Setting up Kerberos, with all those pesky SPNs

If you want to set up Kerberos authentication in a Microsoft BI environment (and you will want to if you’ve got multiple servers) then you need to get your SPNs in order. These register service/server/user combinations in Active Directory to allow them to delegate (i.e. pass through) credentials to back-end servers. I’ve just gone through setting this up for the following

Svr1 – SQL 2008 Database
Svr2 – SQL 2008 Reporting Services
Svr3 – MOSS 2007

All running on Windows Server 2003 (if using 2008 the set-up for IIS is a little different)

The SPN commands I used are as follows:

setspn –a MSSQLSvc/Svr1:1433 domain\sqlUser
setspn –a MSSQLSvc/Svr1.domain.net:1433 domain\sqlUser

setspn –a HTTP/Svr2 domain\serviceUser
setspn –a HTTP/Svr2.domain.net domain\serviceUser

setspn –a HTTP/Svr3 domain\serviceUser
setspn –a HTTP/Svr3.domain.net domain\serviceUser

You then need to make sure the user and machine accounts are Trusted For Delegation (in Active Directory).

You’ve also got to remember to change the rsreportserver.config file to have the following section:

<Authentication>
  <RSWindowsKerberos/>
  <RSWindowsNegotiate/>
</Authentication>

SharePoint has the same settings – but that can be set when you go through the configuration steps rather than modifying the .config files. At least, that’s what’s worked for me. Hopefully it’ll be a bit easier next time!