Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr

Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr. Recently, We had a discussion in the Facebook Group for SCCM ConfigMgr Professionals about the SSRS reporting issue after upgrading from SCCM.

Some of the group members are reported the following issue/error. However, I didn’t find this issue in any of my environments (I’ve 3 different environments), and the SSRS reports are working fine after ConfigMgr 2012 R2 upgrades. So I don’t know the exact reason for the following error in some environments.

System.Web.Services.Protocols.SoapException: The DefaultValue expression for the report parameter ‘UserTokenSIDs’ contains an error: Logon failure: unknown user name or bad password. 

Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error

Initially, I suspected that there was something to do with  Domain functional level and forest functional level. Tested the same with different functional levels Windows Server 2008 2 and Windows Server 2003. For both functional levels, it worked fine for me. Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr?

After some “REsearch”, I found some interesting updates done on SCCM 2012 R2 Configuration Manager Documentation Library in November 2013. Also, the Technet page has been updated with new prerequisites for SCCM 2012 R2 SSRS report service account.

Patch My PC

The SSRS service account should be members of the Windows Authorization Access (WAA) group and Read tokenGroupsGlobalAndUniversal allow permissions. More details @ Technet page “To install the reporting services point on a site system“.

Added a note that the account that runs Reporting Services must belong to the domain local security groupWindows Authorization Access Group, and have the Read tokenGroupsGlobalAndUniversal permission set toAllow.

You should add the group mentioned above and security settings when you have an SSRS-related issue. If that is not solving the issue, you can try something mentioned in the following TechNet thread.  

Detailed discussion about SCCM 2012 R2 SSRS issue here. Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr.

Extract from Technet forum:- Some interesting stuff  In our environment, we run all SQL services as a separate account, say domain\CMSQLSERVICE account (so if you looked at the services, you’d see SQL Server, SQL Server Agent & SQL Server Reporting Services all running as CMSQLSERVICE).

Adaptiva

We also run reporting as another account, say domain\CMSQLREPORTING account (SCCM console, Admin, Site Config, Servers & Sites, Reporting services point).

Placing CMSQLREPORTING account into the Windows Authorization Access Group did not resolve the issue as I had thought. We then put the CMSQLSERVICE account in there & everything worked as intended. Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr?

You’ll easily see the errors by looking on the reporting point/server with the SQL database for C:\Users\ACCOUNTRUNNINGSQLSERVICE\AppData\Local\Temp.

Resources

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

Author

Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. E writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc…

2 thoughts on “Fix SCCM Upgrade Breaks SSRS with UserTokenSIDs contains an error ConfigMgr”

  1. Hi Anoop,

    At this moment, we encounter the same error as you mentioned above (UserTokenSIDs). But…..only 1 user gets this error. The other 3 admins (Full administrator) can run reports without any problem.
    The SSRS service account is member of the WAA group.
    The admin account that gets the error is member of the same groups as the other 3.

    Whats changed? A couple of weeks ago the Reporting Role was moved to another server. Before that he didn’t have a problem running reports. But with this change the SSRS service account hasn’t changed.

    Hope you can point me in the right direction

    Robert

    Reply
  2. Hey Robert,

    I am having the same issue. Keep me posted if you find a solution. I’ve been digging into this for hours. If I find something, I’ll make sure to post.

    Thanks!

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.