Join Index Server and Kerberos Error

I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it works fine.

So, I tried to have another server join this server farm as an Index server. What I did included:

1. Create a SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
   Office SharePoint Server Search
   Windows SharePoint Services Search
   Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.

When I opened the Central Administration site and chose the index server to start the Office SharePoint Server Search, I received this error message:

An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.

On the front end which is hosting CA and the content web application, in the event viewer, under the Application category there is an exception like this:

EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........

Under the System category, there is a Kerberos error; the Event ID is 4 and the following is the error message:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com.  The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named  machine accounts in the target realm (DOMAINNAME.COM), and the client realm.   Please contact your system administrator.

We checked the AD and are pretty sure there were no duplicate names registered with the same server name under HTTP. One of the differences is:
In the host/indexserver..... , everything showed in lower case.
In HTTP/indexserver ....., the domain name showed in upper case.

Although the Windows system does not care about case, I did find a blog that said he registered with a different case and it worked.

My question is: other than changing the case, is there anything else I missed that could cause this problem?

Thank you very much.


cobrachen Asked:
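
The Event ID 4 text quoted in the question means the service ticket was encrypted with a key the target service could not use, which happens when the SPN is held by an account other than the one running the service, or by more than one account. As an added example (not part of the original thread), this Python script checks a constructed export of account/SPN pairs for those conditions, comparing SPNs case-insensitively; the export format, the account names and the example.com hosts are assumptions.

```python
# Constructed sample: one "account SPN" pair per line, as might be collected
# from the servicePrincipalName attribute of each account. All names are
# made up for illustration; the line format is an assumption.
SAMPLE_EXPORT = """\
INDEXSERVER$ HOST/indexserver.example.com
INDEXSERVER$ HTTP/indexserver.EXAMPLE.COM
EXAMPLE\\svc_moss HTTP/frontend.example.com
EXAMPLE\\svc_moss http/IndexServer.example.com
"""

def parse_export(text):
    """Return a list of (account, spn) tuples from the export text."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        account, spn = line.rsplit(None, 1)  # SPN is the last field
        pairs.append((account, spn))
    return pairs

def normalize(spn):
    """SPN matching is case-insensitive, so compare in lower case."""
    return spn.strip().lower()

def owners_of(pairs, target_spn):
    """Sorted, de-duplicated accounts that hold target_spn."""
    wanted = normalize(target_spn)
    return sorted({acct for acct, spn in pairs if normalize(spn) == wanted})

def diagnose(pairs, target_spn, service_account):
    """Classify the registration of target_spn for a service that runs as
    service_account: 'missing', 'duplicate', 'wrong-account' or 'ok'."""
    owners = owners_of(pairs, target_spn)
    if not owners:
        return "missing", owners
    if len(owners) > 1:
        return "duplicate", owners       # KDC cannot pick a single key
    if owners[0].lower() != service_account.lower():
        return "wrong-account", owners   # ticket encrypted with another key
    return "ok", owners

if __name__ == "__main__":
    pairs = parse_export(SAMPLE_EXPORT)
    print(diagnose(pairs, "HTTP/indexserver.example.com", "EXAMPLE\\svc_moss"))
```
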
 
ChiefIT Commented:
There is a big difference when trying to authenticate using Kerberos and NTLM. 2003 server defaults to Kerberos. Older machines (NT4, Windows ME, 98) use NTLM. 2003 server has been backwards compatible to Kerberos, but sometimes in a native mode you might see problems authenticating.

An explanation of some problems you may see is explained in this article. Using this article you can define your cluster to use Kerberos and not use NTLM. If the incompatibility is your error, you should be able to determine if it is your problem when looking at this article.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

I hope this helps.
 
ChiefIT Commented:
Are you using a cloned machine? You might have to get a new SID.

If not, have you reset the computer password?
http://support.microsoft.com/kb/325850

Then again you might have something wrong with the CA records. Use the PKI enterprise tool to look at those records for errors.
http://technet2.microsoft.com/windowsserver2008/en/library/bf9c7dca-26d7-4de5-890d-47e30308690e1033.mspx?mfr=true

I hope this helps.
 
cobrachen (Author) Commented:
When you mentioned a cloned machine, do you mean the image of the OS came from another machine or the entire server is cloned from another one?

Thanks.
 
ChiefIT Commented:
Full blown machine

An imaged machine might have this problem as well. I am thinking the SID might be the same as another computer.
 
cobrachen (Author) Commented:
OK, let me back off a little bit.

Do I need or have to use Kerberos in order to expand a MOSS server farm? Recently I was told NTLM is able to handle it, and I am puzzled.

Thanks.
Question has a verified solution.
