Solved

How do I properly configure Kerberos to work with Sharepoint and Project Server 2010?

Posted on 2011-02-22
1
1,261 Views
Last Modified: 2012-05-11
Hello,

I am trying to build out a new SharePoint 2010 Farm for the purpose of Project Server 2010.  I have two Web Front End server, an Application Server, and 2 SQL Servers.  When I installed SharePoint I told the installer to use Kerberos for authentication.  

I have attempted to setup SPNs per the guide Microsoft made availiable here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

When I attempt to log into Central Admin fron a remote machine, it will not accept my credentials...I can only access Central Admin from the local machine on which it is installed.  I am unable to provision the PWA databases as well and have a feeling it is due to a Kerberos issue.

The error I am able to view in the event log is as follows:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svrfa. The target name used was HTTP/<server FQDN>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<DOMAIN>) is different from the client domain (<DOMAIN>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In researching this error I came across the following site:
http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

At the bottom it explains what I am experiancing stating
"When the web front-end tries to decrypt the service ticket, the key is incorrect because this was encrypted using the SPN accounts key (domain\spcontentpoolacct) and decrypted with application pool accounts private key (domain\spwrongacct). The error KRB_AP_ERR_MODIFIED will be sent to the client and appear in the Windows System event log."

My question is how to I correctly identify which account is being used to decrypt the key, vs the correct account that should be decrypting the key, and do I just need to remove the SPN for the incorrect account and add one for the correct one?

Any help in troubleshooting this matter would be appreciated!
0
Comment
Question by:ADX39655
1 Comment
 
LVL 14

Accepted Solution

by:
KoenVosters earned 500 total points
Comment Utility
You should have the SPN HTTP/.... with ADSIEDIT linked to the identity of the application pool of the web application.
That SPN can only exist once.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now