
Claims won't take Kerberos

So, we want to use Claims authentication and Kerberos when creating web applications in SharePoint 2010. Now this is easy to set up in Central Admin, but we struggle doing it using PowerShell:

New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider (New-SPAuthenticationProvider) -AuthenticationMethod Kerberos

results in CLAIMS using NTLM.

It seems like -AuthenticationProvider (New-SPAuthenticationProvider) is forcing NTLM, and -AuthenticationMethod Kerberos is not taken into consideration. And the New-SPAuthenticationProvider does not have an -AuthenticationMethod parameter, so how can we get Claims with Kerberos?

Any tips appreciated!




Answer 2

We have been able to reproduce this internally.  If anything more comes up on this I will respond on this thread.

Answer 3

Great, thanks Fred. For now we are changing to Kerberos manually after the deployment scripts are done.

Answer 4

One of our SEEs found a workaround for this. Create an instance of SPAuthenticationProvider, set the property DisableKerberos to false and pass this instance in AuthenticationProvider (note that once on claims/Kerberos you cannot come back to NTLM). In the example below we are using your same command with a slight difference:

> $ap = (New-SPAuthenticationProvider)
> $ap | fl

DisplayName                        : Windows Authentication
ClaimProviderName                  : AD
AllowAnonymous                     : False
UseBasicAuthentication             : False
DisableKerberos                    : True          <<<< Note that Kerberos is disabled by default
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl       : /_windows/default.aspx
UpgradedPersistedProperties        :

> $ap.DisableKerberos = $false

> $ap | fl *

DisplayName                        : Windows Authentication
ClaimProviderName                  : AD
AllowAnonymous                     : False
UseBasicAuthentication             : False
DisableKerberos                    : False   <<< Now I made sure that Kerberos is enabled
UseWindowsIntegratedAuthentication : True
AuthenticationRedirectionUrl       : /_windows/default.aspx
UpgradedPersistedProperties        : {}

> New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider $ap -AuthenticationMethod Kerberos

In short you can also do something like this in just one line:
> New-SPWebApplication -Name Testing123 -ApplicationPool SharePointApplicationAppPool -AuthenticationProvider (New-SPAuthenticationProvider -DisableKerberos:$false) -AuthenticationMethod Kerberos

Please let me know if it works for you. It worked well in our environment.

We will work to make sure we document this information in a KB.
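As an added example (not code from this thread), the workaround above turned into a deployment function that builds the Windows claims provider with Kerberos enabled, creates the web application, and then re-reads the persisted per-zone IIS settings so the script fails instead of silently ending up on NTLM. It assumes the SharePoint 2010 Management Shell on a farm server, an application pool that already exists (as in the command above), and placeholder names in the usage line.

```powershell
# Added example, not code from the thread: create a claims web application with
# Kerberos and verify the stored settings afterwards.
# Assumptions: run on a farm server with the SharePoint snap-in available; the
# application pool already exists; names in the usage line are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-SPWebApplicationKerberos {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication
    )

    if (-not $WebApplication.UseClaimsAuthentication) {
        throw "$($WebApplication.DisplayName) is not in claims mode."
    }

    # Each zone (Default, Intranet, ...) carries its own SPIisSettings, and that is
    # where the NTLM/Kerberos choice is persisted, so check every zone, not just Default.
    foreach ($zone in $WebApplication.IisSettings.Keys) {
        $iis = $WebApplication.IisSettings[$zone]
        $windows = @($iis.ClaimsAuthenticationProviders |
            Where-Object { $_ -is [Microsoft.SharePoint.Administration.SPWindowsAuthenticationProvider] })

        if ($windows.Count -eq 0) {
            Write-Warning "Zone $zone of $($WebApplication.DisplayName) has no Windows claims provider."
            continue
        }
        if ($iis.DisableKerberos -or $windows[0].DisableKerberos) {
            throw "Zone $zone of $($WebApplication.DisplayName) is set to NTLM, not Kerberos."
        }
        Write-Verbose "Zone $zone of $($WebApplication.DisplayName): claims with Kerberos (Negotiate) confirmed."
    }
    return $true
}

function New-SPClaimsKerberosWebApplication {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][string]$ApplicationPool,
        [Parameter(Mandatory = $true)][string]$Url,
        [int]$Port = 80
    )

    # New-SPAuthenticationProvider defaults to DisableKerberos = True, which is what
    # produced "claims using NTLM" in the thread. Ask for Kerberos explicitly and
    # check the object before SharePoint persists it.
    $provider = New-SPAuthenticationProvider -DisableKerberos:$false
    if ($provider.DisableKerberos) {
        throw 'Authentication provider still reports DisableKerberos = True; aborting.'
    }

    $webApp = New-SPWebApplication -Name $Name `
                                   -ApplicationPool $ApplicationPool `
                                   -Url $Url -Port $Port `
                                   -AuthenticationProvider $provider `
                                   -AuthenticationMethod Kerberos

    # Re-read from the configuration database rather than trusting the returned object.
    $persisted = Get-SPWebApplication -Identity $webApp.Id
    [void](Test-SPWebApplicationKerberos -WebApplication $persisted)
    return $persisted
}

# Usage (placeholder names):
# New-SPClaimsKerberosWebApplication -Name 'Testing123' -ApplicationPool 'SharePointApplicationAppPool' `
#     -Url 'http://testing123.example.local' -Verbose
```

Test-SPWebApplicationKerberos can also be run on its own against an existing web application (Get-SPWebApplication piped in) to audit farms that were deployed before the workaround was known.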



The appropriate SPNs and delegation have been set for Kerberos for the site as well as the services/accounts. SQL, Reporting Services and SharePoint sites are each on separate servers.

It seems that by using claims I'm actually going backwards in functionality in Reporting Services in integrated mode. I've read several TechNet articles that explain what claims and SSRS 2008 do, but not the exact method of setup...


What should the Authentication Mode be set to in the central administration->Reporting Services Integration: Windows Auth or Trusted Account when running claims?

Is it possible to use Windows integrated mode to allow the currently logged in user to view/run the report? What is the configuration for the data source with claims and Kerberos?

All the configs I try complain about SSRS not having Windows integrated mode on, or using a trusted account, when I try to view a report. So far I've only got my reports to work by storing my credentials as Windows credentials in the data source. Not acceptable.



Hi All,

I want to create an app that replaces the existing paper-form based expenses reimbursement process with a SharePoint solution.

I have created a content type called an Expense Form Set (it includes an Excel sheet for the user to enter expenses and also includes any digitised receipts associated with the claim).

The claimant can create an expense form set in an Expense Claims document library and the Expense Claims Approver is notified; they approve or reject, and reimburse if necessary.

However, there is a stumbling block.

How do we prevent anyone other than the person who submitted the claim and the person who needs to approve/reject it from seeing the expense claim?

Is turning on content approval the only way to do this?

If so then the act of approving the content will make it visible to anyone else who has view or contribute access to the library.

thanks and regards,



I am looking for a solution to add my custom claims to what ADFS will send to the relying party. By default it takes whatever AD has published; now I want to add a few more. These custom claims might be taken from one of my applications plus a database, so I want to write some code in order to prepare the claims and then append them to the outgoing claims.

I looked at two solutions:

1. Custom Attribute store (https://connect.microsoft.com/site642/Downloads/DownloadDetails.aspx?DownloadID=18933): I did write this DLL and tried all the steps, but now I don't see how to use this store. If I try to edit the claim rules I don't see this store appearing in the options, and I also don't think I understood how this works.

Is a Custom Attribute store meant to add/edit/filter the default outgoing claims, or is it a full store as an alternative to AD/LDAP/SQL?

2. Claims Transform (http://msdn.microsoft.com/en-us/library/bb736228%28VS.85%29.aspx): I also tried this, but the deployment steps mention the trust policy of the ADFS MMC snap-in. I am using ADFS 2.0, where I don't see this trust policy option.

So my question is, how am I supposed to get this working? Are these two options correct for me? I just want to add a new claim called MyCustomClaim which has a value I want to take from my application, or simply from the registry. How should I do this?



I am trying to write a simple application that performs Kerberos authentication (no mutual authentication for now).

The operating system is Windows Server 2003, Standard Edition.

I have set up Active Directory and created an SPN using the setspn tool.

AcquireCredentialsHandle returns SEC_E_OK both on client and on server.

InitializeSecurityContext on client side returns SEC_E_OK.

AcceptSecurityContext on server side returns SEC_E_LOGON_DENIED.

I am sure there's nothing wrong in my code, since I see the same behaviour when using the sample application from the following MSDN article: http://msdn.microsoft.com/en-us/magazine/dvdarchive/bb985043.aspx

So I guess there is something wrong in my setup. But I can't find out what. Maybe I have missed something in SPN setup? Any help is appreciated.


Regards, David.


I have seen lots of traffic on this issue. Using the various methods and ideas presented, I’m able to modify the error message at best. Here is the setup as I understand it:

WCF hosted in IIS using Kerberos. Site is set to NOT allow anonymous access, ONLY windows integrated security.

I CAN browse the site to view the wsdl (?wsdl)

I CAN use Silverlight (honest) to access the service; when I add a service reference to the Silverlight app, I keep the default configuration.

I CANNOT run the SAME service using an ASP.NET web site.

I’m using the same development machine for both tests.

Server config file:

<binding name="basicHttpBinding_">
<security mode="TransportCredentialOnly">
<transport clientCredentialType="Windows" />

<service behaviorConfiguration="WcfService.Service1Behavior"
<clear />
<endpoint address="http://server/TestWCF/service1.svc" binding="basicHttpBinding"
bindingConfiguration="basicHttpBinding_" contract="WcfService.IService1" />

<behavior name="WcfService.Service1Behavior">
<!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
<serviceMetadata httpGetEnabled="true"/>
<!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
<serviceDebug includeExceptionDetailInFaults="false"/>

Working Silverlight Config:

<security mode="TransportCredentialOnly" />
name="BasicHttpBinding_IService1" />

(I've tried the above config and various others including the one below for the:)

ASP.NET web site

<security mode="TransportCredentialOnly" >
name="BasicHttpBinding_IService1" behaviorConfiguration="clientEndpointBehavior" >
<servicePrincipalName value="spn" />

When I run the silverlight page I can access the method. When I run the asp.net site I get this error:


An error (The request was canceled) occurred while transmitting data over the HTTP channel.

If I remove the identity bit I get this error:


The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate <long hash>

Any thoughts?


I have a WCF web.config; it's actually from SharePoint but this is still a WCF question. I need to allow Kerberos on it. It's currently living inside a virtual directory of an IIS web site. It will need to run as a domain user. Any help would be totally appreciated.

Just to preach to the choir, I think I need to change the authenticationMode from IssuedTokenOverTransport to something like Kerberos or KerberosOverTransport (I don't know the difference). I also think I need to put an identity inside the endpoint with a userPrincipalName. But when I change the web.config all I do is break the thing.



<?xml version="1.0" encoding="utf-8"?>
    <section name="uri" type="System.Configuration.UriSection, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    <sectionGroup name="Bpm">
      <section name="CustomDataSourceProviders" type="System.Configuration.DictionarySectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="FCODaoProviders" type="System.Configuration.DictionarySectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="CustomParameterDataProviders" type="System.Configuration.DictionarySectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <section name="CustomViewTransforms" type="System.Configuration.DictionarySectionHandler, System, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
<system.diagnostics>
  <sources>
    <source name="System.ServiceModel" switchValue="All" propagateActivity="true">
      <listeners>
        <add name="traceListener" type="System.Diagnostics.XmlWriterTraceListener" initializeData="c:\WCFLog\Traces.svclog" />
      </listeners>
    </source>
  </sources>
</system.diagnostics>

    <idn enabled="All" />
 <httpRuntime maxRequestLength="110000" />
      <service name="Microsoft.PerformancePoint.Scorecards.BIMonitoringServiceApplication">
        <endpoint address="" binding="customBinding" bindingConfiguration="PPS_SS_HttpBinding" behaviorConfiguration="MultiThreadedDispatcherEndpointBehavior" contract="Microsoft.PerformancePoint.Scorecards.IBIMonitoringServiceApplication" />
        <endpoint address="" binding="customBinding" bindingConfiguration="PPS_SS_HttpsBinding" behaviorConfiguration="MultiThreadedDispatcherEndpointBehavior" contract="Microsoft.PerformancePoint.Scorecards.IBIMonitoringServiceApplication" />

        <binding name="PPS_SS_HttpBinding">
          <security authenticationMode="IssuedTokenOverTransport" allowInsecureTransport="true" />
            <readerQuotas maxStringContentLength="100000000" maxNameTableCharCount="32768" maxBytesPerRead="8192" maxArrayLength="2097152" maxDepth="64" />
          <httpTransport maxReceivedMessageSize="100000000" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
        <binding name="PPS_SS_HttpsBinding">
          <security authenticationMode="IssuedTokenOverTransport" />
            <readerQuotas maxStringContentLength="100000000" maxNameTableCharCount="32768" maxBytesPerRead="8192" maxArrayLength="2097152" maxDepth="64" />
          <httpsTransport maxReceivedMessageSize="100000000" authenticationScheme="Anonymous" useDefaultWebProxy="false" />

        <behavior name="MultiThreadedDispatcherEndpointBehavior">
          <dispatcherSynchronization maxPendingReceives="10" />
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="true" />
        <requestLimits maxAllowedContentLength="110000000" />
      <add key="ADOMD.NET" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.AdomdDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ODBC" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.OdbcDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ExcelWorkbook" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ExcelDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ExcelServicesWorkbook" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ExcelServicesDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="SqlTabularDataSource" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.SqlTabularDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="SpListDataSource" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.SpListDataSourceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ScorecardSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.ScorecardSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="KpiSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.KpiSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ReportViewSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.ReportViewSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="DataSourceSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.DataSourceSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="IndicatorSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.IndicatorSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="FilterSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.FilterSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="DashboardSPDao" value="Microsoft.PerformancePoint.Scorecards.Store.Dao.DashboardSPDao, Microsoft.PerformancePoint.Scorecards.Store, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="TempReportViewDao" value="Microsoft.PerformancePoint.Scorecards.Server.Dao.TempReportViewDao, Microsoft.PerformancePoint.Scorecards.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="MemberParameterDataProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.MemberParameterDataProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="NamedSetParameterDataProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.NamedSetParameterDataProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="MDXParameterDataProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.MDXParameterDataProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="StaticList" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ParameterStaticListProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ParameterScorecardCellProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ParameterScorecardCellProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ParameterScorecardColumnMemberProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ParameterScorecardColumnMemberProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ParameterScorecardKpiProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ParameterScorecardKpiProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ParameterScorecardRowMemberProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.ParameterScorecardRowMemberProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="TimeIntelligenceProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.TimeIntelligenceProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="TimeIntelligencePostFormulaProvider" value="Microsoft.PerformancePoint.Scorecards.DataSourceProviders.TimeIntelligencePostFormulaProvider, Microsoft.PerformancePoint.Scorecards.DataSourceProviders.Standard, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ExpandNamedSets" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.ExpandNamedSets, Microsoft.PerformancePoint.Scorecards.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="RowsColumnsFilterTransform" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.RowsColumnsFilterTransform, Microsoft.PerformancePoint.Scorecards.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="AnnotationTransform" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.AnnotationTransform, Microsoft.PerformancePoint.Scorecards.Server, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="UpdateDisplayText" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.UpdateDisplayText, Microsoft.PerformancePoint.Scorecards.Client, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ComputeRollups" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.ComputeRollups, Microsoft.PerformancePoint.Scorecards.Client, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add key="ComputeAggregations" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.ComputeAggregations, Microsoft.PerformancePoint.Scorecards.Client, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <!-- FilterEmptyRows should allways be the last transform in this list -->
      <add key="FilterEmptyRows" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.FilterEmptyRows, Microsoft.PerformancePoint.Scorecards.Client, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <!-- add key="ApplyDefaultFormatInfo" value="Microsoft.PerformancePoint.Scorecards.GridViewTransforms.ApplyDefaultFormatInfo, Microsoft.PerformancePoint.Scorecards.Client, Version=, Culture=neutral, PublicKeyToken=71e9bce111e9429c"/-->


Installed all the components. I am getting this problem. The admin says that they had to enable Kerberos for Workflow, and this problem is possibly because of Kerberos. Any ideas?

It is a straight 401 error message; no 401.1 etc. MDS is installed on a different port. Other ports are running fine.

I tried enabling/disabling Anonymous and Windows authentication; the error message it returns is a little different, but nothing is working. Thanks,


Hi Guys,

I'm in desperate need of a Kerberos Guru! I've been wracking my brains trying to get a Windows 7 client machine to authenticate against a Linux-based Kerberos 5 KDC server.

I have setup the following on the Arch Linux server:

ank addpol hosts
ank addpol users
ank -policy users tom@TNET.LOC
ank -policy hosts -pw MYPASSWORDHERE host/wdesk3.tnet.loc

The ACL file just looks like this:

*@TNET.LOC *

I have setup the following on the Windows 7 client:

A local user called tom with a password which differs from the Kerberos account (so I can prove which account Windows is logging in with), then:

ksetup /SetRealm TNET.LOC
ksetup /AddKdc dc1.tnet.loc
ksetup /SetComputerPassword MYPASSWORDHERE
ksetup /MapUser * *

Rebooted the client.

However, when I attempt to logon to my realm, I get the error: "The user name or password is incorrect".

The guys at MIT suggested that I try to run "runas /netonly /user:tom@TNET.LOC cmd.exe", **which works absolutely fine**, however when I remove the '/netonly' flag (they tell me this is closer to what the actual login procedure does); I get the exact same error as I did on login: "login failure: the user name or password is incorrect".

Is there anybody who can tell me if MIT's Kerberos 5 still works with Windows? Is there a certain type of encryption method I am supposed to be using? Can anybody help me get this working? Has anybody seen this working before?

Any help at all would be most greatly appreciated!

Many Thanks in advance,


I am following this article http://blogs.msdn.com/b/russmax/archive/2009/10/20/configuring-kerberos-authentication-in-sharepoint-2010-part-1.aspx

I was getting challenged when accessing the site http://s2010/sites/test from a remote computer; after I followed the article, I could access the site remotely without getting challenged.

However, I also have a DNS entry and matching host header on the site for sp2010.company.com, and I ran setspn for this as well, but this site challenges for auth and will not work; after 3 times, it goes to a blank screen.

Any ideas?


What are the pros and cons of Kerberos vs. NTLM authentication when creating new site collections?

All the best


I'm trying to establish Kerberos connection between a named SQL Server 2008 (not R2) Instance and a client.

These are the names:

SQL Server Computer Name: labvm01

Instance Name: SP2010

SQL Server Service Account : lab\sqlserveradmin

Domain: lab.vz.ch

According to the Microsoft guideline (found here: http://msdn.microsoft.com/en-us/library/ms191153.aspx ) the commands for creating the SPN are:

setspn -s MSSQLSvc\labvm01.lab.vz.ch:SP2010 lab\sqlserveradmin

setspn -s MSSQLSvc\labvm01:SP2010 lab\sqlserveradmin

Strangely, the default instance works as expected (setspn -s MSSQLSvc\labvm01.lab.vz.ch:1433). I also tried configuring a fixed port for the named instance (port 1400) and tried both variants -> MSSQLSvc\labvm01\SP2010:1400 and MSSQLSvc\labvm01:1400. But here also nothing worked.


Hi all

I think I have put myself in a big problem by using NTLM authentication installing SharePoint server 2010, and creating web application with NTLM.

The case is that this application now has a lot of custom development, and now has people developing business intelligence solutions, so I cannot scrap it all and start from scratch. Dynamic Excel sheets with pivot tables give error messages and don't refresh data. I read that I might have to use Kerberos to solve problems regarding this and Excel Services.

Any ideas how I can get out out of this quagmire? :-)


This whitepaper titled Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products is 175 pages long. It has sections such as Scenario 2 - Kerberos Authentication for SQL OLTP, Scenario 3 - Kerberos Authentication for SQL Analysis Services, and Scenario 4 - Identity Delegation for SQL Reporting Services. It's available at http://technet.microsoft.com/en-us/library/ff829837.aspx

I built and configured samba-4.0.0alpha11 on a RedHat Enterprise Linux 5 system to run as a domain controller in a Windows 2008 Server R2 domain. While looking at the various Kerberos exchanges I discovered Windows 2008 R2 did not follow RFC 4757 for the TGS-REP exchange, and yet was able to successfully interact with the SAMBA system. I would like to understand what is happening.

- Mark



We have configured SharePoint 2010 with Kerberos authentication. Now the Central Administration website works fine when accessed with the IP address and port number as the URL, i.e. but the site is not accessible when the host header name is used, i.e. using http://mysharepointCA:80/ . We have checked the event log and the following errors have been recorded:

Error, Event ID: 4, Category: None
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server wss1$. The target name used was HTTP/intranet.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.LOCAL) is different from the client domain (DOMAIN.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

We are stuck here and have no idea how to proceed further to resolve this issue. The installation and configuration is all on new servers and not an upgrade from MOSS 2007.

If someone has been through such issues and has solved them, kindly help us. Your help is appreciated.




I have installed SQL Server and SharePoint Server 2010. While configuring I set up Kerberos authentication and added an SPN for the Active Directory service account like HTTP/server.domain.com:portnumber of Central Admin. If I browse the Central Admin site it is not showing up and I get this error under Windows Logs -> System. If I try to browse with IP address:portnumber I am able to see the Central Admin site and the authentication is set to NTLM. Please let me know if I am doing anything wrong or if you have any step by step documentation for setting up Kerberos for SharePoint 2010.

Error message:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server 'accountname'. The target name used was HTTP/server.domain.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (domain.COM) is different from the client domain (domain.com), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
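The KRB_AP_ERR_MODIFIED text in both posts above points at the same check: the SPN the client asked for must be registered on exactly the account the service runs as (and an HTTP SPN must name the host header the browser actually uses, which is why the IP address works and the host name does not). As an added example, not from either post, this PowerShell queries Active Directory for the accounts holding a given SPN and reports missing, duplicate or wrong-account registrations; it assumes a domain-joined machine and domain credentials, takes the SPN in the usage line from the event text above, and uses a placeholder service account name.

```powershell
# Added example, not from either post: report which AD accounts hold a given SPN.
# Assumptions: run as a domain user on a domain-joined machine; the SPN in the
# usage line is the one from the event log text above, the account is a placeholder.
function Get-SpnOwner {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = "(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    foreach ($attr in 'sAMAccountName', 'distinguishedName', 'servicePrincipalName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    # One object per account that carries the SPN (user or computer account, e.g. WSS1$).
    foreach ($result in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
            AllSpns = @($result.Properties['serviceprincipalname'])
        }
    }
}

function Test-SpnRegistration {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Spn,
        # sAMAccountName of the identity the service (IIS app pool, SQL service) runs as.
        [Parameter(Mandatory = $true)][string]$ExpectedAccount
    )

    $owners = @(Get-SpnOwner -Spn $Spn)
    $names  = @($owners | ForEach-Object { $_.Account })

    if ($owners.Count -eq 0) {
        return "MISSING: $Spn is not registered on any account; clients cannot obtain a Kerberos ticket for it."
    }
    if ($owners.Count -gt 1) {
        # setspn -X reports duplicates forest-wide; this answers the narrower question for one SPN.
        return "DUPLICATE: $Spn is registered on $($names -join ', '); the KDC may encrypt tickets with the wrong key."
    }
    if ($names[0] -ieq $ExpectedAccount) {
        return "OK: $Spn is registered only on $ExpectedAccount."
    }
    return "WRONG ACCOUNT: $Spn is registered on $($names[0]) but the service runs as $ExpectedAccount; expect KRB_AP_ERR_MODIFIED."
}

# Usage: the SPN from the event log text above, with a placeholder service account.
# Test-SpnRegistration -Spn 'HTTP/intranet.domain.local' -ExpectedAccount 'spAppPoolAccount'
```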






We are using MOSS 2007 and SQL 2005 (64) SP3. Yesterday users couldn't connect to our SQL server that hosts the SharePoint databases. The following SSPI authentication errors were logged in the SQL logs. SQL is using Kerberos authentication and the SPN has been registered in AD. Users were able to connect after the server reboot.

SSPI handshake failed with error code 0x80090311 while establishing a connection with integrated security; the connection has been closed.
Login failed for user ''. The user is not associated with a trusted SQL Server connection.

The following errors are also logged in the event logs:

"The kerberos subsystem encountered a PAC verification failure. This indicates that the PAC from the client xxxxxx in realm XXX.XXXXXXXX.COM had a PAC which failed to verify or was modified. Contact your system administrator."

I could not find any other AD authentication errors or netlogon errors during that time. Sysadmins confirmed that AD was up and nothing was changed.

Please help.



Attempting to create a dashboard data source to Analysis Services 2008 R2. Works fine with Unattended Service Account but not with Per-user Identity (suspect Kerberos issue). New data source to SQL Server 2008 R2 on same failover cluster works fine with Per-user Identity. User account is Server Administrator on AS and SQL instances.

Have constrained delegation setup on PPS service account, CWTS service account (both with SQL + AS SPNs).

SPN for AS: MSOLAPSVC.3/ASInstanceNetworkName.mydomain.com:AS01 where AS01 is the name of the instance

SharePoint 2010 Server Enterprise + SQL Server Reporting Services 2008 R2 EE + PerformancePoint Services on one server. Databases on another. All Windows Server 2008 R2 x64


Hi guys,

I'm pretty new in this community so please ease up on the criticizing. Thanks. Now about the issue that I'm experiencing...

I've been trying for months to set up a Kerberos SSO (Single Sign On) authentication mechanism for accessing my web server. I have created a slide show with screenshots about my setup (every step that I have made). Unfortunately in these forums you cannot attach files, so I will do my best in explaining the problem.

I have Windows Server 2008 as KDC and DC, my Apache web server is on a Debian 5.0 Linux box and I have clients (XP, Vista, Windows 7) in my virtual network.

Everything works great; I have been using Achim's guide on kerberizing Apache from www.grolmsnet.de/kerbtut/ but without the RC4 mechanism. Instead, I have been using AES256-SHA1 encryption. The only problem is that when I try to access my page, IE gives me "Authorization Required" and the Apache error log file shows a few lines. The last one finishes with "Unspecified GSS failure. (Key table entry not found)". I can verify that my Kerberos configuration file krb5.conf is producing AES256-SHA1 (and that Server 2008 supports it). But when I run kerbtray on my client (Windows), it shows that all of the tickets are RC4 instead of AES256-SHA1. Is there a fix, or some solution for this problem? Thank you in advance. P.S. If you would like to see the slideshow please write to me at my email: zdravcee@yahoo.com

Best Regards.


I realize this is probably going to be one of those vague questions that I am not going to get much help on here, but I thought I'd give this a shot before we go the MS Incident route on Monday.

We have tried to set up Kerberos between MOSS 2007 and SSAS 2005 to no avail. We have been through the knowledge base articles outlining the setup multiple times with all the experts on MOSS and Security here where I work. We've used other materials we have on Kerberos here. But the end result is that the double hop is not happening. We are trying to connect three ways: Excel Services, SSRS 2005 in integrated mode, and SharePoint KPIs (using Analysis Services). In every case the connection is not happening.

Other details are that the SSRS integrated mode seems to be set up right because I do get a report (albeit all it has is a connection error message). Excel Services works fine if I use the unattended service account, but when I switch the odc file to Windows (which should cause Kerberos to kick in) it fails. When I try to add a KPI to the KPI list it can't retrieve a list of KPIs from SSAS.

In all cases I am the user trying to perform these operations, and I have total access to the cube -- I'm the developer.  I have no problems connecting to the cube directly through excel, so the security at that end passes the smell test.

Can anyone help us out with some good troubleshooting steps?



