Kerberos Authentication fails for web applications but not for Central Administration
Hi all,

For two days I have been struggling to set up a SharePoint farm with Kerberos. I did follow exactly the instructions Martin Kearn has posted in his blog:
http://blogs.msdn.com/martinkearn/archive/2007/04/23/configuring-kerberos-for-sharepoint-2007-part-1-base-configuration-for-sharepoint.aspx
And the instructions did work for me in my test environment.

The environment:
Domain Controller: Windows Server 2003
SharePoint Server (running all necessary services for a SP farm): Windows Server 2008 Enterprise with MOSS2k7 Enterprise incl. updates
SQL Server: Windows Server 2008 Datacenter with SQL Server 2k5 SP2

The exact problem is that I receive in the Security Log on the MOSS server an Audit Failure, and the Windows authentication dialog always comes up (3 times till HTTP Error 401). The security log entry is:

An account failed to log on.

Subject:
 Security ID: NULL SID
 Account Name: -
 Account Domain: -
 Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
 Security ID: NULL SID
 Account Name:
 Account Domain:

Failure Information:
 Failure Reason: Unknown user name or bad password.
 Status: 0xc000006d
 Sub Status: 0xc000006a

Process Information:
 Caller Process ID: 0x0
 Caller Process Name: -

Network Information:
 Workstation Name: -
 Source Network Address: 10.10.0.117
 Source Port: 59867

Detailed Authentication Information:
 Logon Process: Kerberos
 Authentication Package: Kerberos
 Transited Services: -
 Package Name (NTLM only): -
 Key Length: 0

This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

The curiosity is that the Kerberos authentication to the Central Administration is working and the user name or password is resolved right. All the SPNs for my application pools are set, and the trust for delegation option also. When I want to log on to my web application I see with Kerbtray (Microsoft's Kerberos Ticket Tool) the Kerberos ticket, e.g. HTTP/sspadmin.mydomain.net. The authentication to the database is using Kerberos.

Does anyone have a clue what the problem could be? Searching the internet for the audit failure is still unsuccessful. I appreciate any help!

Regards
Ralf
September 5th, 2008 12:25pm

All my web applications use host headers. So normally I also set the DNS entries for a Host (A). Is a Reverse-Lookup entry also needed?

Regards
Ralf
September 5th, 2008 3:10pm

Hello Ralf,

Do you have duplicate entries in your forward AND reverse lookup zone? Kerberos uses these lookups to check the ticket you provide, so it is needed (remember to do an AD replication and IPCONFIG /FLUSHDNS on your servers after adding/removing DNS entries on your DNS server). Do you see any errors on your DC (KDC) or SQL Server?

(You can find a configuration table regarding accounts, SPNs and delegations needed on http://www.windowsecurity.com/articles/Kerberos-Sharepoint-Environment.html)

Jesper M. Christensen - Blog: http://jespermchristensen.spaces.live.com
September 5th, 2008 3:59pm

Hi Jesper,

Today I received my Windows alert mail for this post... I think Microsoft wanted to keep it for one week before notifying me ;-)

Thx for your tips! Will get through your instructions next week and will hopefully find a solution. Let you know about the result.

Regards
Ralf
September 12th, 2008 3:09pm

There is a change in the way IIS7 does authentication... I ran into this issue some time ago and this fixed it:
http://www.harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx

Also, a reverse record was not needed.
March 20th, 2009 5:47pm

Make sure the SPN is set for the machine account if using kernel mode auth.
March 18th, 2010 8:06am

"Make sure the SPN is set for the machine account if using kernel mode auth."

Are you sure that's required? I didn't add it, and my Kerberos works in IIS 7 with kernel mode still active.

SharePoint Architect || My Blog
March 18th, 2010 8:15am

I believe it can be set for either the user account or the machine account, but if the user account is used, the flag in IIS needs to be set for it to work. I believe the premise is that because the auth is moved to kernel mode, the machine handles the auth rather than the user-mode process, which improves performance. The easiest setup would be to add it to the machine, as no changes need to be made in IIS.
March 18th, 2010 8:20am

That's not proper from what I've read - easiest does not mean best. The app.config should be set to useAppPoolCredentials=true, and then the SPN should be set for the app pool identity. I don't know how the machine account comes into play unless I'm misunderstanding your premise (very possible). Have you seen an article that says to do this instead of what Spence said to do in the article you linked? He is a premier MCM with a specific expertise in Kerberos as far as I've seen. Let me know if you've found something that I've missed.

SharePoint Architect || My Blog
March 18th, 2010 8:34am

My apologies, I missed that your domain is Server 2003... The info I provided only applies to member servers 2008 and above. For Server 2003 domains and above you would set the SPN on the user account if using a domain account and a host header other than the machine name, or use the native host account of the machine using a built-in account.
March 18th, 2010 2:06pm
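A check script for the two points argued over in the last replies (where the HTTP/host-header SPN lives, and whether IIS 7 kernel-mode auth is paired with useAppPoolCredentials when the app pool runs as a domain account), added here as an example and not posted by anyone in the thread. The host header is the one from the first post; the app pool account, site name and the availability of the Windows Server 2008 setspn.exe (for -Q) are assumptions.

```powershell
# Added example, not from the thread. Run on the MOSS (IIS 7) server.
# Host header from the first post; account and site name are assumed placeholders.
param(
    [string]$HostHeader  = 'sspadmin.mydomain.net',
    [string]$AppPoolUser = 'MYDOMAIN\svc_sp_apppool',   # assumed app pool identity
    [string]$SiteName    = 'SharePoint - 80',           # assumed IIS site name
    [string]$ConfigPath  = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# 1) Who holds the SPN? setspn -Q (setspn.exe from Windows Server 2008 or later)
#    prints the DN of every account carrying it. More than one DN is a duplicate
#    SPN, which leaves the KDC unable to pick a single key for the service ticket.
$spn = "HTTP/$HostHeader"
$holders = @(& setspn.exe -Q $spn 2>&1 | Where-Object { "$_" -match '^CN=' })
switch ($holders.Count) {
    0       { Write-Warning "$spn is not registered on any account; clients get no usable ticket for this host header." }
    1       { Write-Host "$spn is registered on: $($holders[0])" }
    default { Write-Warning "$spn is registered on $($holders.Count) accounts (duplicate SPN):"; $holders | ForEach-Object { "  $_" } }
}

# 2) Does the key that encrypted the ticket match the key IIS decrypts with?
#    With useKernelMode=true (the IIS 7 default) http.sys decrypts using the
#    machine account unless useAppPoolCredentials=true points it at the app pool identity.
[xml]$cfg = Get-Content -LiteralPath $ConfigPath
$xpath = "/configuration/location[@path='$SiteName']/system.webServer/security/authentication/windowsAuthentication"
$winAuth = $cfg.SelectSingleNode($xpath)
$useKernelMode = 'true'; $useAppPoolCreds = 'false'     # IIS 7 defaults when the attributes are absent
if ($winAuth) {
    if ($winAuth.HasAttribute('useKernelMode'))         { $useKernelMode   = $winAuth.GetAttribute('useKernelMode') }
    if ($winAuth.HasAttribute('useAppPoolCredentials')) { $useAppPoolCreds = $winAuth.GetAttribute('useAppPoolCredentials') }
}
$isDomainAccount = $AppPoolUser -notmatch '^(NT AUTHORITY|IIS APPPOOL|NT SERVICE)\\'
$decryptsWith = if ($useKernelMode -eq 'true' -and $useAppPoolCreds -ne 'true') {
    "$env:COMPUTERNAME`$ (machine account)"
} else {
    $AppPoolUser
}
Write-Host "Site '$SiteName': useKernelMode=$useKernelMode useAppPoolCredentials=$useAppPoolCreds; tickets decrypted with $decryptsWith"

# A domain app pool account plus machine-account decryption only works if the SPN
# sits on the machine account (check the holder printed in step 1). Otherwise the
# ticket cannot be decrypted, which is consistent with the 401 loop and the
# Kerberos audit failure (Status 0xc000006d / Sub Status 0xc000006a) in the first post.
if ($isDomainAccount -and $decryptsWith -ne $AppPoolUser) {
    Write-Warning "App pool runs as $AppPoolUser but the site decrypts with the machine account. Either set useAppPoolCredentials=true and keep $spn on $AppPoolUser, or register $spn on the machine account."
}
```

The documented appcmd form of the corrective setting from the reply above is `appcmd set config "SharePoint - 80" /section:windowsAuthentication /useAppPoolCredentials:true` (site name assumed).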

