Huh? This doesn't make sense. SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:30000 for example.

Kerberos works by having the client say to the DC "I wish to connect to this service: http/yourserver" and the KDC hosted by AD looks in the AD database and finds the computer or user account that http/yourserver is registered under:

How Kerberos works
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx

How SPNs work and how to add them
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx

Simple authentication scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

And there's another 5 more posts in my FAQ:
http://www.adopenstatic.com/faq/

Cheers
Ken

-----Original Message-----
From: Troy Meyer [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 7:15 AM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

It's the other way around. Kerberos will query for SPNs and then find the machine (object) based on the DNS lookup of what is in that SPN. This is why good functional DNS is a HUGE part of Kerberos authentication.

Of course make sure you take care of the obvious first: are both service account and machines trusted for delegation? Is all time in sync for ticket distribution/expiration, etc.?

A good way to test your setup for kerb auth is using the LDP tool to query by SPN and see what it returns. Remember, contrary to many bloggers, you need ONLY the FQDN, and you can only have an SPN registered once per IP (NOT PORT).

Hope that helps a little, it's kind of like that accounting 201 class, once you understand how it all works together it seems like it all makes sense.

-Troy

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 1:13 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

But, from what I understand, Kerberos is going to look up the object based on what I type in (SPPS), so I'm not sure how it would find that SPN record. And to Troy who suggested that I do it based on IP address, I would have the same question.
I guess I'll just have to try it and see what happens.

...Tim

From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:53 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Ken is the real expert on SPNs (I STILL have that thread saved), but if your theory is true, then couldn't you just add the SPN to the computer object of the Sharepoint FE server? Adsiedit, browse to the server object. Edit ServicePrincipalName and add the cname there?

Don't know what the longer-term effects might be though. For example, if you add another FE server, what works now might become a problem.

-Bonnie

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:39 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, that implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.
...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 5:44 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working). Been through that paper, looking at network packet captures, and all sorts of things. Pinged MVPs, Microsoft people, and couldn't work it all out.

Upgrade to Vista - the WebDAV redirector was completely rewritten for Vista and works now :-)

Cheers
Ken

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Thursday, 22 May 2008 8:02 AM
To: NT System Admin Issues
Subject: Sharepoint Explorer View Issues

We're having some problems with some users' ability to use Explorer View in shared documents folders on our MOSS server. The symptom is that they get an authentication popup when they change from the All Documents view to Explorer view. They cannot authenticate with the pop up, no matter what credentials are used. If they cancel the popup, they get in, but have reduced functionality (can't drag & drop, copy, etc). The users affected by it appear to be completely random: some with IE6, some with IE7, nothing in common that I can see (all are XPSP2 or 3).

Googling for help on this yields a bunch of blog entries that all point to a 2006 MS White paper titled "Understanding and Troubleshooting the Sharepoint Explorer View". From reading this white paper, it sounds like we are getting FPRPC instead of WebDAV. Following the troubleshooting steps, we have confirmed that the Web Client Service is running, the content unencrypted over port 80. Manually adding the site to the local intranet zone makes no difference (it shows unknown zone/mixed by default).

So, does anyone know how to force IE to use WebDAV on a Sharepoint site?

...Tim
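The lookup Ken describes at the top of the thread (the client names a service, the KDC finds the account that SPN is registered under), as an added example that is not part of any message in the thread. It is a simplified model using case-insensitive exact matching on class/host[:port]; the account names and registrations are constructed, and only the names MOSS, SPPS and the MSSQL/yourserver SPNs come from the thread.

```python
from collections import defaultdict

def parse_spn(spn):
    """Split 'class/host[:port]' into a normalized lookup key.
    Simplification: the optional third '/servicename' part is not handled."""
    service_class, sep, rest = spn.strip().partition("/")
    if not sep or not service_class or not rest or "/" in rest:
        raise ValueError(f"unsupported SPN: {spn!r}")
    host, _, port = rest.partition(":")
    if not host:
        raise ValueError(f"missing host in SPN: {spn!r}")
    return (service_class.lower(), host.lower(), port.lower() or None)

def build_index(accounts):
    """Map each registered SPN key to the set of accounts that hold it."""
    index = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            index[parse_spn(spn)].add(account)
    return index

def lookup(index, requested_spn):
    """Model of the directory lookup: which account owns the requested SPN?"""
    owners = sorted(index.get(parse_spn(requested_spn), ()))
    if not owners:
        return ("not_found", owners)   # no account holds this SPN
    if len(owners) > 1:
        return ("duplicate", owners)   # same SPN on two accounts: ambiguous
    return ("ok", owners)

# Constructed directory contents (hypothetical account names).
ACCOUNTS = {
    "svc-sharepoint": ["HTTP/moss"],                 # SPN set up for MOSS only
    "svc-sql-a": ["MSSQL/yourserver:1433"],
    "svc-sql-b": ["MSSQL/yourserver:30000", "HTTP/intranet"],
    "WEB02$": ["HTTP/intranet"],                     # duplicate registration
}
INDEX = build_index(ACCOUNTS)

if __name__ == "__main__":
    for spn in ("http/MOSS", "HTTP/spps", "MSSQL/yourserver:1433",
                "MSSQL/yourserver:30000", "HTTP/intranet"):
        print(f"{spn:26} -> {lookup(INDEX, spn)}")
```

In this model a request for HTTP/spps finds nothing until that SPN is registered on some account, and the two port-qualified MSSQL SPNs resolve to different accounts.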