Kerberos and MOSS case sensitive?

Warning: I am not a Windows AD Security “expert”, I don’t play one on TV, and I did not stay at a Holiday Inn Express last night. 🙂

Ok, so it is 1 am in the morning and I am working on my labs for Professional SharePoint Administration. In the class we do a least-privilege install where we end up with about 8 different accounts. Then we configure the whole farm to use Kerberos authentication. Lots of fun and I really think it is important to understand. It isn’t hard to do, just tedious. Anyway.

I do my setspn.exe for central admin as setspn.exe -A HTTP/server.tpg.local tpg\sp_farm and again as setspn.exe -A HTTP/server tpg\sp_farm, no problem. I log onto the server as tpg\sp_farm and open Central Administration. It takes me to http://server:5555 and all is well. I then make Bob Farmer a member of the farm administrator group. Then I hit the sign in as a different user and input tpg\bob. Nothing but errors. What the heck?

After 5 minutes of cussing I see this error message in Event Viewer.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.tpg.local. The target name used was HTTP/server.TPG.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TPG.LOCAL), and the client realm. Please contact your system administrator.

I am the system administrator. Who do I see? Do you see the issue? Apparently the proper FQDN is server.TPG.local instead of server.tpg.local. Surely that can’t be the problem? Let’s see. I run setspn.exe -A HTTP/server.TPG.local tpg\sp_farm. Then I try to login again. It WORKS!!!

So I have read a lot of contradicting stuff about whether SPNs are case sensitive or not. I still don’t know. What I do know is that setting a new SPN with TPG fixed my problem immediately. If you have 2 cents to add I would love to hear it.

Back to work with me. Now it is 1:30 and I still need to play Halo 3 some more before I go to bed. Good thing the wife is already asleep. 😉

Shane – SharePoint Help
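
A small triage helper for the situation in the post above, added here as an example and not part of the original post: it pulls the requested SPN out of the KRB_AP_ERR_MODIFIED event text and compares it with what `setspn -L` lists for the service account, separating exact matches from names that differ only in case. The `setspn -L` sample (including the account DN) is constructed, and the function names are hypothetical; the code makes no claim about whether the KDC itself treats SPNs as case sensitive.

```python
import re

# Event text exactly as quoted in the post above.
EVENT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/server.tpg.local. The target name used was HTTP/server.TPG.local. "
    "This indicates that the password used to encrypt the kerberos service "
    "ticket is different than that on the target server. Commonly, this is due "
    "to identically named machine accounts in the target realm (TPG.LOCAL), "
    "and the client realm. Please contact your system administrator."
)

# Constructed sample: what `setspn -L tpg\sp_farm` would list after the first
# two registrations in the post (the DN is an assumption).
SETSPN_L = """Registered ServicePrincipalNames for CN=sp_farm,CN=Users,DC=tpg,DC=local:
\tHTTP/server.tpg.local
\tHTTP/server
"""

EVENT_RE = re.compile(
    r"received a (?P<error>\w+) error from the server (?P<server>\S+?)\.\s+"
    r"The target name used was (?P<target>\S+?)\.\s.*?"
    r"target realm \((?P<realm>[^)]+)\)",
    re.S,
)

def parse_event(text):
    """Pull error code, answering principal, requested SPN and realm."""
    m = EVENT_RE.search(text)
    if not m:
        raise ValueError("not a Kerberos client error event")
    return m.groupdict()

def parse_setspn_listing(text):
    """Return the SPNs from `setspn -L` output (lines after the header)."""
    return [ln.strip() for ln in text.splitlines()[1:] if ln.strip()]

def compare(target, registered):
    """Classify each registered SPN against the requested one."""
    result = {"exact": [], "case_only": []}
    for spn in registered:
        if spn == target:
            result["exact"].append(spn)
        elif spn.lower() == target.lower():
            result["case_only"].append(spn)
    return result

if __name__ == "__main__":
    ev = parse_event(EVENT)
    print(ev)
    print(compare(ev["target"], parse_setspn_listing(SETSPN_L)))
```

Running the same comparison against the `setspn -L` output of every account that might hold the name also shows whether an SPN is registered more than once.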


Upcoming Speaking: Vegas & Barcelona

I got a very nice email from someone today who appreciated my blog because I don’t do much self promotion. That actually reminded me I needed to post this. So sorry Amanda! 😉

November 6, 2007 – I will be speaking at Dev Connections hosted at the Mandalay Bay in Vegas. I believe I am doing two admin talks and then possibly a governance talk also. Should be fun. Joel Oleson and I were supposed to do them together but I believe he has a scheduling conflict so it will be just me. If you make the show be sure to say hi. I will either be on stage or at a poker table somewhere.

November 13 – 16 2007 – The following week I get to go international. I will be flying to Barcelona to speak at IT Forum which is Europe’s Tech Ed. How cool is that? There I will be doing a talk on Upgrades and then one on Capacity and Performance. This will be awesome. I will get to meet lots of new people and spread the SharePoint love across the pond. If you will be there drop me a note. I know Joel and Todd Klindt will be there. I think I am dragging Joel on stage for the upgrade talk again.

I now return you to your normal technical content!

Shane – SharePoint Help

Book: Essential SharePoint 2007

If you are looking for the perfect book to give those non-technical people such as Business Decision Makers (BDM) or you need more help on the planning/design side of your SharePoint project this is the book for you.

One of the few books devoted to MOSS that actually covers governance, roll out, goals, and the other “soft” topics. After it gets you through the reasons for and direction of your SharePoint project then at a medium level it covers some of the key features you need to plan for. I really feel you could hand this to your non-technical leaders and get them up to speed in short order.

Great book! Get your copy here.

Shane – SharePoint Help