We came across an issue recently where we are using Microsoft Dynamics AX 2009, and we have the Enterprise Portal Server (EP), Reporting Server and Analysis server had been configured to use Kerberos Authentication as per the whitepaper "Configuring Kerberos Authentication with Role Centers", dated February 2009. If we browse the Role Center pages from the EP server, we get NO errors in the KPI and Reporting web parts. However If we try an browse from a different server/desktop machine then we receive following error messages in the webparts:

KPI-webparts:

An error has occurred while establishing a connection to the analysis server

 

Reporting Services Webpart:

An error occurred while trying to display the report from the <Report Name> folder. This error was caused by the following exception: Cannot read information from SQL Server Reporting Services. Validate that the Report Manager URL is correct.

 

 We also found the following errors logged in the event viewer of the EP Server:

 

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 11:37:58.0000 11/23/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: CONTOSO.COM
Server Name: HTTP/ax-srv-01.contoso.com
Target Name: HTTP/ax-srv-01.contoso.com@contoso.com
Error Text:
File: 9
Line: e2d
Error Data is in record data.

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 11:37:19.0000 11/23/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: CONTOSO.COM
Server Name: MSOLAPSvc.3/SQL-SRV-01
Target Name: MSOLAPSvc.3/SQL-SRV-01@CONTOSO.COM
Error Text:
File: 9
Line: e2d
Error Data is in record data.

 

We have commonly seen that these types error generally manifest when you have duplicate SPNs configure by mistake. We found two HTTP and MSOLAPSvc service principle names (SPN) setup for the same web server and analysis server hostnames. We resolved the issue by using the SETSPN.EXE command line application to detect the duplicate SPN (by running SETSPN.EXE -X), and then deleting the duplicates which were not required using the same utility (Run SETSPN.EXE -? for help). Note: If you are running Windows Server 2003 R2, then download the latest SETSPN.EXE utility from http://support.microsoft.com/default.aspx?scid=kb;EN-US;970536

 

FURTHER INFORMATION:

 

--author: Anup Shah
--editor: Anup Shah
--date: 29/Oct/2010