locked
Login Popup on Additional SharePoint 2007 Web Front End RRS feed

  • Question

  • I've recently joined a third front end web server to our existing SP 2007 SP2 farm, but when I try to access SharePoint using that server, I'm prompted with 3 login boxes which I can't resolve even if I'm using admin credentials. After the 3 attempts, I'm sent to a 'Not Authorized' page. After joining the new server, I verified no missing files in the 12-hive and compared the web.config file to the existing web front ends. One important detail is I'm running Kerberos for authentication, but the SetSPN commands were run as needed. Any ideas?

    Updated:

    I believe I've discovered the error is Kerberos related, but I'm not sure how to resolve. Here is the error:

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server servername. The target name used was HTTP/deleted.deleted.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is



    • Edited by bmwatson Friday, February 17, 2012 10:45 PM
    Friday, February 17, 2012 10:35 PM

All replies

  • Hi,

    Have you compared the SET SPN commands executed on this server with other server?

    Have you found any discrepancy?


    Thanks, Rahul Rashu

    Sunday, February 19, 2012 5:47 PM
  • Hi Rahul,

    Good question....yes I have done this and the SPNs are the same as our other two web servers. We have SPN HTTP setup on the new server using the same farm account.

    The only difference is the old two web servers are running IIS6 and the new web server is running IIS7.5. My understanding is because of this, IIS7.5 requires additional SPN commands for MSSP, which are setup only on the new web server. Here is an idea of the MSSP command I ran:

    Setspn.exe -A "MSSP/webserver:56737/Main Shared Services" domain\SPssp

    Thanks for taking a look at this!

    Monday, February 20, 2012 4:51 PM