So we set up Kerberos on SharePoint using one of the many guides out there. Everything worked great, but SQL Server was returning KDC_ERR_S_PRINCIPAL_UNKNOWN, which is typical. So we registered an SPN for SQL Server using "Setspn -A MSSQLSvc/sqlboxhostname:1433 domain\sqlserviceaccount" and "Setspn -A MSSQLSvc/sqlboxfqdn:1433 domain\sqlserviceaccount".

Here's where the fun starts. We started receiving "Cannot generate SSPI context" errors from SharePoint and KRB_AP_ERR_MODIFIED errors from Kerberos logging.

So after a lot of searching we found that the error was staring us in the face. We had named the SQL service account the same as the machine name. When they are the same name, Kerberos gets confused about the SPN. So the fix was to rename the SQL service account and redo the SPNs. After rebooting all of the MOSS boxes, everything worked.
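
A check for the two conditions described above, as an added example that is not part of the original post: it looks for a user account named like the SQL machine and reports which directory object holds each MSSQLSvc SPN. It assumes the ActiveDirectory PowerShell module is available; the host, FQDN and account names are the placeholders from the Setspn commands quoted in the post.

```powershell
# Added example. Host, FQDN and account names are placeholders taken from the
# Setspn commands quoted in the post; replace them with real values.
Import-Module ActiveDirectory

$SqlHost    = 'sqlboxhostname'      # SQL Server machine name (placeholder)
$SqlFqdn    = 'sqlboxfqdn'          # SQL Server FQDN (placeholder)
$SvcAccount = 'sqlserviceaccount'   # account the SQL Server service runs as (placeholder)

# Check 1: the condition from the post, a user account named like the machine.
$clash = Get-ADUser -Filter "sAMAccountName -eq '$SqlHost'"
if ($clash) {
    Write-Warning "User account '$($clash.SamAccountName)' has the same name as machine '$SqlHost'."
}

# Check 2: each MSSQLSvc SPN should be held by exactly one object, the service account.
# ${...} is required so PowerShell does not parse "$SqlHost:1433" as a scoped variable.
$results = foreach ($spn in "MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/${SqlFqdn}:1433") {
    # Search users and computers alike for the SPN value.
    $holders = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)

    $status = if ($holders.Count -eq 0) {
        'Missing'          # nothing holds the SPN
    } elseif ($holders.Count -gt 1) {
        'Duplicate'        # more than one object holds the SPN
    } elseif ($holders[0].sAMAccountName -ine $SvcAccount) {
        'WrongAccount'     # held by something other than the SQL service account
    } else {
        'OK'
    }

    [pscustomobject]@{
        SPN     = $spn
        Status  = $status
        Holders = ($holders.sAMAccountName -join ', ')
    }
}

$results | Format-Table -AutoSize
```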
