Logo 
Search:

Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

Kerberos issue with SQL Reporting Services 2005 on Server 2003 R2

  Asked By: Akhila    Date: Mar 24    Category: Sharepoint    Views: 1514

apologies if this is the incorrect forum, so moderators, feel free to move it to SQL/IIS/SharePoint as appropriate... [Windows Server Security moderator pushed me this direction]


I have a test environment that I'm trying to get SQL Reporting Services 2005 SP3 working in integrated mode with SharePoint 2007 SP2.

The environment is all in VMWare, running Server 2003 R2 x86 and is layed out like this:


SERVER A:
AD/DNS/DHCP

SERVER B:
SQL 2005 SP3 CU8

SERVER C:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

SERVER D:
SharePoint 2007 SP2 Dec 09 CU
- Central admin on port 9000
- SSP on port 9001
- MySite on port 81
- Main Content on port 80
SQL Reporting Services 2005 SP3 CU8
- Reporting Service website on port 82

Through the use of DNS and (SharePoint) Alternate Access Names, SERVER D is used to deliver the Main Content in SharePoint and the Reporting Service website. SERVER C is used to deliver the Central Admin, SSP and MySite.

I've set up SPN's for the SharePoint App Pools, using the following:

[main content] setspn -S HTTP/SERVERA DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERA.FQDN DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERB DOMAIN\AppPoolUserA
setspn -S HTTP/SERVERB.FQDN DOMAIN\AppPoolUserA
[report server]setspn -S HTTP/SERVERA:82 DOMAIN\SQLAppPoolUser
setspn -S HTTP/SERVERA.FQDN:82 DOMAIN\SQLAppPoolUser

However I'm running into the issue where I (err SharePoint) can't authenticate with the Report Server web instance when attempting to view a report in SharePoint.
Remotely I get the generic SharePoint error. If I try from SERVER D then SharePoint reports that it got a 401: Unauthorized error.
If I try to connect (manually in the browser) locally to the Report Server using:
http://SERVERD:82/ReportServer/ - Authentication failes
http://localhost:82/ReportServer/ - I get a list of site collections
http://IP_ADDRESS_OF_SERVERD:82/ReportServer/ - I get a list of site collections.


Connecting remotely produces the same result.

This is similar to this MS KB article (http://support.microsoft.com/kb/871179/)

However, I'm sure I've managed to follow its advice, but it's still not working.

Help! Anyone got any ideas?

Share: 

 

1 Answer Found

 
Answer #1    Answered By: Gina Freeman     Answered On: Mar 24

Turns out it was kerberos  getting confused over ports and DNS aliases.

The resolution was to put the IIS Web App for the Report server  on a host-header (with appropriate DNS alias), update SPNs and SharePoint SSRS config to match and Bobs-your-Uncle... it works.

Broke:
SERVERNAME:80 + INTRANET:80 -> SharePoint [no host-headers]
SERVERNAME:82 + INTRANET:82 -> SSRS [no host-headers]

Working:
SERVERNAME:80 + INTRANET:80 -> SharePoint [no host-headers]
REPORTING:80 -> SSRS [host-header: reporting]

Couple of things to note:

* Even with the Report Server on port 82, the SPN for the report server didn't need port 82 to work
* when no DNS aliases are involved, it "just works". e.g. my test/dev environments are a single WFE with SSRS on port 82, no DNS aliases, kerberos turned on and it all works.

Oh well, when I move SSRS to it's own server (bound to happen) I wont need to change any of the config, just repoint the DNS alias!

 

Related Topics:



Tagged:                  

 

Related Post