Service principal names, Kerberos, IIS 7.0 and error 401: The requested resource requires user authentication
by mysticslayer on Aug.07, 2010, under Internet Information Services, SharePoint 2010, Software, Windows Server 2008
For the last couple of days I was working at a customer where Kerberos was needed for SharePoint 2010. Of course I started by setting the different Service Principal Names for my App Pool accounts, farm accounts, machines, etc. That was not too hard to do, but every time I ran into a 401 error: The requested resource requires user authentication.
Strange, I thought, but I sent the Domain Administrator more commands anyway, and it didn’t help. So I checked everything, checked for duplicates, etc. Still I ran into these errors.
After some searching I found out that there are some problems with IIS 7.0 regarding Kerberos, and that I needed to configure the applicationHost.config to solve these issues with Kerberos. I enabled the kernel activation mode, etc. But it didn’t make any difference. I rebooted several times, removed the Kernel Activation Mode and reverted the changes to the applicationHost.config.
I knew that we had made CNAME records, and that gave me a wonderful idea: change the CNAME records to A records. These changes were applied, and wow, in less time than expected I opened IE and opened the different web apps. In less than a second the page from my web app was displayed. If you run into these problems, change your CNAME record to an A record and it will fix all your problems with SPNs, Kerberos and IIS 7.0.
December 31st, 2010 on 19:08
Can you please provide instructions for how you changed the C-Records to A-Records?
January 1st, 2011 on 11:20
Hi Rudy,
Normally, the DNS Administrator or AD Administrator has the possibility to update DNS records. If you are working for a company you should ask the Administrator to do it. And then you’re finished.
Regards