WSS 3.0 with Kerberos, new AD, setspn set, but servers outside the WSS server can't authenticate into the site - Not Authorized

  • Question

  • On a fresh WSS 3.0 install.

    3 servers on a new AD, all 2008 R2. A WSS server (will be my only WFE), a SQL 2008 DB server and another server with nothing on it.

    I have a WSS service user which is also the farm admin and has DBA in the database.

    Plan is to use Kerberos - I have another environment where everything is working great - but having trouble on the new install.

    WSS install went fine. Created a new web app and site collection at the root of the server.

    I've set SPNs for the WSS server (short and long names) and they look good, and trusted that server for delegation and the service account for delegation.

    I've performed the cscript adsutil step on the WSS server.

    My application pool for the website is the same service user that is trusted for delegation and used in setspn.

    I have the short and long WSS server names in the IIS site bindings and WSS alternate access mappings.

    Under IIS authentication for the site, I see Windows authentication is enabled and see both providers, and Enable kernel-mode authentication is checked.

    From IE on the WSS server I can access the root site on port 80; goes right in. Looks great.

    However, from another server in the domain, when I attempt to access the site from IE I get prompted for security but it never lets me authenticate. I've tried as the farm/service account and my user in the domain that also has access and is farm admin. Neither work.

    Do I need to perform setspn steps on the SQL 2008 server? I've trusted the server for delegation - did not help. I don't think so, as I never had to do these on another install.

    What's an easy way to test if the Kerberos handshake is failing? What logs, and where, might I see the issue? It just keeps prompting for security, so it's seeing the site, and then I finally get Not Authorized HTTP 401.

    I'm almost remembering another AD switch I might need to set beyond trust for delegation...

    Thanks.


    Friday, March 4, 2011 10:00 PM
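A pre-flight check for the prerequisites the question lists, added here as an example and not part of the original post. It is PowerShell for the WSS server (2008 R2 ships PowerShell 2.0 and the WebAdministration module); the account, host and site names are placeholders, and it assumes the HTTP SPNs are meant to live on the application pool account. It verifies that each HTTP SPN is registered on exactly one account, that the account carries the TRUSTED_FOR_DELEGATION bit which "Trust this user for delegation" sets, and that the application pool really runs as that account.

```powershell
# Added example: Kerberos pre-flight for a SharePoint web application.
# Placeholders, adjust to your environment:
$ServiceAccount = 'wssservice'                    # sAMAccountName of the app pool account
$WebHost        = 'wssserver'                     # short name in the site URL
$WebFqdn        = 'wssserver.corp.example.com'    # FQDN in the site URL
$SiteName       = 'SharePoint - 80'               # IIS site of the web application

$problems = @()

# 1. Each HTTP SPN must be held by exactly one account, and that account must be
#    the one the app pool runs as. A second holder (for instance the machine
#    account, if setspn was run against it earlier) yields KRB_AP_ERR_MODIFIED.
foreach ($spn in @("HTTP/$WebHost", "HTTP/$WebFqdn")) {
    $holders = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
                 ForEach-Object { $_.Properties['samaccountname'][0] })
    switch ($holders.Count) {
        0       { $problems += "$spn is not registered on any account" }
        1       { if ($holders[0] -ne $ServiceAccount) {
                      $problems += "$spn is registered on $($holders[0]), not $ServiceAccount" } }
        default { $problems += "$spn is duplicated on: $($holders -join ', ')" }
    }
}

# 2. "Trust this user for delegation to any service (Kerberos only)" sets the
#    TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl.
$acct = ([adsisearcher]"(sAMAccountName=$ServiceAccount)").FindOne()
if ($acct -eq $null) {
    $problems += "account $ServiceAccount not found in the current domain"
} else {
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    if (-not ($uac -band 0x80000)) {
        $problems += "$ServiceAccount is not trusted for delegation (userAccountControl=0x$($uac.ToString('X')))"
    }
}

# 3. The application pool of the site must actually run as that account.
Import-Module WebAdministration
$pool     = (Get-Website -Name $SiteName).applicationPool
$identity = (Get-Item "IIS:\AppPools\$pool").processModel.userName
if (($identity -split '\\')[-1] -ne $ServiceAccount) {
    $problems += "app pool '$pool' runs as '$identity', not $ServiceAccount"
}

if ($problems.Count -eq 0) { 'All Kerberos prerequisites look consistent.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell on the web front end as a domain user who can read AD. The SPN lookup searches the whole domain rather than one account, which is the difference between `setspn -L account` (what the account has) and what the KDC will actually find.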

Answers

  • Deleg config needs to be added as a virtual directory in the same web application where Kerberos is failing.

    Also, you have mentioned that you have Kernel mode authentication checked. While configuring Kerberos for 2010, it was mentioned that Kernel mode authentication should be left unchecked for Kerberos to work. Not sure if this is specific to 2010 though.

    Also, I think you might have already looked at this article (http://support.microsoft.com/kb/832769), since you have already performed all the steps mentioned. Just check the stsadm piece of it once.


    • Marked as answer by Leoyi Sun Friday, March 11, 2011 8:29 AM
    Wednesday, March 9, 2011 9:23 PM
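The kernel-mode point in the answer applies to exactly the configuration in this thread. With kernel-mode Windows authentication on, http.sys decrypts the service ticket with the machine account's key unless the site's windowsAuthentication section also has useAppPoolCredentials="true"; when the HTTP SPN is registered on a domain service account instead, the server holds the wrong key and the client logs KRB_AP_ERR_MODIFIED. The following is an added example, not part of the thread, that reads the effective settings for a site and optionally applies one of the two consistent states; the site name is a placeholder.

```powershell
# Added example: inspect and fix kernel-mode vs. app pool credentials for an IIS 7 site.
$SiteName = 'SharePoint - 80'   # placeholder: IIS site of the web application
$Fix      = 'none'              # 'none' | 'disable-kernel-mode' | 'app-pool-credentials'

Import-Module WebAdministration
$path   = "IIS:\Sites\$SiteName"
$filter = 'system.webServer/security/authentication/windowsAuthentication'

function Get-WinAuthSettings {
    # Effective windowsAuthentication section for the site, plus the provider order.
    $section   = Get-WebConfiguration -Filter $filter -PSPath $path
    $providers = Get-WebConfiguration -Filter "$filter/providers/add" -PSPath $path |
                 ForEach-Object { $_.value }
    New-Object PSObject -Property @{
        enabled               = $section.enabled
        useKernelMode         = $section.useKernelMode
        useAppPoolCredentials = $section.useAppPoolCredentials
        providers             = ($providers -join ', ')
    }
}

$before = Get-WinAuthSettings
"Before: enabled=$($before.enabled) kernelMode=$($before.useKernelMode) " +
"appPoolCreds=$($before.useAppPoolCredentials) providers=$($before.providers)"

if ($before.providers -notmatch '^Negotiate') {
    'WARNING: Negotiate is not the first provider; IE will not offer a Kerberos ticket.'
}
if ($before.useKernelMode -and -not $before.useAppPoolCredentials) {
    'WARNING: kernel mode ON with useAppPoolCredentials OFF: tickets are decrypted with the ' +
    'machine account key, so an HTTP SPN on the app pool account cannot be decrypted.'
}

# The two consistent states for an HTTP SPN held by the app pool account:
#   kernel mode OFF                               (what the answer recommends), or
#   kernel mode ON + useAppPoolCredentials=true   (http.sys then uses the pool account's key)
$p = @{ Filter = $filter; PSPath = $path }
switch ($Fix) {
    'disable-kernel-mode'  { Set-WebConfigurationProperty @p -Name useKernelMode -Value $false }
    'app-pool-credentials' { Set-WebConfigurationProperty @p -Name useKernelMode -Value $true
                             Set-WebConfigurationProperty @p -Name useAppPoolCredentials -Value $true }
    default                { 'No change applied (set $Fix to apply one of the two states).' }
}

if ($Fix -ne 'none') {
    $after = Get-WinAuthSettings
    "After:  kernelMode=$($after.useKernelMode) appPoolCreds=$($after.useAppPoolCredentials)"
}
```

Either state removes the key mismatch; which one to pick is a question of whether you want http.sys to do the authentication work. The same change can be made with appcmd: `appcmd set config "SharePoint - 80" -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"false" /commit:apphost`.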

All replies

  • Have you checked your server event logs?

    Have a look at this article: http://blogs.msdn.com/b/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx


    Based on this article you also have to set up SPNs for SQL: http://www.windowsecurity.com/articles/Kerberos-Sharepoint-Environment.html


    You can also download the kerbtray tool to view/reset Kerberos tickets.


    Dimitris Porikos, MCTS
    Saturday, March 5, 2011 11:03 AM
  • This is the event error we are seeing.

    I've confirmed and our SPNs look fine - they are set for the web server and the web app pool is using that same user. In IIS 7.0, I see Negotiate is enabled as a provider first (as are NTLM and Negotiate:Kerberos) and kernel-mode auth is on in Windows authentication advanced settings.

    The computer name and full computer name are set to that AD account as SPNs. Everything looks perfect.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          3/7/2011 4:50:04 AM
    Event ID:      4
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      ***FIMTEST01.xxxfimad.xxx.xxxxxx.xxx
    Description:
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxxxx. The target name used was HTTP/xxxxx.xxxx.xxxxx. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (***FIMAD.xxx.xxxxxx.xxx) is different from the client domain (***FIMAD.xxx.xxxxxx.xxx), check if there are identically na*** server accounts in these two domains, or use the fully-qualified name to identify the server.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
        <EventID Qualifiers="16384">4</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-03-07T09:50:04.000000000Z" />
        <EventRecordID>6403</EventRecordID>
        <Correlation />
        <Execution ProcessID="0" ThreadID="0" />
        <Channel>System</Channel>
        <Computer>***FIMTEST01.xxxfimad.xxx.xxxxxx.xxx</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="Server">***fimtest02$</Data>
        <Data Name="TargetRealm">***FIMAD.xxx.xxxxxx.xxx</Data>
        <Data Name="Targetname">HTTP/***fimtest02.xxxfimad.xxx.xxxxxx.xxx</Data>
        <Data Name="ClientRealm">***FIMAD.xxx.xxxxxx.xxx</Data>
        <Binary>
        </Binary>
      </EventData>
    </Event>

    Monday, March 7, 2011 4:12 PM
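To go from the event above to the account that actually holds the ticket's SPN, here is an added example (not from the thread) for the client that logged it. Event ID 4 carries the two principals that disagree: Server is the principal the remote service answered as (fimtest02$, a computer account) and Targetname is the SPN the client obtained a ticket for (HTTP/fimtest02..., which the setspn output later in the thread shows registered on the service account). The script reads recent Event 4 entries, pulls those fields out of the event XML, and lists every account in AD that holds the target SPN, so a duplicate, or a holder that is not the account the service decrypts with, shows up directly. It assumes the client is domain-joined and the caller can read the System log.

```powershell
# Added example: map Kerberos event ID 4 (KRB_AP_ERR_MODIFIED) to the SPN holders in AD.
function Get-SpnHolders([string]$Spn) {
    # Every account (user or computer) that has $Spn in servicePrincipalName.
    @(([adsisearcher]"(servicePrincipalName=$Spn)").FindAll() |
      ForEach-Object { $_.Properties['samaccountname'][0] })
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4
} -MaxEvents 25 -ErrorAction SilentlyContinue

if (-not $events) { 'No Kerberos event ID 4 entries in the System log.'; return }

$events | ForEach-Object {
    $ev = $_
    # EventData is a list of <Data Name="..."> elements; turn it into a hashtable.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $server  = $data['Server']        # principal the service replied as, e.g. fimtest02$
    $target  = $data['Targetname']    # SPN the client asked the KDC for, e.g. HTTP/fimtest02...
    $holders = Get-SpnHolders $target

    $verdict = switch ($holders.Count) {
        0       { 'SPN not registered anywhere; the KDC could not have issued a ticket for it' }
        1       { if ($server -and ($holders[0] -eq $server)) {
                      'SPN holder matches the replying principal: check the account password/key sync'
                  } else {
                      "SPN held by $($holders[0]) but the service answered as $server`: " +
                      'the service decrypts under a different account than the SPN holder'
                  } }
        default { "duplicate SPN on: $($holders -join ', ')" }
    }

    New-Object PSObject -Property @{
        Time    = $ev.TimeCreated
        Server  = $server
        Target  = $target
        Holders = ($holders -join ', ')
        Verdict = $verdict
    }
} | Format-List Time, Server, Target, Holders, Verdict
```

On the data in this post the output would be Server fimtest02$, Holders wssservice and the "decrypts under a different account" verdict: the KDC encrypted the ticket to the service account's key (because that is where HTTP/fimtest02 is registered), while the web server tried the machine account's key.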
  • That guide was exactly what we needed. But we are having some issues with the steps.

    stsadm -o setsharedwebserviceauthn

    gives us: Missing Operation name or the operation name is invalid. This is a WSS 3.0 SP2 install. Possibly related, but I don't see a Shared Services Provider on my farm - do I need to create one? Any good guide for setting up an SSP (Shared Service Provider) in WSS 3.0? Or is that only a MOSS option?

    And in the step to change properties of the IIS WAMREG Admin Service (we are running Windows 2008 R2), when I open up the security properties none of the three options are available for change - they are all grayed out.


    Monday, March 7, 2011 4:46 PM
  • I might have missed something here.

    How do I create an SSP in WSS 3.0?  Can I run Kerberos on my WSS 3.0 sites?


    Monday, March 7, 2011 5:08 PM
  • I would recommend a tool called Deleg Config (http://blogs.iis.net/brian-murphy-booth/archive/2007/03/09/delegconfig-delegation-configuration-reporting-tool.aspx)

    This is an awesome utility to troubleshoot Kerberos delegation issues. I have used this to fix our Kerberos configuration.

    Also, from the initial description that you have provided, can you also confirm if you have SPNs set for the WSS service account for the SQL service?

    Monday, March 7, 2011 5:35 PM
  • They are set for the SQL server, but not as http - as MSSQLsvc.

    setspn -L xxxxad\wssservice

    Registered ServicePrincipalNames for CN=WSSService,CN=Users,DC=xxxxx,DC=xxxx,DC=xxxx,DC=xxx:


            MSSQLsvc/sql1.xxxx.xxxx.xxxix.xx:1433
            MSSQLsvc/sql1:1433
            http/wssserver.xxxxad.xxx.xx.xxx
            http/wssserver


    I am unable to perform this step: stsadm -o setsharedwebserviceauthn (not clear if I should do this step for a WSS install).

    And even though I have domain and local admin and am running regedit as administrator, I am unable to change permissions on DCOM IIS WAMREG; I get access denied.

    Thanks.


    BTW, in my production MOSS environment we do not have our DB servers under SPNs and Kerberos works perfectly.


    Monday, March 7, 2011 5:57 PM
  • Set up DelegConfig on the same web application as your WSS site. It should tell you about the duplicate SPNs and should also give you a report on whether your delegation succeeds or fails.

    This would be the best way to identify if Kerberos is working.


    Monday, March 7, 2011 6:25 PM
  • I only have one web application and one service account/farm account and it's set for delegation. Are you talking about configuration of the product you suggested? If not, where?
    Monday, March 7, 2011 6:44 PM
  • I'd like to try one of those utilities like KerbTray; working on that now, but I suspect it's only going to tell me what I already know, that the Kerberos handshake is failing.

    Could the source of my problem be that my only WSS web application and my MOSS and WFE server have the same name?

    http://fimserver


    Monday, March 7, 2011 7:13 PM
  • It should not matter so long as you have the correct accounts and delegation set. Also, the tool I suggested is just another virtual directory in the same web application. Once you add it as a virtual directory, you can access it using http://webappurl/kerberos.

    Kerbtray would only tell you if Kerberos tickets are issued or not. It would not tell you why it is failing.

    Also, can you confirm which is your SharePoint server? FIMTEST01 or fimtest02. It looks like there is a failure on test01. If this is your SQL server, check the service account that the SQL service is running under on that server.

    Monday, March 7, 2011 7:24 PM
  • The error message was from a client on the domain (not the WSS server or the SQL server). Server names changed for security reasons in this post.

    To keep things simple (in this prototype), I only have one service user I'm using as the farm admin, the WSS service user and the SQL service user. The DB server is started with that account and all those SPNs are for that account.

    setspn -L mydomain\wssservice produces this.

            MSSQLsvc/sql1.xxxx.xxxx.xxxix.xx:1433
            MSSQLsvc/sql1:1433
            http/wssserver.xxxxad.xxx.xx.xxx
            http/wssserver


    Possibly related: the time on my servers keeps going back 4 hours after I set it. Would you know what might be causing this?

    Monday, March 7, 2011 7:43 PM
  • This could cause authentication problems if your servers are out of sync with AD by more than 5 minutes. I cannot say for certain what could be causing this.
    Monday, March 7, 2011 8:04 PM
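Kerberos rejects tickets when the client and KDC clocks differ by more than the default 5-minute skew, so the drift described above is worth measuring rather than guessing at. Added example, not from the thread: it samples the offset between this host and a domain controller with w32tm, prints the configured time source and local time zone (a 4-hour jump is the size of a zone offset, so that is the first thing to compare), and flags any sample beyond 300 seconds. The DC name is a placeholder.

```powershell
# Added example: measure clock skew against a domain controller (Kerberos default limit: 5 minutes).
$Dc         = 'dc01.corp.example.com'   # placeholder: any DC in the test forest
$MaxSkewSec = 300

function Get-ClockSkewSeconds([string]$Peer, [int]$Samples = 3) {
    # w32tm /stripchart /dataonly prints one "hh:mm:ss, +00.1234567s" line per sample
    # after a short header; the signed number is local clock minus the peer's clock.
    $lines   = & w32tm /stripchart /computer:$Peer /samples:$Samples /dataonly 2>&1
    $offsets = @(foreach ($l in $lines) {
        if ("$l" -match ',\s*([+-]\d+\.\d+)s') { [double]$matches[1] }
    })
    if ($offsets.Count -eq 0) { throw "no offset samples from $Peer`: $($lines -join ' / ')" }
    $abs = $offsets | ForEach-Object { [math]::Abs($_) }
    New-Object PSObject -Property @{
        Last   = $offsets[-1]
        MaxAbs = ($abs | Measure-Object -Maximum).Maximum
    }
}

$skew = Get-ClockSkewSeconds $Dc
"Time source    : $(& w32tm /query /source)"
"Local zone     : $([TimeZoneInfo]::Local.DisplayName)"
"Offset vs $Dc : $($skew.Last)s (largest |offset| in sample: $($skew.MaxAbs)s)"

if ($skew.MaxAbs -gt $MaxSkewSec) {
    "SKEW EXCEEDS $MaxSkewSec s: Kerberos will reject tickets (KRB_AP_ERR_SKEW) until time is resynced."
    "Resync with: w32tm /resync   (and w32tm /config /syncfromflags:domhier /update if the source is wrong)"
} else {
    'Clock skew is within Kerberos tolerance.'
}
```

Run it on each member server and on the client that logged the Kerberos error; a member whose time source is "Local CMOS Clock" rather than a DC is the usual reason the offset keeps coming back.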
  • I've read all the blogs and suggestions.. everything seems perfect but still having problems.

    I tried installing DelegConfig on its own website/port under Windows 2008 R2 (without Kerberos), but I'm getting:

     System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed

    I checked the web.config and it appears to have full control.

    On my constant prompts for security and the "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server xxxxx" error when attempting to access a SharePoint site under Kerberos, some guesses on why this might be happening based on differences in my configuration:

    - I have SPNs set for the database and the web server, but I'm using the same service account to run my SharePoint farm, the app pool and the SQL instance. Should that matter?

    setspn -l xxxfimad\wssservice
    Registered ServicePrincipalNames for CN=WSSService,CN=Users,DC=xxxfimad,DC=xxx,DC=domain,DC=com:
            MSSQLSVC/xxxfimtestsql01:1433
            MSSQLsvc/xxxfimtestsql01.xxxfimad.xxx.domain.com:1433
            http/xxxfimtest02.xxxfimad.xxx.domain.com
            http/xxxfimtest02


    - This is a new AD, but I'm using the existing production DNS.

    - When I perform a setspn -L WEBSERVERNAME (on my new 2008 R2 web server) I see entries like this that I don't see on my 2003 server:

     RestrictedKrbHost/xxxFIMTEST02

    - I know in production we have clients joined into different OUs that have Kerberos problems. Might there be something in our new test AD that I am missing? The service account does have trust for delegation set. But I noticed in working production, none of the other account Kerberos switches are set.

    Wednesday, March 9, 2011 5:38 PM