Join Index Server and Kerberos Error
Posted on 2008-06-20
I am working on a simple server farm which has one front end and one back end. Both servers are using Kerberos authentication and it works fine.
I then tried to have another server join this server farm as the index server. What I did included:
1. Create an SPN using -A HTTP/indexserver.FQDN (fully qualified domain name).
2. On the index server, change the accounts used by the following services to use the same domain user accounts used by the central admin hosting server:
Office SharePoint Server Search
Windows SharePoint Services Search
Windows SharePoint Service Timer
3. All three services mentioned above were changed to start either manually or automatically.
When I opened the Central Administration site and chose the index server to start the Office SharePoint Server Search, I received this error message:
An unhandled exception occurred in the user interface.Exception Information: The request failed with HTTP status 401: Unauthorized.
On the front end, which is hosting CA and the content web application, in the event viewer, under the Application category, there is an exception like this:
EventType ulsexception12, P1 w3wp.exe, P2 6.0.3790.1830, P3 ........
Under the System category, there is a Kerberos error; the Event ID is 4 and the following is the error message:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/indexserver.domianname.com. The target name used was HTTP/indexserver.DOMAINNAME.COM. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAINNAME.COM), and the client realm. Please contact your system administrator.
We checked AD and are pretty sure there were no duplicate names registered with the same server name under HTTP. One difference is:
In host/indexserver....., everything is shown in lower case.
In HTTP/indexserver....., the domain name is shown in upper case.
Although Windows does not care about case, I did find a blog whose author said he registered with a different case and it worked.
My question is: other than changing the case, is there anything else I missed that could cause this problem?
Thank you very much.
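The duplicate check and the case comparison described in the post, as an added example (not code from the original post): it parses an Event ID 4 message, compares the two names case-insensitively, and lists every account that holds the target SPN. The `example.com` names, both account names and the inventory are constructed for illustration.

```python
import re

# Constructed sample in the shape of the Event ID 4 text quoted in the post.
EVENT = ("The kerberos client received a KRB_AP_ERR_MODIFIED error from the "
         "server host/indexserver.example.com. The target name used was "
         "HTTP/indexserver.EXAMPLE.COM. This indicates that the password ...")

# Constructed SPN inventory (account -> SPNs); both account names are hypothetical.
INVENTORY = {
    "EXAMPLE\\INDEXSERVER$": ["HOST/indexserver.example.com", "HOST/INDEXSERVER"],
    "EXAMPLE\\svc-sharepoint": ["HTTP/indexserver.EXAMPLE.COM"],
}

EVENT_RE = re.compile(
    r"KRB_AP_ERR_MODIFIED error from the server (?P<server>\S+?)\.\s+"
    r"The target name used was (?P<target>\S+?)\.(?:\s|$)", re.IGNORECASE)


def normalize(spn):
    """Split 'class/host[:port]' and lower-case it; SPN lookups ignore case."""
    service, _, host = spn.strip().partition("/")
    return service.lower(), host.lower()


def parse_event(text):
    """Return (responding server name, target SPN) from an Event ID 4 message."""
    m = EVENT_RE.search(text)
    if m is None:
        raise ValueError("not a KRB_AP_ERR_MODIFIED event message")
    return m.group("server"), m.group("target")


def holders(inventory, spn):
    """Accounts that register `spn`, compared case-insensitively."""
    wanted = normalize(spn)
    return sorted(acct for acct, spns in inventory.items()
                  if any(normalize(s) == wanted for s in spns))


def diagnose(text, inventory):
    server, target = parse_event(text)
    (s_cls, s_host), (t_cls, t_host) = normalize(server), normalize(target)
    owners = holders(inventory, target)
    return {
        "same_host": s_host == t_host,          # case alone is not a mismatch
        "same_service_class": s_cls == t_cls,   # host vs HTTP in the sample
        "target_spn_holders": owners,
        "duplicate_spn": len(owners) > 1,       # same SPN on several accounts
    }


if __name__ == "__main__":
    print(diagnose(EVENT, INVENTORY))
```

In practice the inventory would be built from an export of each account's `servicePrincipalName` values rather than typed by hand.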