Symptom: When you access the Web client from a remote system as a Windows domain user, the client may experience an authentication or access denied error. An absent service principal name or an inaccurate registration of the service principal name (SPN) in the Active Directory domain may cause the error. The error is written to the System Event log as a Kerberos Error ID 4. The IIS generates the error.
Service principal names are associated with the user or group in whose security context the service executes. Service principal names support mutual authentication between a service and a client application. A service principal name is associated with an account. An account may have many service principal names. The SPN is the name the client application uses to identify the service.
The computer name should include all of the names by which the computer where the service is running can be referenced. The information includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases assigned to the computer. A separate SPN must be set for each name by which the computer can be referenced.
To reset an SPN
setspn -A http/<FQDN of the computer that has the Web client and RAM Web Server installed.> < The account you use for ASP. The account must be a domain account domain\account. You cannot use local accounts.>