption keys actually the problem
Do Encryption Keys exist
- If encryption keys do not exists or can not be accessed, then:
- The Backup/Restore/Change buttons are disabled
- But, the delete can still be
- If encryption keys exist and they are usable, then all ( Backup/Restore/Change/Delete ) buttons are enabled
Review Encryption Keys in database
SELECT [MachineName] ,[InstallationID] ,[InstanceName] ,[Client] ,[PublicKey] ,[SymmetricKey] FROM [dbo].[Keys]
Pay attention to the following:
- That you are in the right database ( use [database] )
- TY ( in our case)
- Especially important in scale out deployment
What happens when we delete keys
On the database side, it invokes [dbo].[DeleteKey].
And, here is the SQL.
ALTER PROCEDURE [dbo].[DeleteKey] @InstallationID uniqueidentifier AS if (@InstallationID = '00000000-0000-0000-0000-000000000000') RAISERROR('Cannot delete reserved key', 16, 1) -- Remove the encryption keys delete from keys where InstallationID = @InstallationID and Client = 1
- If you check your database table and do not see entries matching your MachineName and InstanceName, then you likely not having problems with existing Database keys
- Keep in the mind that the record for the null installationID ( 00000000-0000-0000-0000-000000000000 ) remains
Another avenue to try is to start with a fresh database
Database Setup – Database Connection
On the “Database Setup” \ “Database Connection” page, click the “New…” button
SQL Server Connection Dialog
Enter parameters for Server name, new database name, etc….
Retry accessing the web site, and if problems remain, then you likely do not have encryption key problems after all
Key not valid for use in specified state
What is the Reporting Services LogOn/Service Account?
In our case, it is a local account called ASPNetServiceAccount.
Find the Key
Based on the service’s account name find the crypto key…
View Key Contents
- Microsoft SQL Server Reporting Services Key Container
- It is indeed Reporting Services Key
Restart related services
Please restart related services, such as
- Reporting Services
- World Wide Web Publishing Service
Crediting MSFT’s Jin Chen
Elevation Worship – Here As In Heaven (Acoustic)
- Key not valid for use in specified state with an exception