The following table describes the authentication defaults that are used based on SPN registration scenarios. As an alternative, a user can specify the account name as an SPN.
Note: The information that is provided in this topic also applies to SQL Server configurations that use clustering.
Note: The new SPN format doesn't require a port number. Note: If an SPN already exists, it must be deleted before it can be reregistered.
The SPN lookup fails or doesn't map to a correct domain account, virtual account, MSA, or built-in account, or isn't a correct domain account, virtual account, MSA, or built-in account. This just allows Reporting Services to forward the user's credentials to another service. The service we are forwarding to still needs to be set up properly.
Reporting Services at this point should be good to go though. What SPN do I use and how does it get there? I won't go through all the details again here, so I will make a few assumptions. Error: 0x, state: This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies. The SQL Service is using the sqlservice account. In this case, it is a default instance, so we know the port will be The client in this case being Reporting Services.
Reporting Services is a. Everything looks good on the SPN front. For good measure, you may want to use the setspn tool to search for duplications. It is a new feature of SPN that was added in Windows It is the -X command. It will search the entire domain for duplicates. You should never have a duplicate as it will cause an error.
Looks like we do not have any duplicate SPNs. NOTE: Depending on how you have approached the setup, you may still encounter an error because the failed Kerberos requests may still be cached. You can either wait for the cache to clear out, or you can restart the services to get it going. I had to recycle SharePoint and Reporting Services for it to start working on my box, as well as log off and back in or just run klist purge on the client.
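What a duplicate-SPN search looks for can be shown offline. The following is an added example, not code from the original post: it parses text in the layout that setspn -L prints and reports any SPN held by more than one account. The account DNs, host names and the example.test domain are constructed sample data.

```python
from collections import defaultdict

# Constructed sample: output in the layout `setspn -L <account>` prints,
# concatenated for three hypothetical accounts in a made-up domain.
SAMPLE = """\
Registered ServicePrincipalNames for CN=sqlservice,CN=Users,DC=example,DC=test:
\tMSSQLSvc/sql01.example.test
\tMSSQLSvc/sql01
Registered ServicePrincipalNames for CN=rsservice,CN=Users,DC=example,DC=test:
\tHTTP/reports.example.test
\tHTTP/reports
Registered ServicePrincipalNames for CN=SQL01,CN=Computers,DC=example,DC=test:
\tmssqlsvc/SQL01.example.test
\tHOST/sql01.example.test
"""

HEADER = "Registered ServicePrincipalNames for "


def parse_listing(text):
    """Return {account_dn: [spn, ...]} from concatenated setspn -L output."""
    accounts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(HEADER):
            current = line[len(HEADER):].rstrip(":")
            accounts[current] = []
        elif line and current is not None:
            accounts[current].append(line)
    return accounts


def find_duplicates(accounts):
    """Map each SPN held by more than one account to the sorted account DNs.

    SPNs are compared case-insensitively, so entries that differ only in
    letter case count as the same SPN.
    """
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicates(parse_listing(SAMPLE)).items():
        print(f"DUPLICATE {spn}")
        for dn in dns:
            print(f"    {dn}")
```

In the sample, the SQL SPN is registered on both the sqlservice account and the SQL01 computer account, which is the kind of conflict that has to be removed from one of the two accounts before Kerberos can work.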
For your back end server, you may not need to enable delegation. If the hops stop with this server, then we are done and do not need delegation. However, if this backend server will be continuing on to another service, then delegation will be necessary if it will try to forward the Windows user credential. However, just the fact that you have a Linked Server doesn't mean that you need delegation. It is dependent on how you configure authentication on the Linked Server.
If "Be made using the login's current security context" is selected for the Linked Server, then we will need to enable delegation for the SQL Service account. There are also other things that may require delegation from SQL. The general rule of thumb is that if anything within SQL is trying to reach out to another resource and will need to send the current user's credentials, then you will need Delegation enabled on the SQL Service Account.
So, that's it. We went through each stop along the communication path (SharePoint, RS and SQL), and we validated the settings for each one as we got there.
We also saw that certain things began to work as we enabled items. And, we also looked at when you need to enable delegation or not depending on whether that service needed to reach out to another service. For Reporting Services, had we not been hitting a data source, we may not have needed to enable Delegation on the rsservice account as I showed with the HelloWorld report.
But when we need to access data, we then need to have it if we want to use Kerberos. The other option would be to store the credentials within the data source. Hopefully this helps someone when trying to set up this type of deployment, or any deployment that requires Kerberos in order to work.
Adam W. Trust this user for delegation to any service Kerberos only.