MOSS Forum

Ask Question   UnAnswered
Home » Forum » MOSS       RSS Feeds

Kerberos Issues

  Asked By: Willis    Date: Apr 28    Category: MOSS    Views: 596

Technical question:

This weekend I went live with our MOSS 2007 upgrade.

(Basically: "No virtual test environment survives contact with production

Anyway, after testing in a full mockup of our production environment, quite a
few things didn't work like they should have.

I eventually got to the point of turning on Kerberos, and I followed the EXACT
steps that I used the VMWare copy of our production environment.

The ONLY server that was different in production was the SQL 2000 Server.

Does anyone have ANY idea as to why users can not log on when I turn Kerberos

(That's the symptom.)

I thought that MOSS would fall back to NTLM, but when I turn Kerberos on after
setting up all of my SPNs and configuring the various accounts / servers for
delegation, users can not logon to the MOSS Server.



2 Answers Found

Answer #1    Answered By: Norman Santos     Answered On: Apr 28

I've played with Kerberos before, bloody ugly stuff.

You can turn on some additional diag which might get you some more info.

Edit Reg


If not already there Add in LogLevel (DWORD) = 1

1 = enabled

0 = disabled

This will log in to the system event log under the source Kerberos

Look for errors like KDC_ERR_S_PRINCIPAL_UNKNOWN

This means that you are missing the correct SPN's.

Maybe the logs can give you more info.

(you might need to reboot after applying this reg key, its been a long
time since I played with this so I cant remember when it takes effect)

What tricked me the first time was my computer name was the same as the
service account name.

This is bad for Kerberos when trying to set SPN's as it can get
confused between DOMAIN\moss$ (the computer account)

And DOMAIN\moss (your service account).

Answer #2    Answered By: Walter Stone     Answered On: Apr 28

My computer name IS the same as the MOSS name...

I'll try this first thing in the AM and get back to the discussion with the

Didn't find what you were looking for? Find more on Kerberos Issues Or get search suggestion and latest updates.