Lucas Pacheco

Tips to debug authentication error with Kerberos on Windows Server

Authentication errors with Kerberos on Windows Server are not unusual, and there are many pages on the internet about Kerberos and Windows Server that can help you track them down. The summarized steps below may help you identify the problem and, with luck, resolve it.

Steps

1 - Check that the application on the Windows Server has every authentication option disabled except Windows Authentication, which must be enabled.

2 - In the Windows Authentication section, click "Advanced Settings" and make sure that the Negotiate provider is present and in the first position of the enabled providers list. If you also want to allow NTLM authentication as a fallback, leave NTLM in second position.

3 - For performance reasons, check the "Use kernel mode" option. With this option enabled, the machine account is used by default to decrypt Kerberos tickets.

4 - If you use a custom account for your ApplicationPool, check the application's Windows Authentication settings in the Configuration Editor. Open the path system.webServer/security/authentication/windowsAuthentication and make sure the UseAppPoolCredentials option is set to True, so that tickets are decrypted with the application pool account rather than the machine account.

5 - If your WebServer and apps are correctly configured to accept Kerberos authentication and the error persists, check whether the account used to authenticate with Kerberos is itself set up correctly.

6 - Check that the account's SPNs are correctly configured. To list the SPNs of an account, run the following command in PowerShell from a machine joined to the same AD domain (the server itself will do):

setspn -l domain\account_name

The command returns the SPNs registered on the account. Make sure the account has the correct SPN for the name of the server used for authentication, e.g. HTTP/myserver.com or SERV/myserv. Also verify that the same SPN is not registered on more than one account, as duplicate SPNs cause Kerberos failures.

If no SPNs are configured, you can add an SPN to an AD account with the following command, provided you have the permissions to do so:

setspn -s HTTP/myserver.com domain\account_name

7 - If you use a MachineAccount to authenticate with Kerberos on your WebServer, check the SPNs configured on the MachineAccount from the server itself:

setspn -l server_name

If you do not have the correct SPNs, follow the steps to add an SPN in item 6.
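The SPN checks in steps 6 and 7 are done one account at a time with setspn. The following script is an added example, not part of the original post: it lists every SPN registered in the current domain, reports any SPN held by more than one account (the duplicate case step 6 warns about), and shows which account owns a given SPN such as HTTP/myserver.com. It assumes a domain-joined machine and a domain user; it uses only the built-in [adsisearcher] type accelerator, so no RSAT module is required.

```powershell
# Added example (not from the original post): find duplicate SPNs in the domain and
# look up the owner of a specific SPN. A duplicate SPN means the KDC cannot choose
# which account's key to use, so Kerberos fails for that service.
# Assumption: run on a domain-joined machine as a domain user (no RSAT needed).

function Get-DomainSpnTable {
    # Search the whole domain (users and computers) for objects with at least one SPN.
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # paged results so large domains are fully enumerated
    $searcher.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'sAMAccountName'))

    $table = @{}   # lowercased SPN -> list of sAMAccountNames holding it
    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            # SPN comparison is case-insensitive, so normalise before grouping.
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $table.ContainsKey($key)) {
                $table[$key] = [System.Collections.Generic.List[string]]::new()
            }
            $table[$key].Add($account)
        }
    }
    return $table
}

function Find-DuplicateSpn {
    # Emit one row per SPN that is registered on more than one account.
    param([hashtable]$SpnTable = (Get-DomainSpnTable))
    foreach ($entry in $SpnTable.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Accounts = ($entry.Value -join ', ') }
        }
    }
}

function Get-SpnOwner {
    # Return the account(s) that hold the given SPN, or nothing if it is unregistered.
    param([Parameter(Mandatory)][string]$Spn, [hashtable]$SpnTable = (Get-DomainSpnTable))
    $SpnTable[$Spn.ToLowerInvariant()]
}

$spns = Get-DomainSpnTable
Find-DuplicateSpn -SpnTable $spns | Format-Table -AutoSize
Get-SpnOwner -Spn 'HTTP/myserver.com' -SpnTable $spns   # expect exactly one account
```

If Get-SpnOwner returns nothing for the server's HTTP SPN, register it as in step 6; if it returns two accounts, remove the SPN from the one that should not own it. The built-in `setspn -X` reports the same duplicate set if you prefer the command-line tool.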

I hope these steps helped you solve your problem as they helped me!

For other issues, please comment below, maybe we can help each other.
