We recently came across an issue in a Microsoft Dynamics AX 2009 environment where the Enterprise Portal (EP) server, Reporting server and Analysis server had been configured to use Kerberos authentication as per the whitepaper "Configuring Kerberos Authentication with Role Centers", dated February 2009. If we browse the Role Center pages from the EP server, we get no errors in the KPI and Reporting web parts. However, if we try to browse from a different server or desktop machine, we receive the following error messages in the web parts:
Reporting Services Webpart:
We also found the following errors logged in the event viewer of the EP Server:
    A Kerberos Error Message was received:
    on logon session
    Client Time:
    Server Time: 11:37:19.0000 11/23/2009 Z
    Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
    Extended Error: 0xc0000035 KLIN(0)
    Client Realm:
    Client Name:
    Server Realm: CONTOSO.COM
    Server Name: MSOLAPSvc.3/SQL-SRV-01
    Target Name: MSOLAPSvc.3/SQL-SRV-01@CONTOSO.COM
    Error Text:
    File: 9
    Line: e2d
    Error Data is in record data.
We have commonly seen that these types of errors generally manifest when duplicate SPNs have been configured by mistake. We found two HTTP and MSOLAPSvc service principal names (SPNs) set up for the same web server and Analysis server hostnames. We resolved the issue by using the SETSPN.EXE command-line utility to detect the duplicate SPNs (by running SETSPN.EXE -X), and then deleting the duplicates that were not required using the same utility (run SETSPN.EXE -? for help). Note: If you are running Windows Server 2003 R2, download the latest SETSPN.EXE utility from http://support.microsoft.com/default.aspx?scid=kb;EN-US;970536
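
The duplicate check described above can also be run over saved `setspn -L <account>` listings. The following is an added example, not part of the original post: the account names and the sample listing are constructed, and only the SPN MSOLAPSvc.3/SQL-SRV-01 comes from the event log above.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated `setspn -L <account>` output for three
# hypothetical accounts. Only MSOLAPSvc.3/SQL-SRV-01 appears on the page.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-olap,CN=Users,DC=contoso,DC=com:
        MSOLAPSvc.3/SQL-SRV-01
        MSOLAPSvc.3/SQL-SRV-01.contoso.com
Registered ServicePrincipalNames for CN=SQL-SRV-01,CN=Computers,DC=contoso,DC=com:
        msolapsvc.3/sql-srv-01
        HOST/SQL-SRV-01
Registered ServicePrincipalNames for CN=svc-ep,CN=Users,DC=contoso,DC=com:
        HTTP/EP-SRV-01
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")


def parse_setspn_listing(text):
    """Return {account DN: [SPN, ...]} from `setspn -L` style output."""
    accounts, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            accounts.setdefault(current, [])
        elif current and line.strip():
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted account DNs} for SPNs on more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            # SPN matching is case-insensitive, so compare in lower case.
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_setspn_listing(SAMPLE)).items():
        print("DUPLICATE", spn)
        for dn in dns:
            print("    " + dn)
```

The short-name and FQDN forms of an SPN are different strings, so only an identical SPN registered on two accounts is reported.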