Kerberos Authentication Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0)
We came across an issue recently where we are using Microsoft Dynamics AX 2009, and we have the Enterprise Portal Server (EP), Reporting Server and Analysis server had been configured to use Kerberos Authentication as per the whitepaper “Configuring Kerberos Authentication with Role Centers”, dated February 2009. If we browse the Role Center pages from the EP server, we get NO errors in the KPI and Reporting web parts. However If we try an browse from a different server/desktop machine then we receive following error messages in the webparts:
KPI-webparts:
Reporting Services Webpart:
We also found the following errors logged in the event viewer of the EP Server:
on logon session
Client Time:
Server Time: 11:37:58.0000 11/23/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: CONTOSO.COM
Server Name: HTTP/ax-srv-01.contoso.com
Target Name: HTTP/ax-srv-01.contoso.com@contoso.com
Error Text:
File: 9
Line: e2d
Error Data is in record data.
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 11:37:19.0000 11/23/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: CONTOSO.COM
Server Name: MSOLAPSvc.3/SQL-SRV-01
Target Name: MSOLAPSvc.3/SQL-SRV-01@CONTOSO.COM
Error Text:
File: 9
Line: e2d
Error Data is in record data.
We have commonly seen that these types error generally manifest when you have duplicate SPNs configure by mistake. We found two HTTP and MSOLAPSvc service principle names (SPN) setup for the same web server and analysis server hostnames. We resolved the issue by using the SETSPN.EXE command line application to detect the duplicate SPN (by running SETSPN.EXE -X), and then deleting the duplicates which were not required using the same utility (Run SETSPN.EXE -? for help). Note: If you are running Windows Server 2003 R2, then download the latest SETSPN.EXE utility from http://support.microsoft.com/default.aspx?scid=kb;EN-US;970536
FURTHER INFORMATION:
- See the sections titled Concepts and Additional considerations in the Knowledge Base Article How to use SPNs when you configure Web applications that are hosted on Internet Information Services
- For more up to date information on configuring Kerberos Authentication with Role Ceneters, please consult the new updated whitepaper dated February 2010 (or later).
–author: | Anup Shah |
–editor: | Anup Shah |
–date: | 29/Oct/2010 |
We're always looking for feedback and would like to hear from you. Please head to the Dynamics 365 Community to start a discussion, ask questions, and tell us what you think!