Kerberos and MOSS case sensitive?

Warning I am not a Windows AD Security “expert”, I don’t play one on TV, and I did not stay at a Holiday Inn Express last night. 🙂

Ok, so it is 1 am in the morning and I am working on my labs for Professional SharePoint Administration. In the class we do a least-privilege install where we end up with about 8 different accounts. Then we configure the whole farm to use Kerberos authentication. Lots of fun and I really think it is important to understand. It isn’t hard to do, just tedious. Anyway.

I do my setspn.exe for central admin as setspn.exe –A HTTP/server.tpg.local tpg\sp_farm and again as setspn.exe –A HTTP/server tpg\sp_farm no problem. I log onto the server as tpg\sp_farm and open Central Administration. It takes me to http://server:5555 and all is well. I then make Bob Farmer a member of the farm administrator group. Then I hit the sign in as a different user and input tpg\bob. Nothing but errors. What the heck?

After 5 minutes of cussing I see this error message in Event Viewer.

The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server.tpg.local. The target name used was HTTP/server.TPG.local. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (TPG.LOCAL), and the client realm. Please contact your system administrator.

I am the system administrator. Who do I see? Do you see the issue? Apparently the proper FQDN is server.TPG.loca instead of server.tpg.local. Surely that can’t be the problem? Let’s see. I run setspn.exe –A HTTP/server.TPG.local tpg\sp_farm Then I try to login again. It WORKS!!!

So I have read lot of contradicting stuff about if SPN’s are case sensitive or not. I still don’t know. What I do know what setting a new SPN with TPG fixed my problem immediately. If you have 2 cents to add I would love to hear it.

Back to work with me. Now it is 1:30 and I still need to play Halo 3 some more before I go to bed. Good thing the wife is already asleep. 😉

Shane – SharePoint Help


8 Comments so far

  1.   Sindre Solem on September 27th, 2007          Reply

    SPNs should NOT be case sensitive on the Windows Platform. But it may differ with various implementations, i.e. UNIX implementations.

  2.   Kanwal on September 27th, 2007          Reply

    I haven’t had too much time to be able to devote to Halo 3. How are you liking it?

  3.   jacobmross on September 29th, 2007          Reply

    I’ve been battling with Kerberos and MOSS as well.

    My issues were slightly different, but seeing this post at least partially confirms a suspicion I’ve shared for a long time as well.

    I generally write code in C#, so I’ve gotten into the habit of trying to be case sensitive with most things even when it probably doesn’t matter.

    I ran into a very similar issue while battling the bigger issue – and as a precaution, went ahead and did exactly the same thing – tweaked all of my SPN’s to ensure they were case-correct. Glad I’m not alone in this observation.

  4.   Brian Arkills on October 9th, 2007          Reply

    RFC4120 specifies the Kerberos 5 protocol.

    Section 5.2.1 defines valid kerberosstring as IA5String, so there is case sensitivity in the protocol.

    Section 6.1 makes it abundantly clear that realm names are case sensitive, even though the domain names underlying them are not.

    Section 6.2.1 deals with the Name of Server Principals and says:

    “Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lowercase.”

    So the SPN *must* be lowercase, but because the protocol allows case, depending on the implementation, you can end up with situations where case matters.

  5.   PaulE on June 16th, 2009          Reply

    Wow, thanks Shane! I was going NUTS trying to figure out why I wasn’t getting my Kerberos tickets for the MSSP SPNs. Turns out, my admin put in the last part of the SPN (the part that identifies the name of the SSP) in lower case and I was creating the SSP with a name in all caps. Once I recreated the SSP with a name to match the case used by our Actice Directory Admin in the SPNs, I started getting the MSSP tickets. Hooray!

  6.   Buy Ambien on February 17th, 2010          Reply

    textual despite piercing nato nashik inpatient strongly egan overkill inventor mississippis
    saramartisakis kulturenostro

  7.   McdanielJEANNINE20 on September 5th, 2011          Reply

    Do not cash to buy a car? Worry no more, just because it’s real to take the business loans to solve such problems. Hence get a student loan to buy all you require.

  8.   AveryRobin31 on September 16th, 2011          Reply

    This is good that we are able to receive the credit loans moreover, it opens up new possibilities.

Leave a Reply