Left with 0 client certificates to choose from when accessing SSRS management.

Environment:

Reporting Services running on a SQL Server 2008 R2 SP3 installation on a Windows 2008 server with .Net 4.6.1 installed and .Net 3.5 enabled as feature. IIS, database and reporting service all in the local machine (custom login URL in a different machine but seems that this is unrelated).

Changes done:

Due to security reasons we are force to move to TLS 1.2 so we did with IISCrypto enabling just TLS 1.2

Outcome:

From this moment we get an error only when trying to access the Report Management site. On the browser we get an error 500 saying:

The underlying connection was closed: An unexpected error occurred on a receive

On the SSRS logs we can see the following exception:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm

The callstack starts on the ReportServer OnInit() so it is failing right starting away and the error happens on the Reporting Services initialization.

Enabling traces on the .Net Framework I found the following messages where it is shown that the fail happens when SSRS calls its own web services:

System.Net Information: 0 : [5076] HttpWebRequest#38854310 - Request: POST /ReportServer/ReportService2010.asmx HTTP/1.1

System.Net Information: 0 : [4124]

SecureChannel#52830003::.ctor(hostname=themachineshostname, #clientCertificates=0)

System.Net Information: 0 : [4124] Enumerating security packages:

System.Net Information: 0 : [4124]     Negotiate

System.Net Information: 0 : [4124]     NegoExtender

System.Net Information: 0 : [4124]     Kerberos

System.Net Information: 0 : [4124]     NTLM

System.Net Information: 0 : [4124]     Schannel

System.Net Information: 0 : [4124]     Microsoft Unified Security Protocol Provider

System.Net Information: 0 : [4124]     WDigest

System.Net Information: 0 : [4124]     TSSSP

System.Net Information: 0 : [4124]     pku2u

System.Net Information: 0 : [4124]     CREDSSP

System.Net Information: 0 : [4124] SecureChannel#52830003 - Left with 0 client certificates to choose from.

System.Net Information: 0 : [4124] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc = System.Net.SecureCredential)

System.Net Error: 0 : [4124] AcquireCredentialsHandle() failed with error 0X80090331.

Things already checked:

The certificate in use is still valid and it's signature chain is placed in the proper "Intermediate" and "Root" stores.

Running the Application Pool as an administrator does not help.

Using a custom signed certificate generated from IIS does not help.

Important: The issue only happens on the Reporting Services Management site, the reports work fine

Next Steps

Any ideas on what else to try? Is there a way to know why the security packages where not selected?

Update

The issue is not related to TLS1.2 as enabling TLS 1 again I get the same error. I'm guessing that the login URL is somehow involved.

Let’s ensure 2 things are set properly in the registry (on both your Report Server and IIS custom login server). Reboot is required after reach setting change (do one at a time to see what works).

TLS 1.2 Client/Server Enablement in Registry

Go to HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL and ensure TLS 1.2 is enabled and the other providers are disabled. If TLS 1.2 is not present create it. Details here

Ensure UseStrongCrypto is Enabled for .NET

Go to here and ensure strong crypto is enabled.

Note: I am on mobile device so hard to type an in depth answer. If these things work for you I can add more detail into the answer later.