Reporting Service Integrated Mode - Kerberos Authentication Problem

  Asked By: Ronak    Date: Aug 14    Category: Sharepoint    Views: 2483

Reporting Services 2005… to be or not to be, that is the question.

"An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode."

Sound familiar?

Ok, so it might be useful to have the details of our environment… setup is as follows

db01 - SQL Server 2005
web01 - SharePoint Server 2007 WFE
web02 - SharePoint Server 2007 WFE + Reporting Services
idx01 - SharePoint Server 2007 Index/Search

Patch Level: SQL2005 SP3 and SharePoint SP1 + Infrastructure updates (all on Windows Server 2003 Enterprise)

Right so I know this is a problem with Kerberos. (We are using Kerberos because it’s the only way to solve the double hop problem.)

From my desktop machine (using kerbtray) I can see that a ticket gets issued to me when I access the SharePoint UI (http://web01/sites/start)


HTTP/web01.svr.emea.jpmchase.net
With flags (forwardable, renewable, preauthenticated, OK as delegate)

And if I access the report server URL (http://web02:3333/reportserver)
HTTP/web02.svr.emea.jpmchase.net:3333
With flags (forwardable, renewable, preauthenticated, OK as delegate)

For the above scenario, in the security event log on web01 I see this

Success Audit, 576, Privilege Use, Jason
Success Audit, 540, Logon/logoff, Jason
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Success Audit, 576, Privilege Use, Jason
Success Audit, 540, Logon/logoff, Jason
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

And the event log in web02 (the report server)
Success Audit, 576, Privilege Use, Jason
Success Audit, 540, Logon/logoff, Jason
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos

So, it’s all looking good so far.

Right, so now I got into

Central Administration → App Management → Manage Integration Settings.
URL: http://web02.svr.emea.jpmchase.net:3333/reportserver
Mode: Windows Authentication

Central Administration → App Management → Set Server Defaults
Page loads, and I leave the default settings

Now, usually, if the set server default settings page loads, then it means that ssrs is probably going to work. Alas.

When the user tries to navigate to a report from the UI, they get the dreaded error "An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode."

Ok, in the event log of the report server (web02), this is what I see.

Success Audit, 540, Logon/logoff, ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: web01

Success Audit, 538, Logon/logoff, ANONYMOUS LOGON
User Name: ANONYMOUS LOGON
Domain: NT Authority
Logon Type: 3


My guess is that it's some kind of Kerberos delegation error, but we have set all the accounts and computers up for delegation.

That is, all four servers and the users that have associated SPNs have this setting on the “Delegation” tab in AD.
“Trust this computer/user for delegation to any service (Kerberos Only)”

The services are running under the following accounts

The Shared Service centre is being run by an account called sjnbibmoss-ssrs-pool
The SharePoint App Pool is being run by an account called sjnbibmoss-pool
The SSRS App Pool is being run by an account called sjnbibmoss-ssrs-pool
The SSRS Service is being run by an account called sjnbibmoss-ssrs

(Oh, and the time is the same on all four servers)

Any help would be greatly appreciated!

Some more info from setspn

setspn -L web01
Registered ServicePrincipalNames for CN=WEB01,OU=PROD,OU=Servers,OU=IB-RATES,OU=LDN,OU=UK,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:
cifs/web01.emea.ad.jpmoranchase.com
cifs/web01
HOST/WEB01
HOST/web01.EMEA.AD.JPMORGANCHASE.COM

setspn -L web02
Registered ServicePrincipalNames for CN=WEB02,OU=PROD,OU=Servers,OU=IB-RATES,OU=LDN,OU=UK,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:
HOST/WEB02
HOST/web02.EMEA.AD.JPMORGANCHASE.COM

setspn -L emea\sjnbibmoss-pool
Registered ServicePrincipalNames for CN=SJNBIBMOSS-POOL,OU=Service Accounts,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:
HTTP/web01.svr.emea.jpmchase.net:2222
HTTP/web01.emea.ad.jpmorganchase.com:2222
HTTP/web01:2222
HTTP/web01.svr.emea.jpmchase.net
HTTP/web01.emea.ad.jpmorganchase.com
HTTP/web01

setspn -L emea\sjnbibmoss-ssrs-pool
Registered ServicePrincipalNames for CN=SJNBIBMOSS-SSRS-POOL,OU=Service Accounts,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:
HTTP/web02.svr.emea.jpmchase.net:3333
HTTP/web02:3333

setspn -L emea\sjnbibmoss-ssrs
Registered ServicePrincipalNames for CN=SJNBIBMOSS-SSRS,OU=Service Accounts,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:

setspn -L emea\sjnbibmoss-ssp-pool
Registered ServicePrincipalNames for CN=SJNBIBMOSS-SSP-POOL,OU=Service Accounts,DC=EMEA,DC=AD,DC=JPMORGANCHASE,DC=com:
HTTP/sldntsqgweb01.svr.emea.jpmchase.net:1111
HTTP/sldntsqgweb01.emea.ad.jpmorganchase.com:1111
HTTP/sldntsqgweb01:1111
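
Added example, not part of the original post: the by-eye comparison of the two web02 log excerpts above, done in code. It parses audit records in the layout quoted in the question and labels each network logon, singling out anonymous NTLM logons that arrive from a front end. The sample log is constructed, and the function names and the front_ends parameter are assumptions.

```python
import re
from collections import Counter

HEADER = re.compile(r"^(Success|Failure) Audit, (\d+), ([^,]+), (.+)$")
# Constructed sample, laid out like the web02 excerpts in the post.
SAMPLE_WEB02_LOG = """\
Success Audit, 540, Logon/logoff, Jason
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Success Audit, 540, Logon/logoff, ANONYMOUS LOGON
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: web01
Success Audit, 538, Logon/logoff, ANONYMOUS LOGON
Logon Type: 3
"""

def parse_events(text):
    """Split text into records: a header line plus its 'Key: Value' lines."""
    events = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"id": int(m.group(2)), "user": m.group(4).strip()})
        elif ":" in line and events:
            key, value = line.split(":", 1)
            events[-1][key.strip()] = value.strip()
    return events

def classify_logon(ev, front_ends):
    """Label a network logon (event 540, Logon Type 3) by how it authenticated."""
    if ev["id"] != 540 or ev.get("Logon Type") != "3":
        return None
    anonymous = ev["user"].upper() == "ANONYMOUS LOGON"
    package = ev.get("Authentication Package", "").upper()
    if package == "KERBEROS" and not anonymous:
        return "kerberos-user"
    if package == "NTLM" and anonymous:
        # The caller's identity did not arrive; note whether a front end sent it.
        source = ev.get("Workstation Name", "").lower()
        return "anonymous-ntlm-from-front-end" if source in front_ends else "anonymous-ntlm"
    return "other"

def summarize(text, front_ends=("web01",)):
    """Count logon classes; front_ends are WFE host names in lower case."""
    labels = (classify_logon(ev, front_ends) for ev in parse_events(text))
    return dict(Counter(label for label in labels if label))
```

A non-zero "anonymous-ntlm-from-front-end" count on the report server alongside "kerberos-user" logons matches the pattern described in the question: direct access authenticates with Kerberos, while the request relayed by the front end arrives without the user's identity.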

1 Answer Found

 
Answer #1    Answered By: Roxanna Hendricks     Answered On: Aug 14

I just went through a similar drill with our Report Server and that exact error. IIRC, our issue was related to issues in our Alternate Access Mappings within MOSS.

A few questions to clarify your issue to see if you're in the same situation we were in:

You're trying to make Reporting Services reports viewable through SharePoint natively?

If yes, do you have the Reporting services add-in for SharePoint installed?

Also, if that's the case, it might also be helpful to get a look at your Alternate Access Mappings. As I recall, RS only supports access through the Default Zone in SharePoint.

Now, this may or may not be relevant to your issue, but since your post was so beautifully detailed, I figured it would be a shame if it garnered no responses.

 
