SQL Reporting Integration Kerberos Difficulties

First, let me recommend the best document I found for configuring MOSS and SQL Reporting integration:
http://www.officesharepointpro.com/content/1879/Information-Integration--SSRS-and-MOSS-2007--.aspx

I set up a MOSS implementation with a separate SQL server, a MOSS server hosting the front end and the shared services, and a separate SQL Reporting server with the MOSS front-end installed as discussed in the documentation above.

I ran into an issue between the SQL Reporting server and the MOSS server. Windows Integrated Authentication worked on the SQL Reporting server when accessing the ReportServer site via the browser. It didn't work on the MOSS server. In testing, authentication worked to another site with static content. In the application event log, a Kerberos error was listed:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Description: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/or-bcxensqlrep.teamfusion.local. The target name used was HTTP/or-bcxensqlrep.teamfusion.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TEAMFUSION.LOCAL), and the client realm. Please contact your system administrator.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Since I was the system administrator, I gave myself a call and complained bitterly about the crappy performance the SQL Reporting Service was doing and that I should do something fast about it. With my ears burning at that vociferous call, I started troubleshooting... and probing... and scratching my head. Eventually, through eventid.net, I found the IIS 6.0 Resource Kit, Chapter 5, "Managing a Secure IIS 6.0 Solution".

That chapter discusses "Kerberos Authentication Requires SPNs for Multiple Worker Processes", which applies when domain accounts are used as service accounts for worker processes. The setspn utility can be used to register an SPN for the server's hostname on the domain account in AD (an SPN is written as service class, forward slash, host name):
setspn.exe -A HOST/servername.FQDN domain\useraccount

It worked like a charm.
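
A read-only check for the condition behind the event above, written in PowerShell as an added example (not from the original post or the Resource Kit): it looks up which account holds the HTTP SPN the client requested and compares it with the worker process identity. The host name and account name are placeholders, and the search covers only the current domain.

```powershell
# Added example: read-only AD query, changes nothing. Run from a domain-joined host.
# Placeholders (assumptions): set both to your own values.
$TargetFqdn     = 'reportserver.example.local'  # name clients use in the URL
$ServiceAccount = 'svc-ssrs'                    # sAMAccountName of the app pool identity

function Get-SpnOwner {
    param([Parameter(Mandatory = $true)][string]$Spn)
    # Every account in the current domain that carries this exact SPN value.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

function Test-ServiceSpn {
    param([string]$Fqdn, [string]$Account)
    # Check both the FQDN and the short host name, since clients may use either.
    $names = @($Fqdn, $Fqdn.Split('.')[0]) | Select-Object -Unique
    foreach ($name in $names) {
        $spn    = "HTTP/$name"
        $owners = @(Get-SpnOwner -Spn $spn)
        if ($owners.Count -eq 0) {
            # No explicit HTTP SPN: the KDC maps HTTP to HOST, which the
            # computer account registers for itself.
            $spn    = "HOST/$name"
            $owners = @(Get-SpnOwner -Spn $spn)
        }
        if ($owners.Count -eq 0) {
            $verdict = 'NOT REGISTERED'
        } elseif ($owners.Count -gt 1) {
            $verdict = 'DUPLICATE'      # more than one account holds the SPN
        } elseif ($owners -contains $Account) {
            $verdict = 'OK'             # ticket key matches the service identity
        } else {
            $verdict = 'MISMATCH'       # ticket is encrypted for a different account
        }
        [pscustomobject]@{
            Requested = "HTTP/$name"
            Resolved  = $spn
            Owners    = $owners -join ', '
            Verdict   = $verdict
        }
    }
}

Test-ServiceSpn -Fqdn $TargetFqdn -Account $ServiceAccount | Format-Table -AutoSize
```

A MISMATCH row is the situation the KRB_AP_ERR_MODIFIED event describes: the service ticket was encrypted with the key of the account listed under Owners, while the worker process tries to decrypt it as the service account.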
