Kerberos, SPN for SQL Server: Which service account?
Hi,

We have SSRS running as domain account "mydomain\ssrs_svc" and SQL2008 running as domain account "mydomain\sql_svc". SQL2008 is running as the default instance on "sqlbox".

To set up SPNs for Kerberos, what should be the command for the SPN for SQL2008? Is it

setspn -a MSSQLSvc/sqlbox:1433 mydomain\ssrs_svc

or

setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc

The link below says that the first option above is correct. It says "it does not matter which account SQL Server is running under".
http://callumhibbert.blogspot.com/2009/02/kerberos-delegation-and-sql-reporting.html

On the other hand, MS documentation is sort of vague about this and implies that the second option above is correct.
http://download.microsoft.com/download/B/E/1/BE1AABB3-6ED8-4C3C-AF91-448AB733B1AF/SSRSKerberos.docx

None of the options work for me at the moment.

setspn -a MSSQLSvc/sqlbox:1433 mydomain\ssrs_svc
produces "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sql_svc.....This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. "

setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc
produces "KDC_ERR_BADOPTION"
November 22nd, 2010 2:43am

Hi James,

In order to configure Kerberos authentication for SQL Server Reporting Services (SSRS), we need to register SPNs for both SQL Server Reporting Services (SSRS) and SQL Server. We need to register at least the following two SPNs in this case:

setspn -a HTTP/<SSRSbox>:<port for the SSRS> mydomain\ssrs_svc
setspn -a MSSQLSvc/sqlbox:1433 mydomain\sql_svc

Additionally, please add the following two SPNs with the FQDN too:

setspn -a HTTP/<SSRSbox>.<domain>.<com>:<port for the SSRS> mydomain\ssrs_svc
setspn -a MSSQLSvc/sqlbox.<domain>.<com>:1433 mydomain\sql_svc

So, there are two steps to do:

Register SPN for SSRS: http://msdn.microsoft.com/en-us/library/cc281382.aspx
Register SPN for SQL Server: http://msdn.microsoft.com/en-us/library/ms191153.aspx

If you have any more questions, please feel free to ask.

Thanks,
Jin Chen
Jin Chen - MSFT
November 23rd, 2010 3:28am
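
The KRB_AP_ERR_MODIFIED text quoted in the question requires the SPN to be registered on, and only on, the account the service runs as. The PowerShell below is an added example, not part of any post in this thread, that checks that condition for the two MSSQLSvc SPNs; the FQDN is a placeholder, and WinRM access to sqlbox is assumed.

```powershell
# Added example (not from the thread). Host, port and default instance are the
# thread's; the FQDN is a placeholder. Run from a domain-joined machine that
# can reach the SQL host over WinRM.
$SqlHost     = 'sqlbox'
$SqlFqdn     = 'sqlbox.mydomain.example'   # placeholder, replace with the real FQDN
$ServiceName = 'MSSQLSERVER'               # Windows service name of a default instance
$Spns        = "MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/${SqlFqdn}:1433"

# Account the SQL Server service actually runs as, e.g. mydomain\sql_svc
$svc = Get-CimInstance Win32_Service -ComputerName $SqlHost -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found on $SqlHost" }

# LocalSystem, NetworkService and virtual accounts authenticate on the network
# as the computer account, so the SPN belongs on sqlbox$ in that case.
if ($svc.StartName -match '^(LocalSystem|NT AUTHORITY\\NetworkService|NT SERVICE\\)') {
    $expected = "$SqlHost`$"
} elseif ($svc.StartName -like '*\*') {
    $expected = ($svc.StartName -split '\\')[-1]    # DOMAIN\user form
} else {
    $expected = ($svc.StartName -split '@')[0]      # user@domain form
}

$report = foreach ($spn in $Spns) {
    # Every object in the current domain that carries this SPN
    # (other domains in the forest are not searched here).
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    $status = if ($owners.Count -eq 0) {
        'MISSING'           # not registered anywhere
    } elseif ($owners.Count -gt 1) {
        'DUPLICATE'         # registered on more than one account
    } elseif ($owners[0] -ne $expected) {
        'WRONG ACCOUNT'     # registered on an account the service does not use
    } else {
        'OK'
    }

    [pscustomobject]@{
        Spn          = $spn
        RegisteredOn = $owners -join ', '
        Expected     = $expected
        Status       = $status
    }
}
$report | Format-Table -AutoSize
```

A WRONG ACCOUNT or DUPLICATE row is cleared with setspn -D <spn> <account> against the stray account before the SPN is added to the expected one.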

I have done as you mentioned, both for the SQL Server service account and the SSRS services (SPN and delegation on AD). It keeps asking me for the user name and password. I dug into the server logs: KDC_ERR_PREAUTH_REQUIRED. Can you please help with where we need to look?

Anekm

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 13:27:1.0000 5/16/2011 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm:
Server Name: SqlServerbox.win.org
Target Name:
Error Text:
File: 9
Line: d86
Error Data is in record data.
May 16th, 2011 9:14am

This topic is archived. No further replies will be accepted.