Solved

How do I properly configure Kerberos to work with SharePoint and Project Server 2010?

Posted on 2011-02-22
Last Modified: 2012-05-11
Hello,

I am trying to build out a new SharePoint 2010 Farm for the purpose of Project Server 2010. I have two Web Front End servers, an Application Server, and 2 SQL Servers. When I installed SharePoint I told the installer to use Kerberos for authentication.

I have attempted to set up SPNs per the guide Microsoft made available here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

When I attempt to log into Central Admin from a remote machine, it will not accept my credentials... I can only access Central Admin from the local machine on which it is installed. I am unable to provision the PWA databases as well and have a feeling it is due to a Kerberos issue.

The error I am able to view in the event log is as follows:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svrfa. The target name used was HTTP/<server FQDN>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<DOMAIN>) is different from the client domain (<DOMAIN>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In researching this error I came across the following site:
http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

At the bottom it explains what I am experiencing, stating:
"When the web front-end tries to decrypt the service ticket, the key is incorrect because this was encrypted using the SPN accounts key (domain\spcontentpoolacct) and decrypted with application pool accounts private key (domain\spwrongacct). The error KRB_AP_ERR_MODIFIED will be sent to the client and appear in the Windows System event log."

My question is: how do I correctly identify which account is being used to decrypt the key, vs. the correct account that should be decrypting the key, and do I just need to remove the SPN for the incorrect account and add one for the correct one?

Any help in troubleshooting this matter would be appreciated!
Question by:ADX39655
1 Comment
Accepted Solution

by:
KoenVosters earned 500 total points
ID: 34953507
You should have the SPN HTTP/.... with ADSIEDIT linked to the identity of the application pool of the web application.
That SPN can only exist once.
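The accepted answer says the HTTP/ SPN must sit on the application pool identity and on no other account; the question asks how to find out which account currently holds it and which account is actually decrypting the ticket. The following PowerShell is an added example that is not part of the original question or answer. It assumes the SPN from the event log is HTTP/svrfa.corp.example, the domain is CORP, the correct pool identity is CORP\sp_webapp and the account that wrongly holds the SPN is CORP\spwrongacct; all four are placeholders to be replaced with the values your own setspn and Get-SPWebApplication output show. It is meant to be run in an elevated SharePoint 2010 Management Shell on the web front end named in the error.

```powershell
# Added example, not from the original post. Assumed names: the DNS name in the
# failing SPN is svrfa.corp.example, the domain is CORP, the correct pool
# identity is CORP\sp_webapp and the account wrongly holding the SPN is
# CORP\spwrongacct. Replace them with the values the queries below print.

$Fqdn   = 'svrfa.corp.example'
$Spn    = "HTTP/$Fqdn"
$Domain = 'CORP'

# 1. Which account does the KDC think owns the SPN? setspn -Q searches the
#    forest for that exact SPN and prints the owning object's DN. This is the
#    account whose key the service ticket was encrypted with.
Write-Host "Accounts registered for $Spn"
setspn -Q $Spn

# 2. Are there duplicate SPNs anywhere in the forest? With two owners the KDC
#    may pick either key, so the WFE sometimes cannot decrypt the ticket,
#    which is what KRB_AP_ERR_MODIFIED reports.
Write-Host 'Duplicate SPNs in the forest (should report none)'
setspn -X

# 3. Which account is actually decrypting the ticket? That is the identity of
#    the IIS application pool behind the web application. Central Admin runs
#    under the farm account; content web applications use their own accounts.
Get-SPWebApplication -IncludeCentralAdministration |
    Select-Object Url,
        @{ n = 'AppPoolAccount'; e = { $_.ApplicationPool.Username } } |
    Format-Table -AutoSize

# The same information straight from IIS, in case a pool identity was changed
# outside SharePoint. A difference between this and the list above is a
# finding on its own.
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools |
    Select-Object Name,
        @{ n = 'Identity';     e = { $_.processModel.userName } },
        @{ n = 'IdentityType'; e = { $_.processModel.identityType } } |
    Format-Table -AutoSize

# 4. Fix: move the SPN to the pool account and nowhere else. Remove it from
#    the account step 1 printed, then add it with -S, which refuses to create
#    a duplicate. Register both the FQDN and the short host name so that a
#    client using either name gets a ticket for the right key.
$WrongAccount = "$Domain\spwrongacct"   # assumed; take it from step 1
$RightAccount = "$Domain\sp_webapp"     # assumed; take it from step 3
$ShortName    = $Fqdn.Split('.')[0]

setspn -D "HTTP/$Fqdn"      $WrongAccount
setspn -D "HTTP/$ShortName" $WrongAccount
setspn -S "HTTP/$Fqdn"      $RightAccount
setspn -S "HTTP/$ShortName" $RightAccount

# 5. Verify the result, purge the cached tickets on the client before
#    retesting (it would otherwise keep presenting the old ticket encrypted
#    with the wrong key), and watch for further occurrences. Event ID 4 from
#    Security-Kerberos in the System log is the KRB_AP_ERR_MODIFIED message
#    quoted in the question.
setspn -L $RightAccount
klist purge
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 4
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Two caveats worth checking while you are in there. Because the SPN is keyed on the host name, Central Administration (farm account) and a content web application (its own pool account) answering on the same server FQDN cannot both be satisfied by one HTTP/<server FQDN> SPN; give each web application its own host header and DNS name and register that name on its own pool account. And if step 1 already shows the SPN on the right account and the error persists, the second cause named in the event text applies: the password IIS holds for the pool account no longer matches the one in Active Directory, so update the managed account's password in Central Administration (or with Set-SPManagedAccount) rather than touching the SPNs again.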
