Configuring Kerberos Authentication for SharePoint Integrated Reporing
After successfully implemented SCOM Reporting Server (with some help of course!) I get my hands dirty with SharePoint Reporting Server. I was trying to setup a Reporting Server in SharePoint Integrated Mode in our testing SharePoint Environment. In our testing environment, I already have a SharePoint Server(hosting the Central Administration Site), a FrontEnd and a SQL DB server setup.
SETSPN part has already been done to ready our SharePoint environment for Kerberos authentication.
In order to do this SETSPN.EXE needs to be installed on a server and run by an Active Directory Administrator for all App Pool accounts and SSP sites using those App Pools. SETSPN.EXE is available in the Windows Server 2003 Support Tools that are included on the Windows Server 2003 CD. To install the tools, double-click the Suptools.msi file in the Support/Tools folder.
You will need domain admin right to do this: The sites need to have two Server Principal Names associated, one using the FQDN (collaboration.contoso.com) of the server name one using just the server’s netbios name (the FQDN without the .contoso.com e.g. collaboration).
Here is some good reading regarding this topic Configuring Kerberos for SharePoint 2007
But that is not my focus here. After I followed Microsoft SQL Server Reporting Services - Installation and Configuration Guide for SharePoint Integration Mode The reporting server is almost up except that every time I go to the “Set Server Defaults” page through SharePoint Central Administration, I got the below error:
“An unexpected error occurred while connecting to the report server. Verify that the report server is available and configured for SharePoint integrated mode. --> Server was unable to process request. ---> The request failed with HTTP status 401: Unauthorized. “
I know the report server is available and configured for SharePoint integrated mode. I know this has something to do with the Kerberos/NTLM authentication. I even remembered to do SETSPN for this new reporting server and the related SharePoint account but still NO LUCK!
It turns out that I did the SETSPN part wrong:
SETSPN.exe -a http/%SharePointReportServerFQDN&Port% Domain\%AssociatedAccount%
SETSPN.exe -a http/%SharePointReportServer&Port% Domain\%AssociatedAccount%
Since I set up the Reporting Server to use port 8081 so it was very “logical” to me to only registered for port 8081 which turns out not correct. What we need to do here is to just register the reporting servers’ FQDN name and netbios name with relevant accounts. and we don’t need to put port number there!!!
SETSPN.exe -a http/%SharePointReportServerFQDN% Domain\%AssociatedAccount%
SETSPN.exe -a http/%SharePointReportServer% Domain\%AssociatedAccount%