Sunday, May 2, 2010

Recipe: Using Kerberos with MOSS 2007 and Windows 2003

1. SPN for SQL
Install ADSIEdit on the DC from the W2003 Support Tools.
Change the SPN of the SQL Service Account to:
MSSQLSvc/sql1.litware.com:1433
MSDN also says to add not just the FQDN but the NetBIOS name as well:
MSSQLSvc/sql1:1433
Don't understand why this is necessary.
If SQL is on the same machine as MOSS, Kerberos will not be used. Ditto if named pipes are used. See blog.
You can also check your work with SetSPN -L SQLService
From the W2003 Resource Kit you can use Klist and Kerbtray.
To list or purge the tickets use Klist tickets or Klist purge.

2. SPN for Central Admin
Add SPNs to the Central Admin App Pool Identity.
HTTP/moss01:12345
HTTP/moss01.litware:12345
Change Central Admin to Negotiate.
Use this link to get to stsadm
stsadm -o authentication -url http://moss01:12345 -type windows -usewindowsintegrated
Browse to the site.

If you get the following error:
Logon Failure:
Reason: Unknown user name or bad password
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Caller User Name: -
Caller Domain: -

This is because the browser does not send the port number with the SPN.
For 32-bit I used the following registry change for IE6. Details are here, but the hotfix DLLs were an older version than my DLLs. Still needed the registry change.

If you need to check whether the IIS virtual directory has Kerberos enabled you can run
adsutil.vbs get w3svc/1998432558/root/NTAuthenticationProviders
or set it with
adsutil.vbs set w3svc/1998432558/root/NTAuthenticationProviders "Negotiate,NTLM"
(get the virtual directory ID from the log file directory name)

3. SPN for main SharePoint site
Add SPNs to the App Pool Identity.
HTTP/moss01
HTTP/moss01.litware.com
Change the SharePoint app to Negotiate.
Use this link to get to stsadm
stsadm -o authentication -url http://moss01 -type windows -usewindowsintegrated
Browse to the site.
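As an added example (not part of the original post, and not a Microsoft tool), here is a small SPN audit that ties steps 1, 2 and 3 together. It parses `setspn -L` listings for the three service accounts, checks that each account carries the SPNs the recipe registers (NetBIOS and FQDN forms, with the port where the recipe uses one), flags any SPN registered on more than one account, and shows which account actually owns the port-less `HTTP/moss01` name that the browser requests when it leaves the port out. The `setspn -L` text, the account names (SQLService, CentralAdminPool, PortalPool) and the OU are constructed sample data, not taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample `setspn -L` listings for the three accounts in the recipe.
# Account and OU names are assumptions for the example, not from the post.
SETSPN_OUTPUT = {
    "SQLService": (
        "Registered ServicePrincipalNames for CN=SQLService,OU=Svc,DC=litware,DC=com:\n"
        "    MSSQLSvc/sql1.litware.com:1433\n"
        "    MSSQLSvc/sql1:1433\n"
    ),
    "CentralAdminPool": (
        "Registered ServicePrincipalNames for CN=CentralAdminPool,OU=Svc,DC=litware,DC=com:\n"
        "    HTTP/moss01:12345\n"
        "    HTTP/moss01.litware.com:12345\n"
    ),
    "PortalPool": (
        "Registered ServicePrincipalNames for CN=PortalPool,OU=Svc,DC=litware,DC=com:\n"
        "    HTTP/moss01\n"
        "    HTTP/moss01.litware.com\n"
    ),
}

# Constructed mistake: "fixing" the port problem by also registering the
# port-less name on the Central Admin account, which duplicates PortalPool's SPN.
BROKEN_OUTPUT = dict(SETSPN_OUTPUT)
BROKEN_OUTPUT["CentralAdminPool"] = SETSPN_OUTPUT["CentralAdminPool"] + "    HTTP/moss01\n"

# An SPN line in a setspn -L listing is indented and has the form service/host[:port]
SPN_LINE = re.compile(r"^\s+(\S+/\S+)\s*$")


def parse_setspn(text):
    """Return the set of SPNs in one `setspn -L` listing (the indented lines only)."""
    spns = set()
    for line in text.splitlines():
        m = SPN_LINE.match(line)
        if m:
            spns.add(m.group(1))
    return spns


def expected_spns(service, host, domain, port=None):
    """SPNs the recipe registers: NetBIOS name and FQDN, each with :port if given."""
    suffix = f":{port}" if port else ""
    return {f"{service}/{host}{suffix}", f"{service}/{host}.{domain}{suffix}"}


# What each account must carry, derived from the recipe's host names and ports.
EXPECTED = {
    "SQLService": expected_spns("MSSQLSvc", "sql1", "litware.com", 1433),
    "CentralAdminPool": expected_spns("HTTP", "moss01", "litware.com", 12345),
    "PortalPool": expected_spns("HTTP", "moss01", "litware.com"),
}


def audit(listings, expectations):
    """
    Compare registered SPNs against expectations.
    Returns (missing, duplicates):
      missing    -> {account: sorted list of expected SPNs not registered}
      duplicates -> {spn: sorted list of accounts that all claim it}
    A duplicate SPN is a misconfiguration: the KDC cannot pick one key to
    encrypt the service ticket with, so Kerberos fails for that service.
    """
    registered = {acct: parse_setspn(text) for acct, text in listings.items()}
    missing = {}
    for acct, wanted in expectations.items():
        gap = wanted - registered.get(acct, set())
        if gap:
            missing[acct] = sorted(gap)
    owners = defaultdict(list)
    for acct, spns in registered.items():
        for spn in spns:
            owners[spn].append(acct)
    duplicates = {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}
    return missing, duplicates


def spn_requested_by_browser(listings, host):
    """
    The logon failure in the post comes from IE leaving the port out of the
    SPN it asks the KDC for: a request to http://host:port is resolved as
    HTTP/host. Return (spn_requested, accounts owning it) so the mismatch with
    the port-qualified SPN on the Central Admin account is visible.
    """
    requested = f"HTTP/{host}"
    owners = sorted(acct for acct, text in listings.items()
                    if requested in parse_setspn(text))
    return requested, owners


if __name__ == "__main__":
    print("clean config:", audit(SETSPN_OUTPUT, EXPECTED))
    print("broken config:", audit(BROKEN_OUTPUT, EXPECTED))
    print("browser asks for:", spn_requested_by_browser(SETSPN_OUTPUT, "moss01"))
```

Run against real output, replace the constructed strings with the text of `setspn -L <account>` for each service account. A ticket for `HTTP/moss01` is encrypted with PortalPool's key, so a Central Admin request that omits the port hands the CA app pool a ticket it cannot decrypt, which is the failure the post describes; the audit makes that ownership explicit instead of leaving it to guesswork.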