SharePoint, Reporting Services and Kerberos authentication
Summary: Troubleshooting Kerberos authentication and Reporting Services integrated into SharePoint 2007.
System setup:
server 1 – Domain controller
server 2 – SharePoint and Reporting Services
server 3 – SQL 2005 server
First of all, thanks to this post, which contains an excellent walkthrough for how to enable Kerberos authentication for SharePoint 2007 and also provides lists of which SPNs to use where.
I had successfully enabled Kerberos authentication and was happily browsing around the SharePoint site, but Reporting Services still wasn’t functioning correctly. I decided to check out the security logs on server 2 and could see my authentication requests for browsing the SharePoint site. I was consistently being authenticated using NTLM rather than with Kerberos. When I tried to run the report (report.rdl) that I had stored in the SharePoint document library, it would generate the following error:
“An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode.”
At the same time in the server 2 security logs I would see two entries for the following user: NT AUTHORITY\ANONYMOUS LOGON
After much hair pulling and frustration I ended up doing a Wireshark (was Ethereal) capture and noticed that the SPN being used for the Kerberos authentication was incorrect. Instead of being http/intranet it was using http/server2. After a quick dig through DNS I found that the entry for intranet had been added as a CNAME record instead of an A record. After changing it to an A record and rebooting the PC, Kerberos started functioning correctly and Reporting Services started rendering the reports correctly.
It seems that if you use a CNAME record, then when IE does a DNS lookup and finds a CNAME entry it uses that for authentication rather than using the original site name.
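The check below is an added example, not part of the original post: it models the behaviour described above, where the SPN is built from the name that owns the A record rather than from the name in the URL, and flags a mismatch before it shows up as an NTLM fallback or an ANONYMOUS LOGON entry. The zone contents, the 192.0.2.10 address, the function names and the assumption that only http/intranet is registered on the SharePoint application pool account are constructed for illustration.

```python
# Added example. DNS zones and the SPN list are constructed sample data.

def canonical_name(host, zone):
    """Follow CNAME records until the name that owns an A record."""
    name, seen = host.lower().rstrip("."), set()
    while name not in seen:
        seen.add(name)
        rtype, value = zone.get(name, (None, None))
        if rtype == "A":
            return name
        if rtype != "CNAME":
            raise LookupError(f"no A or CNAME record for {name}")
        name = value.lower().rstrip(".")
    raise LookupError(f"CNAME loop at {name}")


def diagnose(url_host, zone, app_pool_spns):
    """Compare the SPN the browser asks for with the one that was set up."""
    expected = f"http/{url_host.lower()}"
    requested = f"http/{canonical_name(url_host, zone)}"
    registered = {s.lower() for s in app_pool_spns}
    return {
        "expected_spn": expected,
        "requested_spn": requested,
        "alias_rewritten": requested != expected,
        "registered_for_app_pool": requested in registered,
    }


# Constructed zone matching the broken setup: intranet is a CNAME to server2.
CNAME_ZONE = {"intranet": ("CNAME", "server2"), "server2": ("A", "192.0.2.10")}
# Constructed zone after the fix: intranet has its own A record.
A_ZONE = {"intranet": ("A", "192.0.2.10"), "server2": ("A", "192.0.2.10")}
# Assumption: only http/intranet is registered on the app pool account.
APP_POOL_SPNS = {"http/intranet"}

if __name__ == "__main__":
    for label, zone in (("CNAME", CNAME_ZONE), ("A record", A_ZONE)):
        print(label, diagnose("intranet", zone, APP_POOL_SPNS))
```

To run the same comparison against a live environment, replace the zone dictionary with the record types returned by a DNS query for the site name and the SPN set with the SPNs actually registered on the service account.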