web
You’re offline. This is a read only version of the page.
close
Skip to main content

Notifications

Announcements

No record found.

News and Announcements icon
Community site session details

Community site session details

Session Id :
Dynamics 365 Community / Forums / Microsoft Dynamics GP (Archived) / Blocked by Management ...
Microsoft Dynamics GP (Archived)

Blocked by Management Reporter Security

(0) ShareShare
ReportReport
Posted on by Richard Wheeler 75,850 Moderator

After a total server crash I was given a backup copy of client's Management Reporter database. I need to get this online to extract the building blocks. If I attempt to restore the database and then install MR server I am greeted with the message "You must be a Management Reporter administrator to use the Configuration Console". How do I get beyond this? Are there either security tables I can update or which tables contain the report definitions so I can import this information so I can export the building blocks.

*This post is locked for comments

I have the same question (0)
  • Suggested answer
    MG-16101311-0 Profile Picture
    MG-16101311-0 26,225 on at

    After you restore the database, you will need to redeploy the MR encryption keys:

    --////////////////////////////////////////////////////////////////
-- 
-- Script Instructions:
-- 
-- 1. Update the line in the following code, starting with 'CREATE MASTER KEY ENCRYPTION BY PASSWORD', to contain the 
-- Master key you wish to use. The master key must meet the Windows password policy 
-- requirements of the computer that is running the instance of SQL Server.
--
-- 2. Run this script against the Management Reporter 2012 database. This script
-- will output a message if it does not detect the Management Reporter 2012 database.
--
--////////////////////////////////////////////////////////////////

IF EXISTS (SELECT Name FROM sys.tables WHERE Name = 'ControlReportSchedule')
     BEGIN
           IF EXISTS (SELECT TOP(1) name FROM sys.symmetric_keys WHERE name = 'GeneralUserSymmetricKey')
                   DROP SYMMETRIC KEY GeneralUserSymmetricKey

          IF EXISTS (SELECT TOP(1) name FROM sys.certificates WHERE name = 'GeneralUserCertificate')
                   DROP CERTIFICATE GeneralUserCertificate

           IF EXISTS (SELECT TOP(1) name FROM sys.symmetric_keys WHERE name = 'ConnectorServiceSymmetricKey')
                   DROP SYMMETRIC KEY ConnectorServiceSymmetricKey

           IF EXISTS (SELECT TOP(1) name FROM sys.certificates WHERE name = 'ConnectorServiceCertificate')     
                   DROP CERTIFICATE ConnectorServiceCertificate

           IF EXISTS (SELECT TOP(1) name FROM sys.symmetric_keys WHERE name = '##MS_DatabaseMasterKey##')
                   DROP MASTER KEY

           CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Access!23'
           -- NOTE Where Access!23 is your actual password

           CREATE CERTIFICATE [ConnectorServiceCertificate]
                 AUTHORIZATION [dbo]
                 WITH SUBJECT = N'Certificate for symmetric key encryption - for use by the connector service.'

           CREATE CERTIFICATE [GeneralUserCertificate]
                 AUTHORIZATION [dbo]
                 WITH SUBJECT = N'Certificate for access symmetric keys - for use by users assigned to the GeneralUser Role.'

           CREATE SYMMETRIC KEY [ConnectorServiceSymmetricKey]
                 AUTHORIZATION [dbo]
                 WITH ALGORITHM = AES_256
                 ENCRYPTION BY CERTIFICATE [ConnectorServiceCertificate]

           CREATE SYMMETRIC KEY [GeneralUserSymmetricKey]
                 AUTHORIZATION [dbo]
                 WITH ALGORITHM = AES_256
                 ENCRYPTION BY CERTIFICATE [GeneralUserCertificate]

           IF NOT EXISTS (SELECT TOP(1) name FROM sys.database_principals WHERE name='GeneralUser') 
                   BEGIN 
                       CREATE ROLE [GeneralUser]
                       AUTHORIZATION [dbo]
                   END 

           GRANT CONTROL ON CERTIFICATE::[GeneralUserCertificate] TO [GeneralUser]
           GRANT VIEW DEFINITION on SYMMETRIC KEY::[GeneralUserSymmetricKey] TO [GeneralUser]
           GRANT CONTROL ON CERTIFICATE::[ConnectorServiceCertificate] TO [GeneralUser]
           GRANT VIEW DEFINITION on SYMMETRIC KEY::[ConnectorServiceSymmetricKey] TO [GeneralUser] 
           UPDATE Connector.Adapter
           SET Settings.modify('declare namespace x="www.microsoft.com/.../Integration";
                                 replace value of 
                                 (/SettingsCollection/x:ArrayOfSettingsValue/x:SettingsValue[x:Attributes="Password"]/x:Value/text())[1] 
                                 with ""')
           UPDATE Connector.MapCategoryAdapterSettings
           SET Settings.modify('declare namespace x="www.microsoft.com/.../Integration";
                                 replace value of                               
(/SettingsCollection/x:ArrayOfSettingsValue/x:SettingsValue[x:Attributes="Password"]/x:Value/text())[1] 
                                 with ""')
     END
ELSE
     BEGIN
           PRINT 'WARNING: Incorrect database selected.'
           Print 'Execute script against the Management Reporter 2012 database.'
           PRINT 'This can be found in the Management Reporter 2012 Configuration Console.'
     END


    Once you've ran the above script, you can continue with your MR installation by launching the configuration console and what's not. Also, and just in case the URL in the script get messed up, here it is - www.microsoft.com/.../Integration

  • Richard Wheeler Profile Picture
    Richard Wheeler 75,850 Moderator on at

    This got me a little closer. At the very end of the configure routine this message popped up.

    Msg 233, Level 20, State 0, Line 0

    A transport-level error has occurred when sending the request to the server. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.)

    I get the same message when I try to run your script in SSMS.

    Now, should I do a complete MR installation and then when done do a forced restore of the MR database and then run your script?

  • MG-16101311-0 Profile Picture
    MG-16101311-0 26,225 on at

    Yikes! Keep that backup handy, but the news is not good. It seems your MR database has some bad extents. You can try the following, but I highly recommend you check to make sure there's no data loss, after you exec the steps below:

    1. Restore your MR database backup once more.

    2. Run the following against it

    sp_resetstatus ManagementReporter;
alter database ManagementReporter set emergency;
alter database ManagementReporter set single_user;
dbcc checkdb (ManagementReporter, repair_allow_data_loss);

    3. Bring the database back from emergency mode

    alter database ManagementReporter set multi_user;

    4. Run the script I provided you above

  • MG-16101311-0 Profile Picture
    MG-16101311-0 26,225 on at

    Thought of something else...

    Can you make sure that your server is allowing remote connections? You can do this by going to SQL Server Configuration Manager and make sure TCP/IP is enabled.

  • Richard Wheeler Profile Picture
    Richard Wheeler 75,850 Moderator on at

    No worries here. All this fun is happening in our data center miles away from production.  I get a little closer each time. Now when I launch MR Configuration Console I get the message telling me I must be an MR admin to run the Configuration Console. When I installed MR I used the domain admin account and 'sa' .  The services are running but the service logs are full of access denied messages.

  • MG-16101311-0 Profile Picture
    MG-16101311-0 26,225 on at

    This means that you are currently logged in with an account that is not an MR admin on the server where the console is running -- stating the obvious. What happens if you reset the password for the MR admin account in Active Directory Users and Computers then try to log on as that account instead? You can also try right-click on Configuration Console and do a Run As and select the account you installed Configuration Console with.

  • Richard Wheeler Profile Picture
    Richard Wheeler 75,850 Moderator on at

    What I have is a mirror copy of the client's server. There are only two accounts. One being the domain admin and the other an account I use to run all services. When I installed MR I used the domain admin account. I named my domain the same as theirs so I do not know why I am being denied access. Is there a way to find out what users are in MR? I could match whatever users I find in there?

  • MG-16101311-0 Profile Picture
    MG-16101311-0 26,225 on at

    "Mirrored" is a misnomer here, you can have the same domain name, machine name, and domain accounts "mirrored" elsewhere, but the security principal IDs are different. That's what MR is looking for: the same matching SID. IF you can match the SIDs then you are good. Users are stored in [SecurityUser] and [SecurityPrincipal] tables.

  • Richard Wheeler Profile Picture
    Richard Wheeler 75,850 Moderator on at

    Yes, I agree "mirror" is misnomer here but it is late and I am getting no where. What happened here after the crash was that someone changed the account running the MR services from NT Authority to a domain user account. Ever since that time MR has been non-functional. Even if I change it back MR still does not function due to all the permission denied messages. So I wanted to try to bring the MR database to another server to see if I could bring it online so I could extract the building blocks. All my attempts have failed. Is there any way to get to those building blocks? Can I do a fresh install of MR and then import the tables with the report layouts? I can see all the data it is simply I cannot access them through MR.

  • Richard Wheeler Profile Picture
    Richard Wheeler 75,850 Moderator on at

    I now have this back to the point that when I launch MR Configure I get the message you must be a Management Reporter administrator to use the Configuration Console. I am logged in as a user in the SecurityUser table whose role type is 5. This domain user runs the MR services and is an admin on this server. How else do I tell MR that this user is an MR admin?

Under review

Thank you for your reply! To ensure a great experience for everyone, your content is awaiting approval by our Community Managers. Please check back later.

Helpful resources

Quick Links

Responsible AI policies

As AI tools become more common, we’re introducing a Responsible AI Use…

Neeraj Kumar – Community Spotlight

We are honored to recognize Neeraj Kumar as our Community Spotlight honoree for…

Congratulations to the November Top 10 Community Leaders!

These are the community rock stars!

Leaderboard > 🔒一 Microsoft Dynamics GP (Archived)

#1
mtabor Profile Picture

mtabor 1

Last 30 days Overall leaderboard

Featured topics

Product updates

Dynamics 365 release plans