RE: Sharepoint Explorer View Issues
We did this, and it worked perfectly. Thanks for the education and your help on this.

FYI, once we got Kerberos working properly, the explorer view problem went away without having to upgrade to Vista.

...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 7:29 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

What account is your Sharepoint application running under? That is the account (whether it be computer or user) that you'd register the http/spps and http/spps.yourdomain.whatever SPNs under (unless you are using IIS 7)

Cheers
Ken

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 5:39 AM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.

...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 5:44 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working). Been through that paper, looking at network packet captures, and all sorts of things. Pinged MVPs, Microsoft people, and couldn't work it all out.

Upgrade to Vista - the WebDAV redirector was completely rewritten for Vista and works now :-)

Cheers
Ken

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Thursday, 22 May 2008 8:02 AM
To: NT System Admin Issues
Subject: Sharepoint Explorer View Issues

We're having some problems with some users' ability to use Explorer View in shared documents folders on our MOSS server. The symptom is that they get an authentication popup when they change from the All Documents view to Explorer view. They cannot authenticate with the pop up, no matter what credentials are used. If they cancel the popup, they get in, but have reduced functionality (can't drag drop, copy, etc). The users affected by it appear to be completely random, some with IE6, some with IE7, nothing in common that I can see (all are XPSP2 or 3).

Googling for help on this yields a bunch of blog entries that all point to a 2006 MS White paper titled Understanding and Troubleshooting the Sharepoint Explorer View. From reading this white paper, it sounds like we are getting FPRPC instead of WebDAV. Following the troubleshooting steps, we have confirmed that the Web Client Service is running, the content unencrypted over port 80. Manually adding the site to the local intranet zone makes no difference (it shows unknown zone/mixed by default).

So, does anyone know how to force IE to use WebDAV on a Sharepoint site?

...Tim

~ Upgrade to Next Generation Antispam/Antivirus with Ninja!~
~ http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm ~
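The check behind Ken's question in this thread, as an added example that is not part of the original messages: it asks AD which account holds each HTTP SPN for the host-header name (the same query-by-SPN lookup that can be done by hand in LDP) and reports whether that is the account the SharePoint application runs under. It only reads from the directory. The account name `svc-moss` is a hypothetical placeholder; `spps` and `yourdomain.whatever` are the names used in the messages.

```powershell
# Added example, not from the thread. Read-only: queries AD and prints advice.
# Hypothetical value: the svc-moss account name. The alias spps and the suffix
# yourdomain.whatever are the names used in the messages.
param(
    [string]$Alias     = 'spps',
    [string]$DnsSuffix = 'yourdomain.whatever',
    [string]$Account   = 'svc-moss'   # sAMAccountName; a computer account ends in $
)

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Escape the characters RFC 4515 reserves inside a filter value.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-SpnOwner {
    param([string]$Spn)
    # The lookup the KDC performs: which account carries this servicePrincipalName?
    $filter   = '(servicePrincipalName={0})' -f (ConvertTo-LdapFilterValue $Spn)
    $searcher = [adsisearcher]$filter      # searches the current domain only
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    foreach ($hit in $searcher.FindAll()) {
        $hit.Properties['samaccountname'][0]
    }
}

function Test-SpnRegistration {
    param([string]$Spn, [string]$ExpectedAccount)

    $owners = @(Get-SpnOwner -Spn $Spn)

    # Missing      : no account holds the SPN, so the KDC cannot issue a ticket.
    # Duplicate    : more than one account holds it, so the KDC cannot pick one.
    # WrongAccount : the ticket is encrypted for an account the site does not
    #                run as, and the server cannot decrypt it.
    $status = if ($owners.Count -eq 0) { 'Missing' }
              elseif ($owners.Count -gt 1) { 'Duplicate' }
              elseif ($owners[0] -eq $ExpectedAccount) { 'OK' }
              else { 'WrongAccount' }

    $fix = switch ($status) {
        'Missing'      { "setspn -S $Spn $ExpectedAccount" }
        'Duplicate'    { "setspn -D $Spn <account> for every owner except $ExpectedAccount" }
        'WrongAccount' { "setspn -D $Spn $($owners[0]); setspn -S $Spn $ExpectedAccount" }
        default        { '' }
    }

    [pscustomobject]@{
        Spn    = $Spn
        Status = $status
        Owners = $owners -join ', '
        Fix    = $fix
    }
}

# Both the short name and the FQDN, as in Ken's reply.
"http/${Alias}", "http/${Alias}.${DnsSuffix}" |
    ForEach-Object { Test-SpnRegistration -Spn $_ -ExpectedAccount $Account } |
    Format-Table -AutoSize -Wrap
```

`setspn -S` checks for an existing registration before adding and is available on Windows Server 2008 and later; older versions of the tool only have `-A`, which adds without checking.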
RE: Sharepoint Explorer View Issues
Hi Ken,

Great info!

Thanks!
Tom

Thomas W. Shinder, M.D. || Sr. Consultant / Technical Writer
[EMAIL PROTECTED] || www.prowessconsulting.com
Mobile: Pending || Phone: Pending || Fax (206) 443.1119
Blog: http://blogs.isaserver.org/shinder || Books: http://tinyurl.com/2gpoo8
PROWESS CONSULTING || documentation || integration || virtualization

-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 9:32 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Huh? This doesn't make sense. SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:3 for example.

Kerberos works by having the client say to the DC "I wish to connect to this service: http/yourserver" and the KDC hosted by AD looks in the AD database and finds the computer or user account that http/yourserver is registered under:

How Kerberos works
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
How SPNs work and how to add them
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Simple authentication scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

And there's another 5 most posts in my FAQ: http://www.adopenstatic.com/faq/

Cheers
Ken

-Original Message-
From: Troy Meyer [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 7:15 AM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

It's the other way around. Kerberos will query for SPNs and then find the machine (object) based on the dns lookup of what is in that SPN. This is why good functional DNS is a HUGE part of Kerberos authentication.

Of course make sure you take care of the obvious first: are both service account and machines trusted for delegation. Is all time in sync for ticket distribution/expiration, etc.

A good way to test your setup for kerb auth is using the LDP tool to query by SPN and see what it returns.
RE: Sharepoint Explorer View Issues
You are correct, but with HTTP spns, you can't have multiple SPNs with the same IP using different ports (though it does work with SQL).

This is straight from the mouth of the Microsoft PFE I was sitting with last week. (I tried and failed in our kerb implementation for MOSS, and then he came in and saved my bacons.)

-troy

-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 7:32 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Huh? This doesn't make sense. SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:3 for example.

Kerberos works by having the client say to the DC "I wish to connect to this service: http/yourserver" and the KDC hosted by AD looks in the AD database and finds the computer or user account that http/yourserver is registered under:

How Kerberos works
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
How SPNs work and how to add them
http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Simple authentication scenario
http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

And there's another 5 most posts in my FAQ: http://www.adopenstatic.com/faq/

Cheers
Ken

-Original Message-
From: Troy Meyer [mailto:[EMAIL PROTECTED]
Sent: Saturday, 26 July 2008 7:15 AM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

It's the other way around. Kerberos will query for SPNs and then find the machine (object) based on the dns lookup of what is in that SPN. This is why good functional DNS is a HUGE part of Kerberos authentication.

Of course make sure you take care of the obvious first: are both service account and machines trusted for delegation. Is all time in sync for ticket distribution/expiration, etc.

A good way to test your setup for kerb auth is using the LDP tool to query by SPN and see what it returns.
RE: Sharepoint Explorer View Issues
-Original Message-
From: Troy Meyer [mailto:[EMAIL PROTECTED]
Sent: Sunday, 27 July 2008 6:45 AM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

> You are correct, but with HTTP spns, you can't have multiple SPNs with the same IP using different ports (though it does work with SQL).

In any case, the SPN is based on the service's servername (http/servername or http/servername.domain.local), so as long as each web application is based at its own FQDN, then there is no need for separate IP addresses. Just register: http/moss and http/spps even if both websites are running on the same server, at the same IP address, on port 80.

Or, you can even use different ports at the same IP address.

> This is straight from the mouth of the Microsoft PFE I was sitting with last week. (I tried and failed in our kerb implementation for MOSS, and then he came in and saved my bacons.)

I think the PFE might have been saying something slightly different to what you think he might have been saying (or maybe he wasn't explaining it very well, or something similar, but I don't want to jump the gun and say what I think he might have been saying...). Can you put me in touch with him so we can clarify the situation?

Cheers
Ken

-Original Message-
From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 7:32 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Huh? This doesn't make sense. SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:3 for example.
RE: Sharepoint Explorer View Issues
Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.

...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 5:44 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working). Been through that paper, looking at network packet captures, and all sorts of things. Pinged MVPs, Microsoft people, and couldn't work it all out.

Upgrade to Vista - the WebDAV redirector was completely rewritten for Vista and works now :-)

Cheers
Ken

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Thursday, 22 May 2008 8:02 AM
To: NT System Admin Issues
Subject: Sharepoint Explorer View Issues

We're having some problems with some users' ability to use Explorer View in shared documents folders on our MOSS server.
RE: Sharepoint Explorer View Issues
Ken is the real expert on SPNs (I STILL have that thread saved), but if your theory is true, then couldn't you just add the SPN to the computer object of the Sharepoint FE server? Adsiedit, browse to the server object. Edit ServicePrincipalName and add the cname there?

Don't know what the longer-term effects might be though. For example, if you add another FE server, what works now might become a problem.

-Bonnie

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:39 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.

...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 5:44 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working).
RE: Sharepoint Explorer View Issues
The secret here is multiple IP addresses. Instead of a CNAME for SPPS, create a new A record and give that new IP to the sharepoint server. Then create your HTTP SPN using the new IP.

Kerberos for MOSS/WSS is a bit complicated, but figure any web app with a separate name will need its own IP. Our MOSS install includes a separate SPN/IP/Hostname for the actual site, the ssp, and the mysites site.

Good Luck
Troy

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:39 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.

...Tim

From: Ken Schaefer [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 21, 2008 5:44 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working).
RE: Sharepoint Explorer View Issues
But, from what I understand, Kerberos is going to look up the object based on what I type in (SPPS), so I'm not sure how it would find that SPN record. And to Troy who suggested that I do it based on IP address, I would have the same question.

I guess I'll just have to try it and see what happens.

...Tim

From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:53 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Ken is the real expert on SPNs (I STILL have that thread saved), but if your theory is true, then couldn't you just add the SPN to the computer object of the Sharepoint FE server? Adsiedit, browse to the server object. Edit ServicePrincipalName and add the cname there?

Don't know what the longer-term effects might be though. For example, if you add another FE server, what works now might become a problem.

-Bonnie

From: Tim Evans [mailto:[EMAIL PROTECTED]
Sent: Friday, July 25, 2008 12:39 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Maybe I'm beating a dead horse here, but I've got to try :-)

We've discovered that by disabling Kerberos authentication on the site everything works perfectly. So, implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.

The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.

Any thoughts?

...Tim

From: Tim Evans
Sent: Wednesday, May 21, 2008 6:04 PM
To: NT System Admin Issues
Subject: RE: Sharepoint Explorer View Issues

Darn, Ken.
RE: Sharepoint Explorer View Issues
It's the other way around. Kerberos will query for SPNs and then find the machine (object) based on the DNS lookup of what is in that SPN. This is why good functional DNS is a HUGE part of Kerberos authentication.

Of course make sure you take care of the obvious first: are both service account and machines trusted for delegation? Is all time in sync for ticket distribution/expiration, etc.?

A good way to test your setup for kerb auth is using the LDP tool to query by SPN and see what it returns. Remember, contrary to many bloggers, you need ONLY the FQDN, and you can only have an SPN registered once per IP (NOT PORT).

Hope that helps a little, it's kind of like that accounting 201 class, once you understand how it all works together it seems like it all makes sense.

-Troy
RE: Sharepoint Explorer View Issues
OK, that's starting to make some sense. I went back and checked what we did to set the SPN previously, and we set the SPN for HTTP/MOSS on the service account. Would I set the IP SPN on the service account object or the computer object?

I also checked the other items: Neither the computer account nor the service account was trusted for delegation. So, I enabled both the service account and the computer account for delegation on HTTP/MOSS. Would I need to add delegation for SPPS or the IP address here too?

Time sync is good.

...Tim
RE: Sharepoint Explorer View Issues
What account is your Sharepoint application running under? That is the account (whether it be computer or user) that you'd register the http/spps and http/spps.yourdomain.whatever SPNs under (unless you are using IIS 7).

Cheers
Ken
RE: Sharepoint Explorer View Issues
Huh? This doesn't make sense. SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:3 for example.

Kerberos works by having the client say to the DC "I wish to connect to this service: http/yourserver" and the KDC hosted by AD looks in the AD database and finds the computer or user account that http/yourserver is registered under:

How Kerberos works: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
How SPNs work and how to add them: http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
Simple authentication scenario: http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx

And there's another 5 more posts in my FAQ: http://www.adopenstatic.com/faq/

Cheers
Ken
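The SPN-to-account lookup Ken describes, including his point that a port is part of the name, can be checked offline before anything is changed in AD. The following is an added example, not code from the thread or from Microsoft: a simplified Python model of that lookup run over a constructed LDIF-style export. The DNs and the svc-sharepoint and svc-sql account names are assumptions, and the model ignores AD's built-in HOST alias mapping.

```python
from collections import defaultdict

# Constructed LDIF-style export. The DNs and the svc-* account names are
# assumptions; only the MOSS/SPPS names and the SPN strings come from the thread.
SAMPLE_LDIF = """\
dn: CN=MOSS,OU=Servers,DC=yourdomain,DC=whatever
servicePrincipalName: HOST/MOSS
servicePrincipalName: HOST/moss.yourdomain.whatever

dn: CN=svc-sharepoint,OU=Service Accounts,DC=yourdomain,DC=whatever
servicePrincipalName: HTTP/MOSS

dn: CN=svc-sql,OU=Service Accounts,DC=yourdomain,DC=whatever
servicePrincipalName: MSSQL/yourserver:1433
"""
COMPUTER_DN = "CN=MOSS,OU=Servers,DC=yourdomain,DC=whatever"
SERVICE_DN = "CN=svc-sharepoint,OU=Service Accounts,DC=yourdomain,DC=whatever"


def parse_ldif(text):
    """Return {dn: [spn, ...]} from a minimal LDIF export (no folding, no base64)."""
    accounts, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            dn = None  # a blank line ends the current record
            continue
        attr, _, value = line.partition(":")  # split at the first colon only
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            dn = value
            accounts[dn] = []
        elif attr == "serviceprincipalname" and dn is not None:
            accounts[dn].append(value)
    return accounts


def normalize(spn):
    """SPNs compare case-insensitively; class, host and port all form the key."""
    service_class, _, rest = spn.strip().partition("/")
    if not service_class or not rest:
        raise ValueError(f"not an SPN: {spn!r}")
    return f"{service_class.lower()}/{rest.lower()}"


def build_index(accounts):
    """Map each normalized SPN to the set of accounts that carry it."""
    index = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            index[normalize(spn)].add(dn)
    return index


def resolve(index, requested_spn):
    """Model the lookup: 'ok' (one account), 'unknown' (none), 'duplicate' (several)."""
    owners = sorted(index.get(normalize(requested_spn), ()))
    if not owners:
        return "unknown", owners
    if len(owners) > 1:
        return "duplicate", owners
    return "ok", owners


def run_scenario():
    accounts = parse_ldif(SAMPLE_LDIF)
    results = {}
    # Only HTTP/MOSS is registered, so a request for the alias finds no account.
    results["before"] = resolve(build_index(accounts), "HTTP/spps")
    # Register the short and fully qualified alias on the account the
    # application runs under.
    for spn in ("http/spps", "http/spps.yourdomain.whatever"):
        accounts[SERVICE_DN].append(spn)
    index = build_index(accounts)
    results["after_fix"] = resolve(index, "HTTP/SPPS")
    results["fqdn"] = resolve(index, "http/spps.yourdomain.whatever")
    # A port is part of the name: :1433 is registered, :3 is not.
    results["port_1433"] = resolve(index, "MSSQL/yourserver:1433")
    results["port_3"] = resolve(index, "MSSQL/yourserver:3")
    # The same SPN on a second account makes the lookup ambiguous.
    accounts[COMPUTER_DN].append("HTTP/spps")
    results["duplicate"] = resolve(build_index(accounts), "http/spps")
    return results


if __name__ == "__main__":
    for step, (status, owners) in run_scenario().items():
        print(f"{step:10} {status:9} {owners}")
```

Against a real directory, the input comes from `setspn -L <account>` for each account, or from an LDP search with the filter `(servicePrincipalName=http/spps*)`.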
RE: Sharepoint Explorer View Issues
Here are all the parts (for reference) to date (I am hoping to add cross-Forest UPN suffix routing this weekend):

IIS (Internet Information Services) and Kerberos FAQ

* IIS and Kerberos Part 1 - What is Kerberos and how does it work? http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
* IIS and Kerberos Part 2 - Service Principal Names (SPNs) http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
* IIS and Kerberos Part 3 - A simple scenario http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
* IIS and Kerberos Part 4 - A simple delegation scenario http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/28/1282.aspx
* IIS and Kerberos Part 5 - Protocol Transition, Constrained Delegation, S4U2S and S4U2P http://www.adopenstatic.com/cs/blogs/ken/archive/2007/07/19/8460.aspx
* IIS and Kerberos Part 6 - What's new in IIS 7 http://www.adopenstatic.com/cs/blogs/ken/archive/2008/02/21/16275.aspx
* IIS and Kerberos Part 7 - A simple cross Forest scenario http://www.adopenstatic.com/cs/blogs/ken/archive/2008/05/12/17533.aspx
* IIS and Kerberos Part 8 - A simple cross Forest/Domain scenario delegation scenario http://www.adopenstatic.com/cs/blogs/ken/archive/2008/06/28/17805.aspx

Cheers
Ken
RE: Sharepoint Explorer View Issues
I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working). Been through that paper, looking at network packet captures, and all sorts of things. Pinged MVPs, Microsoft people, and couldn't work it all out.

Upgrade to Vista - the WebDAV redirector was completely rewritten for Vista and works now :-)

Cheers
Ken
RE: Sharepoint Explorer View Issues
Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet. Thanks anyway.

...Tim