[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

How do I properly configure Kerberos to work with Sharepoint and Project Server 2010?

Posted on 2011-02-22
1
Medium Priority
?
1,334 Views
Last Modified: 2012-05-11
Hello,

I am trying to build out a new SharePoint 2010 Farm for the purpose of Project Server 2010.  I have two Web Front End server, an Application Server, and 2 SQL Servers.  When I installed SharePoint I told the installer to use Kerberos for authentication.  

I have attempted to setup SPNs per the guide Microsoft made availiable here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1a794fb5-77d0-475c-8738-ea04d3de1147&displaylang=en

When I attempt to log into Central Admin fron a remote machine, it will not accept my credentials...I can only access Central Admin from the local machine on which it is installed.  I am unable to provision the PWA databases as well and have a feeling it is due to a Kerberos issue.

The error I am able to view in the event log is as follows:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server svrfa. The target name used was HTTP/<server FQDN>. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (<DOMAIN>) is different from the client domain (<DOMAIN>), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

In researching this error I came across the following site:
http://www.windowsecurity.com/articles/Troubleshooting-Kerberos-SharePoint-environment-Part1.html

At the bottom it explains what I am experiancing stating
"When the web front-end tries to decrypt the service ticket, the key is incorrect because this was encrypted using the SPN accounts key (domain\spcontentpoolacct) and decrypted with application pool accounts private key (domain\spwrongacct). The error KRB_AP_ERR_MODIFIED will be sent to the client and appear in the Windows System event log."

My question is how to I correctly identify which account is being used to decrypt the key, vs the correct account that should be decrypting the key, and do I just need to remove the SPN for the incorrect account and add one for the correct one?

Any help in troubleshooting this matter would be appreciated!
0
Comment
Question by:ADX39655
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 14

Accepted Solution

by:
KoenVosters earned 2000 total points
ID: 34953507
You should have the SPN HTTP/.... with ADSIEDIT linked to the identity of the application pool of the web application.
That SPN can only exist once.
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What we learned in Webroot's webinar on multi-vector protection.
What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question