If you work with SCCM (System Center Configuration Manager) and SQL Server Reporting Services (SSRS), you may run into a frustrating issue where reports fail with the error:
“The DefaultValue expression for the report parameter 'UserTokenSIDs' contains an error: A specified logon session does not exist. It may already have been terminated. (rsRuntimeErrorInExpression)”
This error was highlighted in a Windows-Noob forum discussion and has since been encountered by many SCCM administrators. In this blogpost, we’ll break down the root cause, the logs to check, and the best ways to fix the problem.
Understanding the SSRS SCCM Reporting Log Error
When this error appears, it’s usually tied to Role-Based Access Control (RBAC) in SCCM. Looking into the sccmreporting.log on your SQL/SSRS server often reveals entries like:
EnableRbacReporting key exists. Value = 1
A specified logon session does not exist. It may already have been terminated.
This confirms that RBAC enforcement is blocking report execution.
Common Setup Scenario
In the reported case, the server setup looked like this:
- SSRS and SQL Server running under a non-admin domain account
- Service account in the Windows Authorization Access Group with AD read rights
- Windows Negotiate authentication configured in SSRS
- Proper SPNs and Kerberos AES encryption enabled
- Account trusted for delegation
- Reports (custom and default) using the same shared data source
On the surface, everything appeared correctly configured—yet the error persisted.
Quick Workaround: Disable RBAC Reporting
One confirmed workaround is to disable RBAC enforcement for SSRS:
- Open the registry on the SSRS server.
- Locate the
EnableRbacReportingkey. - Change its value from
1to0.
After restarting SSRS, the reports worked again.
⚠️ Note: This should be treated as a temporary fix only. Disabling RBAC removes SCCM’s built-in security model, which could expose sensitive reporting data.
Long-Term Fixes to Keep RBAC Enabled
To properly resolve the issue without disabling RBAC, consider these steps:
1. Verify Permissions and Delegation
Ensure the SSRS service account has the right RBAC roles, and that delegation and SPNs are configured correctly in Active Directory.
2. Enable Detailed Logging
Use SSRS trace logs and SCCM site logs to pinpoint authentication failures. Microsoft provides detailed guidance on SSRS log files.
3. Confirm Reporting Services Point Setup
Check that the SCCM Reporting Services Point is installed correctly, the SSRS service is running, and no firewall/port issues are blocking access.
4. Test With a Simpler Setup
Run a test using a minimal service account or test environment to isolate whether the failure is RBAC-related or a deeper SSRS/SQL configuration issue.
Conclusion
The SSRS SCCM Reporting Log error related to 'UserTokenSIDs' is almost always tied to RBAC enforcement. While disabling RBAC can get reports working quickly, the recommended long-term approach is to validate authentication, delegation, and service account permissions.
