OK, that's starting to make some sense. I went back and checked what we
did to set the SPN previously, and we set the SPN for HTTP/MOSS on the
service account. Would I set the IP SPN on the service account object or
the computer object?

I also checked the other items: Neither the computer account nor the
service account was trusted for delegation. So, I enabled both the
service account and the computer account for delegation on HTTP/MOSS.
Would I need to add delegation for SPPS or the IP address here too?

Time sync is good.

...Tim

> -----Original Message-----
> From: Troy Meyer [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 2:15 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> 
> It's the other way around.  Kerberos will query for SPNs and then find
> the machine (object) based on the dns lookup of what is in that SPN.
> This is why good functional DNS is a HUGE part of Kerberos
> authentication.  Of course make sure you take care of the obvious
> first: are both service account and machines trusted for delegation.
> Is all time in sync for ticket distribution/expiration, etc.
> 
> A good way to test your setup for kerb auth is using the LDP tool to
> query by SPN and see what it returns.
> 
> Remember contrary to many bloggers, you need ONLY the FQDN, and you can
> only have an SPN registered once per IP (NOT PORT).
> 
> Hope that helps a little, it's kind of like that accounting 201 class,
> once you understand how it all works together it seems like it all
> makes sense.
> 
> -Troy
> 
> 
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 1:13 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> But, from what I understand, Kerberos is going to look up the object
> based on what I type in (SPPS), so I'm not sure how it would find that
> SPN record. And to Troy who suggested that I do it based on IP address,
> I would have the same question.
> 
> I guess I'll just have to try it and see what happens.
> 
> 
> ...Tim
> 
> From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 12:53 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> Ken is the real expert on SPNs (I STILL have that thread saved), but if
> your theory is true, then couldn't you just add the SPN to the computer
> object of the Sharepoint FE server?  Adsiedit, browse to the server
> object.  Edit ServicePrincipalName and add the cname there?  Don't know
> what the longer-term effects might be though.  For example, if you add
> another FE server, what works now might become a problem.
> 
> -Bonnie
> 
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 12:39 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> Maybe I'm beating a dead horse here, but I've got to try :-)
> 
> We've discovered that by disabling Kerberos authentication on the site
> everything works perfectly. So, that implied to me that there is a
> problem with Kerberos authentication on that sharepoint site, which led
> me to a very nice series about Kerberos on your blog. After reading
> thru them, I think I understand the problem, I just don't know how to
> fix it. Hopefully you or someone else here can advise.
> The server's name is MOSS, but we access it with the name SPPS (set up
> as a CNAME in DNS) via host headers. When we set it up, we set up a SPN
> for HTTP and the sharepoint service account on MOSS. My theory is that
> Kerberos is trying to look up a SPN for SPPS instead, which doesn't
> exist, and I can't add one because it isn't an object in AD.
> 
> Any thoughts?
> 
> 
> ...Tim
> 
> From: Tim Evans
> Sent: Wednesday, May 21, 2008 6:04 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> Darn, Ken. I was counting on you to have a quick easy fix for this :-).
> We're working on the Vista upgrade, but we're not quite ready to take
> the plunge yet.
> 
> Thanks anyway.
> ...Tim
> 
> 
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 21, 2008 5:44 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
> 
> I've been in a similar situation (trying to work out how to get WebDAV
> rather than FP view working). Been through that paper, looking at
> network packet captures, and all sorts of things. Pinged MVPs,
> Microsoft people, and couldn't work it all out.
> 
> Upgrade to Vista - the WebDAV redirector was completely rewritten for
> Vista and works now :-)
> 
> Cheers
> Ken
> 
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 22 May 2008 8:02 AM
> To: NT System Admin Issues
> Subject: Sharepoint Explorer View Issues
> 
> We're having some problems with some users' ability to use Explorer
> View in shared documents folders on our MOSS server. The symptom is
> that they get an authentication popup when they change from the All
> Documents view to Explorer view. They cannot authenticate with the pop
> up, no matter what credentials are used. If they cancel the popup, they
> get in, but have reduced functionality (can't drag & drop, copy, etc).
> The users affected by it appear to be completely random: some with IE6,
> some with IE7, nothing in common that I can see (all are XPSP2 or 3).
> 
> Googling for help on this yields a bunch of blog entries that all
> point to a 2006 MS White paper titled "Understanding and
> Troubleshooting the Sharepoint Explorer View". From reading this white
> paper, it sounds like we are getting FPRPC instead of WebDAV. Following
> the troubleshooting steps, we have confirmed that the Web Client
> Service is running, the content is unencrypted over port 80. Manually
> adding the site to the local intranet zone makes no difference (it
> shows unknown zone/mixed by default).
> 
> So, does anyone know how to force IE to use WebDAV on a Sharepoint
> site?
> 
> 
> ...Tim
> 
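
An added example, not part of the original thread: a small Python audit over a constructed directory snapshot that reports, for each name clients use to reach the site, whether its HTTP SPN is missing, registered on exactly one account, or registered on more than one account. The account names `MOSS$` and `svc_sharepoint`, the domain `example.local` and the sample registrations are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed directory snapshot: account name -> registered SPNs.
# MOSS$ (computer account) and svc_sharepoint (service account) are
# hypothetical names; example.local is a placeholder domain.
# The implicit HOST/ alias that covers other service classes on a
# computer account is not modelled here.
DIRECTORY = {
    "MOSS$": ["HOST/MOSS", "HOST/moss.example.local"],
    "svc_sharepoint": ["HTTP/MOSS"],
}

# Names clients use to reach the site (assumed for this example).
NAMES = ["MOSS", "SPPS", "spps.example.local"]

def normalize(spn):
    """SPN comparison is case-insensitive; compare a lowercased form."""
    return spn.strip().lower()

def build_index(directory):
    """Map each normalized SPN to the set of accounts registering it."""
    index = defaultdict(set)
    for account, spns in directory.items():
        for spn in spns:
            index[normalize(spn)].add(account)
    return index

def audit(directory, service, hostnames):
    """Classify service/<host> for every name used to reach the site."""
    index = build_index(directory)
    report = {}
    for host in hostnames:
        spn = f"{service}/{host}"
        owners = sorted(index.get(normalize(spn), ()))
        status = "MISSING" if not owners else "OK" if len(owners) == 1 else "DUPLICATE"
        report[spn] = (status, owners)
    return report

def with_spn(directory, account, spn):
    """Return a copy of the snapshot with one extra SPN registered."""
    updated = {name: list(spns) for name, spns in directory.items()}
    updated.setdefault(account, []).append(spn)
    return updated

if __name__ == "__main__":
    for spn, (status, owners) in audit(DIRECTORY, "HTTP", NAMES).items():
        print(f"{spn:28} {status:10} {', '.join(owners)}")
```

Registering the alias on a second account as well (for instance via `with_spn` on both the service account and the computer account) turns the `HTTP/SPPS` row into `DUPLICATE`, which is the state to look for before and after any SPN change.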