Kerberos Issues With Reporting Services and SharePoint in a Distributed Environment
Friday, 20. February 2009, 10:28:02
This seems to cause huge headaches when integrating Reporting Services and SharePoint. After installing the addin correctly and successfully on all your servers, you are unable to complete the setup in Sentral Administration when using Windows Authentication. In "Manage Integration Settings", you are constantly plagued by the error
This is caused by incorrectly configured Kerberos somewhere in the system. Kerberos is an authetication mechanism used to pass credentials from one service to another across computers. It's the mechanism which allows SharePoint to authenticate to Reporting Services on a separate server, and which allows a user's credentials to be passed from their browser to SharePoint to Reporting Services to a data source.
The problem with Kerberos is that you don't just click a setting to enable it. It doesn't need to be enabled - it needs to be configured, and there are lots of places the configuration can go wrong. Depending on how your environment was set up, you may find problems in several different places. Here is my list of steps to sort everything out and get it working.
Hopefully this checklist will help, integrating SharePoint and Reporting Services can be a frustrating task!
Server was unable to process request. ---> The request failed with HTTP status 401: UnauthorizedYou most likely get this message only when your various services are running under domain accounts rather than the built in accounts like Network Service.
This is caused by incorrectly configured Kerberos somewhere in the system. Kerberos is an authetication mechanism used to pass credentials from one service to another across computers. It's the mechanism which allows SharePoint to authenticate to Reporting Services on a separate server, and which allows a user's credentials to be passed from their browser to SharePoint to Reporting Services to a data source.
The problem with Kerberos is that you don't just click a setting to enable it. It doesn't need to be enabled - it needs to be configured, and there are lots of places the configuration can go wrong. Depending on how your environment was set up, you may find problems in several different places. Here is my list of steps to sort everything out and get it working.
- If you have any IIS websites on your Reporting Services machine, and they have an SPN already set, you will have to run Reporting Services web service under the same account as the app pools your other sites are using. This is because the http service can only have one SPN assigned to it (see below). In practical terms this is most likely to be a problem if your RS server also has a SharePoint front end web site which you want to keep active for some reason. In this case you would have to run RS using the same account as you run SharePoint's web app.
- Setting SPNs
Kerberos requires that a Service Principal Name is registered in the domain's Active Directory for the http service. This is explained at this Knowledge Base article. Essentially you need to runsetspn -a http/<ReportingServer> <domain>\<user>
setspn -a http/<ReportingServer>.domain <domain>\<user>
You need domain admin rights to do this.
- Remove duplicate SPNs
If there is already an SPN for the http service on the Reporting Services box, it must be removed - or you will have to run RS under that account (as above). You can't have one SPN registered twice to separate accounts - even though the setspn tool will quite happily allow you to do it without any kind of warning. Finding duplicate SPNs is tricky, information is available from Microsoft.
- Setting Trusts in Active Directory
With the SPNs set, you now need to set up trusts. A trust is an indication that a particular account is allowed to delegate credentials on another account's behalf (still with me?). Again you need domain admin rights to do this. In Active Directory Users and Computers, open the properties for the account which RS is running under. Open the Delegation tab and enable 'Trust this user/computer for delegation to any service (Kerberos)'. Then repeat this for the Reporting Services computer.
- Setting Authentication Providers in SharePoint
SharePoint needs to be told to use Kerberos. In Central Administration, go to Application Management -> Authentication Providers. Change the web application to the Central Administration app (this is important!) then select the default authentication link. Set to "Integrated Windows Authentication" and "Negotiate (Kerberos)". Save everything and then run IISRESET on the SharePoint web front end host server (not the Reporting Services server). If you have other authentication provider schemes, you will probably need to perform the same steps for them.
- Setting IIS to use Kerberos Authentication
Another trip to the command line on the Reporting Services server. Navigate to c:\Inetpub\AdminScripts and run the following command:cscript adsutil.vbs get w3svc\NTAuthenticationProviders
If this returns "NTLM" or is not set, execute the following command:cscript adsutil.vbs set w3svc\NTAuthenticationProviders "Negotiate"
Then run IISRESET.
- Setting Reporting Services to Use Kerberos
Finally, make sure Reporting Services itself is configured to allow Kerberos. Open the rsreportserver.config file and serach for the AuthernticationTypes node. It should have an entry of<RSWindowsNegotiate/ >
or<RSWindowsKerberos/ >
Save the file and run IISRESET.
Hopefully this checklist will help, integrating SharePoint and Reporting Services can be a frustrating task!
WIDGETIZE