Posts created by a.haist

  1. Hello Community,

     

    I am at a customer who has some Kerberos problems in their SharePoint/K2 environment.

     

    Topology:

    The customer has one SharePoint server with all roles and K2 2003 for workflows on it, and one SQL Server 2005. Windows Server 2003, SQL Server 2005 and SharePoint 2007 are up to date.

     

    Problem:

    The customer wants to have Kerberos as auth. protocol and therefore we have done the following steps to enable it:

     

    1. Enable Kerberos for SQL Server

    setspn -A MSSQLSvc/sql01.devdemo.de:1433 devdemo\_svc_sql

    Restarted SQL Server

    Test it with: select auth_scheme, * from sys.dm_exec_connections

    Works! 

    2. Added the URL as a SPN

    setspn -A HTTP/intranet.devdemo.de devdemo\_svc_app_intranet

    setspn -A HTTP/intranet devdemo\_svc_app_intranet

    3. Created a SPN for the Application pool Account

    setspn –A….

    4. Enable Kerberos in the SharePoint Web Application auth provider

    5. Set Service Accounts “Account is trusted for delegation”

     

    I tested with Fiddler whether the user now uses Kerberos when he enters the SharePoint site, and he does so…

     

    But we have still these Errors in the Event Log:

     

    Event Type: Error

    Event Source: Kerberos

    Event Category: None

    Event ID: 3

    Date: 25.09.2008

    Time: 09:24:34

    User: N/A

    Computer: W01ABBP01

    Description:

    A Kerberos Error Message was received:

    on logon session eu\user

    Client Time:

    Server Time: 7:24:34.0000 9/25/2008 Z

    Error Code: 0x18 KDC_ERR_PREAUTH_FAILED

    Extended Error:

    Client Realm:

    Client Name:

    Server Realm: eu

    Server Name: krbtgt/eu

    Target Name: krbtgt/eu@eu

    Error Text:

    File: e

    Line: 6c0

    Error Data is in record data.

     

    For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

    Data:


     

    Event Type: Error

    Event Source: Kerberos

    Event Category: None

    Event ID: 3

    Date: 25.09.2008

    Time: 09:22:52

    User: N/A

    Computer: W01ABBP01

    Description:

    A Kerberos Error Message was received:

    on logon session

    Client Time:

    Server Time: 7:22:52.0000 9/25/2008 Z

    Error Code: 0xd KDC_ERR_BADOPTION

    Extended Error: 0xc00000bb KLIN(0)

    Client Realm:

    Client Name:

    Server Realm: EU.TAKATACORP.COM

    Server Name: host/w01abbp01.eu.customer.com

    Target Name: host/w01abbp01.eu.customer.com@EU.CUSTOMER.COM

    Error Text:

    File: 9

    Line: ae0

    Error Data is in record data.

     

    For more information, see Help and Support Center at Events and Errors Message Center: Basic Search.

    Data:

    0000: 30 15 a1 03 02 01 03 a2 0.¡....¢

    0008: 0e 04 0c bb 00 00 c0 00 ...»..À.

    0010: 00 00 00 03 00 00 00 .......

     

    I already searched for a resolution, and some forum entries pointed out that this could be a problem with a cross-forest trust, and some that the client has two SPNs. Hope that helps a little bit… Attached is the Netdiag /v file from that server, which shows that everything is fine!?!

     

    Questions:

    • Has anyone seen these errors before?

    • Is there any further configuration for K2 or the Server necessary?

    • How can I check if the server does not have two SPNs?

     

    Hope someone solved this problem before…

     

    Please contact me directly: andreas.haist@avanade.com

     

    Thanks,

    Andreas
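
Added example, not part of the original post: one way to approach the last question above is to export the servicePrincipalName attribute to LDIF (for instance with ldifde) and look for SPN values held by more than one account. The DNs and the WEB01 entry in the sample are constructed for illustration; only the SPN strings of the two service accounts come from the post.

```python
import base64
from collections import defaultdict

# Constructed LDIF sample: the DNs and the WEB01 entry are invented for
# illustration and are not taken from the customer's directory.
SAMPLE_LDIF = """\
dn: CN=_svc_app_intranet,OU=Service,DC=devdemo,DC=de
servicePrincipalName: HTTP/intranet.devdemo.de
servicePrincipalName: HTTP/intranet

dn: CN=_svc_sql,OU=Service,DC=devdemo,DC=de
servicePrincipalName: MSSQLSvc/sql01.devdemo.de:1433

dn: CN=WEB01,OU=Servers,DC=devdemo,DC=de
servicePrincipalName: http/INTRANET.devdemo.
 de
"""


def value_of(line):
    """Return (attribute, value) for 'attr: v' or base64-encoded 'attr:: v'."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr.lower(), rest.strip()


def duplicate_spns(ldif_text):
    """Map each SPN held by more than one account to the sorted DNs holding it."""
    owners, dn = defaultdict(set), None
    # LDIF folds long values onto continuation lines that start with one space.
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.splitlines():
        attr, value = value_of(line)
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname" and dn:
            owners[value.lower()].add(dn)  # SPN lookup is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "is registered on:", "; ".join(dns))
```

An SPN reported here is one the KDC cannot resolve to a single account, so the duplicate has to be removed from all but the account the service actually runs as.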
