Kerberos Authentication Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN Extended Error: 0xc0000035 KLIN(0)

We came across an issue recently where we are using Microsoft Dynamics AX 2009, and we have the Enterprise Portal Server (EP), Reporting Server and Analysis server had been configured to use Kerberos Authentication as per the whitepaper “Configuring Kerberos Authentication with Role Centers”, dated February 2009. If we browse the Role Center pages from the EP server, we get NO errors in the KPI and Reporting web parts. However If we try an browse from a different server/desktop machine then we receive following error messages in the webparts:

KPI-webparts:

Reporting Services Webpart:

 We also found the following errors logged in the event viewer of the EP Server:

We have commonly seen that these types error generally manifest when you have duplicate SPNs configure by mistake. We found two HTTP and MSOLAPSvc service principle names (SPN) setup for the same web server and analysis server hostnames. We resolved the issue by using the SETSPN.EXE command line application to detect the duplicate SPN (by running SETSPN.EXE -X), and then deleting the duplicates which were not required using the same utility (Run SETSPN.EXE -? for help). Note: If you are running Windows Server 2003 R2, then download the latest SETSPN.EXE utility from http://support.microsoft.com/default.aspx?scid=kb;EN-US;970536

FURTHER INFORMATION:

• See the sections titled Concepts and Additional considerations in the Knowledge Base Article How to use SPNs when you configure Web applications that are hosted on Internet Information Services
  
• For more up to date information on configuring Kerberos Authentication with Role Ceneters, please consult the new updated whitepaper dated February 2010 (or later).