Kerberos; SetSPN; Issues with Reporting Services on SQL2005

We created an HTTP endpoint on our SQL2005 system.

(So we can send WebService responses from our client apps, directly to the database)

Following the BOL, "Configuring the HTTP Kernel-Mode Driver (http.sys)"

We set up the accounts using the described SetSPN.exe method:

setspn -a http/server domain\serviceaccount

setspn -a http/server.domain.company.com domain\serviceaccount

Endpoints work fine.

But now... We have an issue connecting to the Reporting Services

If we connect via: http://servername/Reports$Instance

We get prompted for Security information, and ultimately page not authorized.

If we connect via http://ipaddress/Reports$instance

We get prompted for Security information, but do get to the Reports Home page

If we undo the SetSPN (via -D); Reporting Services work with no security prompting, and both via server name and IP. BUT, endpoints stop working.

When we have the SPNs enabled, we get an error in the error log on the client side:

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.domain.company.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (domain.company.com), and the client realm. Please contact your system administrator

I have tried removing the system from the domain, deleting the account, and re-adding it. No fix. I have tried a few others (based on searches), nothing has changed.

It has something to do with the SPNs, but I just can't figure out what the right combination of settings would be to allow endpoints and reporting services on the same system.




  • KenHolt

    Thank you tudor.

    Your description and link helped me figure out what was going on.

    It was an "account" issue, on the installation of the Report Services.

    The "service" installed as the correct domain\serviceaccount

    The Application Pool, though, installed as the "generic" Network Account

    So I adjusted the Application Pool to use the Services account, and then in turn configured Reporting Service to use that account as well.

    Now everything lives happy together......

    Thanks for the "redirection" it helped me piece all of this together.

    Earl
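
The account mismatch described in the answer above, modelled as an added example (not code from the thread or from Microsoft): it parses `setspn -L` style output and reports which HTTP listener cannot decrypt the service ticket. Assumptions: the sample output and the function names are constructed for illustration, NetworkService is taken to authenticate as the computer account, and a missing HTTP SPN is taken to fall back to the computer account's HOST SPN.

```python
import re

# Constructed sample of `setspn -L` output for the two accounts involved.
SETSPN_L = """\
Registered ServicePrincipalNames for CN=serviceaccount,CN=Users,DC=domain,DC=company,DC=com:
        http/server
        http/server.domain.company.com
Registered ServicePrincipalNames for CN=SERVER,CN=Computers,DC=domain,DC=company,DC=com:
        HOST/server
        HOST/server.domain.company.com
"""

def parse_spns(text):
    """Map each lower-cased SPN to the list of account CNs that register it."""
    owners, account = {}, None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            account = m.group(1).lower()
        elif line.strip() and account:
            owners.setdefault(line.strip().lower(), []).append(account)
    return owners

def ticket_account(owners, host):
    """Accounts whose key encrypts a ticket for http/<host>. Assumption: with
    no explicit HTTP SPN the KDC uses the computer account's HOST SPN."""
    for spn in (f"http/{host}", f"host/{host}"):
        if spn in owners:
            return owners[spn]
    return []

def check(owners, host, identities):
    """Return (service, status) for every process answering HTTP on host.
    identities: service name -> account CN the process runs as."""
    holders = ticket_account(owners, host.lower())
    results = []
    for service, identity in identities.items():
        if len(holders) != 1:
            status = "no SPN" if not holders else "duplicate SPN"
        elif holders[0] == identity.lower():
            status = "ok"
        else:
            status = "KRB_AP_ERR_MODIFIED"  # ticket key differs from the process key
        results.append((service, status))
    return results

# Assumption: NetworkService presents the computer account (SERVER) on the network.
BEFORE = {"SQL HTTP endpoint": "serviceaccount", "Reports app pool": "SERVER"}
AFTER = {"SQL HTTP endpoint": "serviceaccount", "Reports app pool": "serviceaccount"}
```

With the two `http/` lines removed from the sample, the result flips: the app pool reads `ok` and the endpoint fails, which matches the behaviour after `setspn -D` in the question.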


  • Scott McLean

    It's possible the SetSPN command below can overwrite the existing settings in IIS. Is there anything registered prior to the SQL SPN? See also this article:

    http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/df979570-81f6-4586-83c6-676bb005b13e.mspx?mfr=true

    Thanks

    Tudor


