?
Solved

How do I properly configure Kerberos to work with Sharepoint and Project Server 2010?

Posted on 2011-02-22
1
Medium Priority
?
1,321 Views
Last Modified: 2012-05-11
Hello,

I am trying to build out a new SharePoint 2010 Farm for the purpose of Project Server 2010.  I have two Web Front End server, an Application Server, and 2 SQL Servers.  When I installed SharePoint I told the installer to use Kerberos for authentication.  

I have attempted to setup SPNs per the guide Microsoft made availiable here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

When I attempt to log into Central Admin fron a remote machine, it will not accept my credentials...I can only access Central Admin from the local machine on which it is installed.  I am unable to provision the PWA databases as well and have a feeling it is due to a Kerberos issue.

The error I am able to view in the event log is as follows:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svrfa. The target name used was HTTP/<server FQDN>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<DOMAIN>) is different from the client domain (<DOMAIN>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In researching this error I came across the following site:
http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

At the bottom it explains what I am experiancing stating
"When the web front-end tries to decrypt the service ticket, the key is incorrect because this was encrypted using the SPN accounts key (domain\spcontentpoolacct) and decrypted with application pool accounts private key (domain\spwrongacct). The error KRB_AP_ERR_MODIFIED will be sent to the client and appear in the Windows System event log."

My question is how to I correctly identify which account is being used to decrypt the key, vs the correct account that should be decrypting the key, and do I just need to remove the SPN for the incorrect account and add one for the correct one?

Any help in troubleshooting this matter would be appreciated!
0
Comment
Question by:ADX39655
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 14

Accepted Solution

by:
KoenVosters earned 2000 total points
ID: 34953507
You should have the SPN HTTP/.... with ADSIEDIT linked to the identity of the application pool of the web application.
That SPN can only exist once.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Hey fellow admins! This time, I have a little fairy tale for you. As many tales do, it starts boring and then gets pretty gory. I hope you like it. TL;DR: It is about an important security matter, you should read it if you run or administer Windows …
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question