Hi, On one of our Dev Instances we have enabled kerberos by setting up SPN's,changing the authentication type,delegation etc. We have on java app which simple calls the reporting services by url of the report and uses a domain account to connect to reporting services. Some how after the kerberos change the java app is not able to connect and we get a 401 error. I checked the logs and it seems that the java app is not even able to make a request to the report server computer as I cant see any log of access denied. Below is the authentication tag of report server config file : <AuthenticationTypes> <RSWindowsNegotiate/> </AuthenticationTypes> and web.config : <authentication mode="Windows" /> <identity impersonate="true" /> Can someone suggest how to proceed?

Hi Vikram, 401 error means the credential is unauthorized. It is generally caused by the credential is invalid. In a Kerberos environment, it can be caused by kerberos error. To troubleshoot the issue, could you please enable the Kerberos Logging in the server that hosts the Java application? The Kerberos errors can be found from the System Logs(Event Viewer). Once we get Kerberos error, we can go to Windows Server forum to ask for a help: http://social.technet.microsoft.com/Forums/en-US/category/windowsserver Anyway, just based on my experience, please check: Can we connect to the Report Server via URL in the Internet Explorer from the Java server. All SPNs are registered correctly. There is not duplicate SPNs. The time for the client is same to the domain control. For more information, please see: How to enable Kerberos event logging: http://support.microsoft.com/kb/262177 Troubleshooting Kerberos: http://technet.microsoft.com/en-us/library/cc728430(WS.10).aspx If you have any more questions, please feel free to ask. Thanks, Jin ChenJin Chen - MSFT

Hi Jin, Just to make it clear kerberos is only enabled at the report server level and not at the Java server level. In the dev environment as of now the developer has the tomcat server hosted on his local machine. Both Java and Report Server are on different machines. By opening IE on his local machine he is able to run the reports but issue occurs only when connecting from Java app. Kerberos is working fine on the report server level as I have tried to connect to a sharepoint list report and it is able to pass my credentials also I have run a report which connects to a remote sql db which has all its SPN configured correctly. I had looked at this post : http://social.msdn.microsoft.com/forums/en-US/sqlreportingservices/thread/1cad12af-9d94-4c15-9e93-4ef9be4c14a2/ and I am not sure about this : "Another option is to make all request to RS as a specific user, impersonate this user before you make any call to RS" within the post. Would you know what impersonation here means as I think we might be missing that bit? Time is the same for client and domain control. Regards, Vikram

Hi Vikram, Sorry for the later. I just back from a vacation. I am not familiar with Java. However, based on your description "we can open the report server from the Java server", it seems the issue is caused by the Java application cannot deligate the user to the Report Server. In other words, Kerberos is not supported in Java. "Another option is to make all request to RS as a specific user, impersonate this user before you make any call to RS". In ASP.NET, we can impersonate a user to run the application. After that, all calls from the application will use the impersonated user's credential. For impersonate in ASP.NET, please see: http://support.microsoft.com/kb/306158 For Java, I would suggest you having a look at: http://www.bing.com/search?q=Java+impersonation&form=QBRE&filt=all Thanks, Jin ChenJin Chen - MSFT