Link to home
Start Free TrialLog in
Avatar of ADX39655
ADX39655

asked on

How do I properly configure Kerberos to work with Sharepoint and Project Server 2010?

Hello,

I am trying to build out a new SharePoint 2010 Farm for the purpose of Project Server 2010.  I have two Web Front End server, an Application Server, and 2 SQL Servers.  When I installed SharePoint I told the installer to use Kerberos for authentication.  

I have attempted to setup SPNs per the guide Microsoft made availiable here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

When I attempt to log into Central Admin fron a remote machine, it will not accept my credentials...I can only access Central Admin from the local machine on which it is installed.  I am unable to provision the PWA databases as well and have a feeling it is due to a Kerberos issue.

The error I am able to view in the event log is as follows:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svrfa. The target name used was HTTP/<server FQDN>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<DOMAIN>) is different from the client domain (<DOMAIN>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In researching this error I came across the following site:
http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

At the bottom it explains what I am experiancing stating
"When the web front-end tries to decrypt the service ticket, the key is incorrect because this was encrypted using the SPN accounts key (domain\spcontentpoolacct) and decrypted with application pool accounts private key (domain\spwrongacct). The error KRB_AP_ERR_MODIFIED will be sent to the client and appear in the Windows System event log."

My question is how to I correctly identify which account is being used to decrypt the key, vs the correct account that should be decrypting the key, and do I just need to remove the SPN for the incorrect account and add one for the correct one?

Any help in troubleshooting this matter would be appreciated!
ASKER CERTIFIED SOLUTION
Avatar of KoenVosters
KoenVosters
Flag of Belgium image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial