Kerberos and MOSS case sensitive?

Warning I am not a Windows AD Security “expert”, I don’t play one on TV, and I did not stay at a Holiday Inn Express last night. 🙂

Ok, so it is 1 am in the morning and I am working on my labs for Professional SharePoint Administration. In the class we do a least-privilege install where we end up with about 8 different accounts. Then we configure the whole farm to use Kerberos authentication. Lots of fun and I really think it is important to understand. It isn’t hard to do, just tedious. Anyway.

I do my setspn.exe for central admin as setspn.exe –A HTTP/server.tpg.local tpg\sp_farm and again as setspn.exe –A HTTP/server tpg\sp_farm no problem. I log onto the server as tpg\sp_farm and open Central Administration. It takes me to http://server:5555 and all is well. I then make Bob Farmer a member of the farm administrator group. Then I hit the sign in as a different user and input tpg\bob. Nothing but errors. What the heck?

After 5 minutes of cussing I see this error message in Event Viewer.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.tpg.local. The target name used was HTTP/server.TPG.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TPG.LOCAL), and the client realm. Please contact your system administrator.

I am the system administrator. Who do I see? Do you see the issue? Apparently the proper FQDN is server.TPG.loca instead of server.tpg.local. Surely that can’t be the problem? Let’s see. I run setspn.exe –A HTTP/server.TPG.local tpg\sp_farm Then I try to login again. It WORKS!!!

So I have read lot of contradicting stuff about if SPN’s are case sensitive or not. I still don’t know. What I do know what setting a new SPN with TPG fixed my problem immediately. If you have 2 cents to add I would love to hear it.

Back to work with me. Now it is 1:30 and I still need to play Halo 3 some more before I go to bed. Good thing the wife is already asleep. 😉

Shane – SharePoint Help


8 thoughts on “Kerberos and MOSS case sensitive?”

  1. SPNs should NOT be case sensitive on the Windows Platform. But it may differ with various implementations, i.e. UNIX implementations.

  2. I’ve been battling with Kerberos and MOSS as well.

    My issues were slightly different, but seeing this post at least partially confirms a suspicion I’ve shared for a long time as well.

    I generally write code in C#, so I’ve gotten into the habit of trying to be case sensitive with most things even when it probably doesn’t matter.

    I ran into a very similar issue while battling the bigger issue – and as a precaution, went ahead and did exactly the same thing – tweaked all of my SPN’s to ensure they were case-correct. Glad I’m not alone in this observation.

  3. RFC4120 specifies the Kerberos 5 protocol.

    Section 5.2.1 defines valid kerberosstring as IA5String, so there is case sensitivity in the protocol.

    Section 6.1 makes it abundantly clear that realm names are case sensitive, even though the domain names underlying them are not.

    Section 6.2.1 deals with the Name of Server Principals and says:

    “Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lowercase.”

    So the SPN *must* be lowercase, but because the protocol allows case, depending on the implementation, you can end up with situations where case matters.

  4. Wow, thanks Shane! I was going NUTS trying to figure out why I wasn’t getting my Kerberos tickets for the MSSP SPNs. Turns out, my admin put in the last part of the SPN (the part that identifies the name of the SSP) in lower case and I was creating the SSP with a name in all caps. Once I recreated the SSP with a name to match the case used by our Actice Directory Admin in the SPNs, I started getting the MSSP tickets. Hooray!

Leave a Reply

Your email address will not be published. Required fields are marked *