For Kerberos to function, the client and the service must authenticate
each other. The service verifies the identity of the client (whether that
client is then allowed to reach a given resource is authorization, a
separate step that follows), and the client verifies that it is talking to
the genuine service rather than an impostor. Kerberos ties a service to an
identity through service principal names (SPNs): the KDC looks up the SPN the
client requests, finds the account that runs that service, and encrypts the
service ticket with that account's key, so only the real service can read it.
Every Kerberos-authenticated service therefore needs an SPN registered on its
service account. The SQL Server service needs one, and SharePoint needs one,
too.
Two SPNs need to be set for each service. One contains the NetBIOS name of
the server; the other contains its fully qualified domain name (FQDN). Both
are needed because a client builds the SPN from whatever name it used to reach
the server, so a connection by short name and a connection by FQDN request
different SPNs. If the requested SPN is not registered on any account, the KDC
cannot issue a ticket (the client sees KDC_ERR_S_PRINCIPAL_UNKNOWN), and the
connection either falls back to NTLM, which breaks delegation, or fails with
an authentication error. The opposite mistake, the same SPN registered on two
different accounts, also breaks Kerberos for that service, because the KDC
can no longer determine which account's key to use.
You configure SPNs either with the command-line utility setspn.exe or by
editing the servicePrincipalName attribute of the service account in the
ADSIEDIT.msc snap-in. Both require write access to that attribute, which by
default means a domain administrator or an account that has been delegated
that right. The examples below use setspn -A, which adds the SPN
unconditionally; on Windows Server 2008 and later, setspn -S does the same
but first checks the forest for a duplicate and refuses if one exists, and is
the safer choice. The following discussion walks through the SPNs required
for a PerformancePoint farm, using a SQL Server instance running on a server
called Server1 as the running example and assuming that the SQL Server
service listens on the default port, 1433.
The first SPNs to set are for the SharePoint web application URLs. They let
the web front end accept a Kerberos ticket from the user and forward
(delegate) that identity to other servers in the farm, which is what makes
per-user authentication possible for Excel Services and SharePoint list data
sources hosted in the same farm:
<MOSS-NetBIOS> is the host name in the URL that users type to reach the web front end. For instance, if the SharePoint URL is http://mySite, the SPN host is mySite. This is the name in the URL, which may be a host header or DNS alias rather than the machine's own NetBIOS name; the SPN has to match what the browser requests.
<MOSS-FQDN> is the fully qualified form of that same name. In the preceding example, the FQDN would be something like mySite.domain.companyname.com.
<AppPoolAccount> is the domain account under which the application pool serving that URL runs (in this discussion, the pool used by the PPS service application), specified as Domain\Username:
setspn -A HTTP/<MOSS-NetBIOS> <AppPoolAccount>
setspn -A HTTP/<MOSS-FQDN> <AppPoolAccount>
For per-user communication with Analysis Services data sources, the
following two SPNs need to be set for every Analysis Services server that
will be used as a data source with per-user authentication:
<AS-NetBIOS> is the NetBIOS name of the Analysis Services server that will be accessed with per-user authentication.
<AS-FQDN> is the FQDN of that Analysis Services server.
<ASAccount> is the domain account under which the SQL Server Analysis Services Windows service runs on that machine, specified as Domain\Username:
setspn -A MSOLAPSvc.3/<AS-NetBIOS> <ASAccount>
setspn -A MSOLAPSvc.3/<AS-FQDN> <ASAccount>
These forms apply to a default instance. A named instance is addressed as
MSOLAPSvc.3/<AS-FQDN>:<InstanceName>, and because clients locate a named
instance through the SQL Browser service, that host also needs
MSOLAPDisco.3/<AS-FQDN> registered on the account the browser service runs
under.
For per-user communication with SQL Server data sources, the following two
SPNs need to be set for every SQL Server that will be used as a data source
with per-user authentication. The TCP port is part of the SPN: if the instance
listens on a port other than the default 1433, use that port instead (a
named instance can alternatively be registered as
MSSQLSvc/<FQDN>:<InstanceName>):
<SQLAccount> is the domain account under which the SQL Server Windows service runs on that machine, specified as Domain\Username:
setspn -A MSSQLSvc/<NetBIOS>:1433 <SQLAccount>
setspn -A MSSQLSvc/<FQDN>:1433 <SQLAccount>
Before adding these by hand, check the SQL Server error log. If the service
runs as a built-in account (Local System or Network Service), or its domain
account has been granted the "Validated write to service principal name"
permission on itself, SQL Server registers these SPNs at startup and logs
"The SQL Server Network Interface library successfully registered the
Service Principal Name (SPN)"; in that case a manual registration only
creates a duplicate.
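The three registration steps above, carried out end to end as an added PowerShell example (this is not code from the original text or from Microsoft). It uses setspn -S rather than -A so that a duplicate SPN is refused instead of silently created, checks each SPN with setspn -Q first, lists the result per account, scans the forest with setspn -X, and finally asks the KDC for a ticket for the SQL SPN with klist so the registration is proven from the client side. The domain corp.example.com, the host names mySite, asserver and sqlserver, and the accounts CORP\svc_pps_pool, CORP\svc_ssas and CORP\svc_sql are assumed placeholders; the Get-SpnNames, Test-SpnExists and Register-Spn functions are defined here for illustration.

```powershell
# Added example, not from the original text: register and verify the SPNs described
# above for a PerformancePoint farm with one SharePoint URL, one Analysis Services
# server and one SQL Server. The domain, host names and service accounts below are
# assumed placeholders; replace them with your own. Run on a domain-joined machine as
# an account that may write the servicePrincipalName attribute of the target accounts.

$Domain = "corp.example.com"   # assumed DNS domain of the farm

$Services = @(
    # HTTP SPNs use the name users type in the URL (host header or alias) and go on
    # the account of the application pool that serves that URL.
    @{ Class = "HTTP";        HostName = "mySite";    Port = 0;    Account = "CORP\svc_pps_pool" },
    # Analysis Services default instance (no port or instance name in the SPN).
    @{ Class = "MSOLAPSvc.3"; HostName = "asserver";  Port = 0;    Account = "CORP\svc_ssas" },
    # SQL Server default instance on TCP 1433; change the port if the instance listens elsewhere.
    @{ Class = "MSSQLSvc";    HostName = "sqlserver"; Port = 1433; Account = "CORP\svc_sql" }
)

function Get-SpnNames {
    # Returns the two SPNs every service needs: the NetBIOS form and the FQDN form.
    param([string]$Class, [string]$HostName, [string]$Domain, [int]$Port)
    $suffix = if ($Port -gt 0) { ":$Port" } else { "" }
    return @("$Class/$HostName$suffix", "$Class/$HostName.$Domain$suffix")
}

function Test-SpnExists {
    # setspn -Q searches the whole forest and prints "No such SPN found." when absent.
    param([string]$Spn)
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    return ($output -notmatch "No such SPN found")
}

function Register-Spn {
    # setspn -S (Windows Server 2008 and later) refuses to add an SPN that another
    # account already holds; a duplicate SPN breaks Kerberos for that service.
    param([string]$Spn, [string]$Account)
    if (Test-SpnExists -Spn $Spn) {
        Write-Warning "$Spn is already registered; run 'setspn -X' to locate duplicates"
        return
    }
    & setspn.exe -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $Spn $Account failed with exit code $LASTEXITCODE" }
    Write-Host "Registered $Spn on $Account"
}

foreach ($svc in $Services) {
    $spns = Get-SpnNames -Class $svc.Class -HostName $svc.HostName -Domain $Domain -Port $svc.Port
    foreach ($spn in $spns) { Register-Spn -Spn $spn -Account $svc.Account }
}

# Verification: show what each account now holds and scan the forest for duplicates.
$Services | ForEach-Object { $_.Account } | Sort-Object -Unique | ForEach-Object {
    Write-Host "--- SPNs on $_"
    & setspn.exe -L $_
}
& setspn.exe -X

# From a client, ask the KDC for a service ticket for the SQL SPN. Success proves the
# SPN resolves to an account; error 0x7 (KDC_ERR_S_PRINCIPAL_UNKNOWN) means it does not.
$sql = $Services[2]
& klist.exe get ("MSSQLSvc/{0}.{1}:{2}" -f $sql.HostName, $Domain, $sql.Port)
```

The klist check at the end is the one to repeat from an actual user's workstation after the change: a ticket for MSSQLSvc/sqlserver.corp.example.com:1433 in the output of a plain klist means the client negotiated Kerberos, while its absence after a successful query means the connection fell back to NTLM and delegation will not work. If the ActiveDirectory module is available, Get-ADUser -Identity svc_sql -Properties servicePrincipalName shows the same data as setspn -L without shelling out.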