SQL Reporting Integration Kerberos Difficulties

First, let me recommend the best document I found for configuring MOSS and SQL Reporting integration:
http://www.officesharepointpro.com/content/1879/Information-Integration--SSRS-and-MOSS-2007--.aspx

I set up a MOSS implementation with a separate SQL server, a MOSS server hosting the front end and the shared services, and a separate SQL Reporting server with the MOSS front-end installed as discussed in the documentation above.

I ran into an issue between the SQL Reporting server and the MOSS server. The Windows Integrated Authentication worked on the SQL Reporting server when accessing the ReportServer site via the browser. It didn't work on the MOSS server. In testing the authentication worked to another site with static content. In the application event log, a Kerberos error was listed:
Event Type: ErrorEvent Source: KerberosEvent Category: NoneEvent ID: 4
Description:The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/or-bcxensqlrep.teamfusion.local. The target name used was HTTP/or-bcxensqlrep.teamfusion.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEAMFUSION.LOCAL), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Since I was the system administrator, I gave myself a call and complained bitterly about the crappy performance the SQL Reporting Service was doing and I should do something fast about it. With my ears burning at that vociferous call, I started troubleshooting...and probing... and scratching my head. Eventually, through eventid.net, I found the IIS 6.0 Resource Kit Chapter 5
Managing a Secure IIS 6.0 Solution.

This discusses "Kerberos Authentication Requires SPNs for Multiple Worker Processes" which occurs with domain accounts used as service accounts for worker processes. The setspn utility can be used to register the domain account with the hostname of the server in AD.
setspn.exe -A HOST\servername.FQDN domain\useraccount

It worked like a charm.

Comments

Post a Comment

Popular posts from this blog

Robocopy Error 31 A device attached to the system is not functioning

I was migrating Windows file shares to NetApp CIFS shares using Robocopy. I was unable to copy owner information or NTFS Security (/COPY:DATSOU) without getting this Error: ERROR 31 (0x0000001F) Copying NTFS Security to Destination Directory F:\PATH A device attached to the system is not functioning. I thought it may be the zone information on may of these files. I used the Sysintenals Streams utility to remove that information. It did not help. In the end, I was forced to copy without NTFS information (/COPY:DATU) When I viewed the properties of any share, folder, or file, the length of time to enumerate and display the permissions was exceedingly slow. I tried disabling anti-virus, etc. In the end, I had to manually re-create the permissions after the initial data copy. File ownership information was lost. UPDATE: I ran a CHKDSK /F and following a reboot this robocopy functioned fine.
Read more

"The following factors also affect the level of access for" user with excess permissions

Image
I have a user that had access to site settings, all content, etc. I double checked her access and it was read only but the permissions check tool showed a panel beneath the site permissions that showed Allow for many categories. She had full control. "The following factors also affect the level of access for" She was added as a Site Collection Administrator. I don't know who would have added her there, but someone had. If you find this type of issue, that should be the first thing you check. You can also check the Web Application User Policy in Central Admin. That's the other area I find people or groups with elevated permissions.
Read more

Unknown server tag 'AdminControls:MigrationToolPromotionTip'. in Central Admin after installing SharePoint 2013 security update KB4482464

I installed KB4482464 on my sandbox server without issue so I moved to my development farm. Following the patch, Central Admin (CA) had an error: Unknown server tag 'AdminControls:MigrationToolPromotionTip'. I noticed that the sandbox environment CA had this banner: You can now use the SharePoint Migration Tool to migrate to OneDrive and SharePoint Online. It looks like that failed in the Dev farm. The Configuration Wizard GUI failed to successfully run. Solution: I ran PSCONFIG with these options on my primary APP server: psconfig.exe -cmd helpcollections -installall -cmd secureresources -cmd services -install -cmd installfeatures -cmd applicationcontent -install -cmd upgrade -inplace b2b -force -wait I ran PSCONFIG with these options on my remaining app, search and WFE servers: psconfig.exe -cmd upgrade -inplace b2b -wait -force I will exclude this update from my deployment on SCCM and run it manually.
Read more