When you access the Web client from a remote system as a Windows domain user, the client may experience an authentication or access denied error. An absent service principal name or an inaccurate registration of the service principal name (SPN) in the Active Directory domain may cause the error. The error is written to the System Event log as a Kerberos Error ID 4. The IIS generates

Service principal names are associated with the user or group in whose security
context the service executes. Service principal names support mutual
authentication between a service and a client application. A service principal
name is associated with an account. An account may have many service principal
names. The SPN is the name the client application uses to identify the service.
If the SPN is not set for a service, the client applications cannot locate the service.
Common error messages caused by a missing SPN are the following:
- KDC_ERR_C_PRINCIPAL_UNKNOWN or KDC_ERR_S_PRINCIPAL_UNKNOWN
Other errors may also be caused by a missing or an incorrectly set SPN. Kerberos authentication relies on properly set SPNs.
Create a unique SPN.
Setting an SPN requires the following information:
- The SPN service class assigned to the service
- The account under which the service is running
- The host computer name to which the SPN belongs
  The computer name should include all of the names by which the computer on which the service is running can be referenced. The information includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases assigned to the computer. A separate SPN must be set for each name by which the computer can be referenced.
- The port that the service is running on
  Include the port information even if the information is the default port for
To set the SPN for a service, download the Microsoft Windows Server 2003 support
tools from the Microsoft download site.
To reset an SPN
1 To ensure that there are no duplicate entries in WINS and DNS for the computer, type the following at a prompt:
2 Type the following at a prompt:
  setspn -A http/<FQDN of the computer that has the Web client and RA_webcore installed> <the account you use for ASP>
  The account must be a domain account. You cannot use a local account unless you use domain\user.
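As an added example (not part of this documentation or of the product), the following Python script builds the full list of SPNs the information above calls for (one per NetBIOS name, FQDN and alias, with and without the port; registering both forms is an assumption, not a rule stated here), compares it against captured `setspn -L` output to report which are missing, and flags any SPN registered on more than one account, which breaks the "unique SPN" requirement. The account names, host names and `setspn -L` listings are constructed samples.

```python
# Constructed sample output of `setspn -L <account>` for two accounts (not real data).
SAMPLE_LISTINGS = {
    "EXAMPLE\\svc_asp": """Registered ServicePrincipalNames for CN=svc_asp,OU=Service Accounts,DC=example,DC=com:
        HTTP/webhost.example.com
        HTTP/webhost
""",
    "EXAMPLE\\WEBHOST$": """Registered ServicePrincipalNames for CN=WEBHOST,CN=Computers,DC=example,DC=com:
        HOST/WEBHOST
        HOST/webhost.example.com
        http/webhost.example.com
""",
}

def required_spns(service_class, names, port=None):
    """One SPN per name the host can be referenced by; with a port, the port form too."""
    spns = []
    for name in names:
        spns.append(f"{service_class}/{name}")
        if port is not None:
            spns.append(f"{service_class}/{name}:{port}")
    return spns

def parse_setspn_l(output):
    """SPNs in `setspn -L` output are the indented lines after the header line."""
    return [line.strip() for line in output.splitlines()
            if line.startswith((" ", "\t")) and "/" in line]

def missing_spns(service_class, names, port, listing):
    """Required SPNs not present in the listing (SPN comparison is case-insensitive)."""
    registered = {s.lower() for s in parse_setspn_l(listing)}
    return [s for s in required_spns(service_class, names, port) if s.lower() not in registered]

def duplicate_spns(listings):
    """SPNs registered on more than one account; the KDC cannot pick a single key for these."""
    owners = {}
    for account, output in listings.items():
        for spn in parse_setspn_l(output):
            owners.setdefault(spn.lower(), []).append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}

def setspn_commands(missing, account):
    """The setspn -A lines an administrator would run to add the missing SPNs."""
    return [f"setspn -A {spn} {account}" for spn in missing]

if __name__ == "__main__":
    names = ["webhost", "webhost.example.com", "web.example.com"]  # NetBIOS, FQDN, alias
    missing = missing_spns("http", names, 80, SAMPLE_LISTINGS["EXAMPLE\\svc_asp"])
    for cmd in setspn_commands(missing, "EXAMPLE\\svc_asp"):
        print(cmd)
    for spn, accts in duplicate_spns(SAMPLE_LISTINGS).items():
        print(f"duplicate SPN {spn} registered on: {', '.join(accts)}")
```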