Hi Ken,

Great info!

Thanks!
Tom
Thomas W. Shinder, M.D. || Sr. Consultant / Technical Writer
[EMAIL PROTECTED] || www.prowessconsulting.com
Mobile: Pending || Phone: Pending || Fax (206) 443.1119
Blog: http://blogs.isaserver.org/shinder || Books: http://tinyurl.com/2gpoo8
PROWESS CONSULTING || documentation || integration || virtualization

> -----Original Message-----
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 9:32 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> Huh? This doesn't make sense.
>
> SPNs can include a port number: MSSQL/yourserver:1433 is different to MSSQL/yourserver:30000 for example.
>
> Kerberos works by having the client say to the DC "I wish to connect to this service: http/yourserver" and the KDC hosted by AD looks in the AD database and finds the computer or user account that http/yourserver is registered under:
>
> How Kerberos works
> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/10/20/512.aspx
>
> How SPNs work and how to add them
> http://www.adopenstatic.com/cs/blogs/ken/archive/2006/11/19/606.aspx
>
> Simple authentication scenario
> http://www.adopenstatic.com/cs/blogs/ken/archive/2007/01/16/1054.aspx
>
> And there's another 5 more posts in my FAQ:
> http://www.adopenstatic.com/faq/
>
> Cheers
> Ken
>
> -----Original Message-----
> From: Troy Meyer [mailto:[EMAIL PROTECTED]
> Sent: Saturday, 26 July 2008 7:15 AM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> It's the other way around. Kerberos will query for SPNs and then find the machine (object) based on the dns lookup of what is in that SPN. This is why good functional DNS is a HUGE part of Kerberos authentication. Of course make sure you take care of the obvious first: are both service account and machines trusted for delegation. Is all time in sync for ticket distribution/expiration, etc.
>
> A good way to test your setup for kerb auth is using the LDP tool to query by SPN and see what it returns.
>
> Remember contrary to many bloggers, you need ONLY the FQDN, and you can only have an SPN registered once per IP (NOT PORT).
>
> Hope that helps a little, it's kind of like that accounting 201 class, once you understand how it all works together it seems like it all makes sense.
>
> -Troy
>
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 1:13 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> But, from what I understand, Kerberos is going to look up the object based on what I type in (SPPS), so I'm not sure how it would find that SPN record. And to Troy who suggested that I do it based on IP address, I would have the same question.
>
> I guess I'll just have to try it and see what happens.
>
> ...Tim
>
> From: Miller Bonnie L. [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 12:53 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> Ken is the real expert on SPNs (I STILL have that thread saved), but if your theory is true, then couldn't you just add the SPN to the computer object of the Sharepoint FE server? Adsiedit, browse to the server object. Edit ServicePrincipalName and add the cname there? Don't know what the longer-term effects might be though. For example, if you add another FE server, what works now might become a problem.
>
> -Bonnie
>
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Friday, July 25, 2008 12:39 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> Maybe I'm beating a dead horse here, but I've got to try :-)
>
> We've discovered that by disabling Kerberos authentication on the site everything works perfectly.
> So, that implied to me that there is a problem with Kerberos authentication on that sharepoint site, which led me to a very nice series about Kerberos on your blog. After reading thru them, I think I understand the problem, I just don't know how to fix it. Hopefully you or someone else here can advise.
>
> The server's name is MOSS, but we access it with the name SPPS (set up as a CNAME in DNS) via host headers. When we set it up, we set up a SPN for HTTP and the sharepoint service account on MOSS. My theory is that Kerberos is trying to look up a SPN for SPPS instead, which doesn't exist, and I can't add one because it isn't an object in AD.
>
> Any thoughts?
>
> ...Tim
>
> From: Tim Evans
> Sent: Wednesday, May 21, 2008 6:04 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> Darn, Ken. I was counting on you to have a quick easy fix for this :-). We're working on the Vista upgrade, but we're not quite ready to take the plunge yet.
>
> Thanks anyway.
> ...Tim
>
> From: Ken Schaefer [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, May 21, 2008 5:44 PM
> To: NT System Admin Issues
> Subject: RE: Sharepoint Explorer View Issues
>
> I've been in a similar situation (trying to work out how to get WebDAV rather than FP view working). Been through that paper, looking at network packet captures, and all sorts of things. Pinged MVPs, Microsoft people, and couldn't work it all out.
>
> Upgrade to Vista - the WebDAV redirector was completely rewritten for Vista and works now :-)
>
> Cheers
> Ken
>
> From: Tim Evans [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 22 May 2008 8:02 AM
> To: NT System Admin Issues
> Subject: Sharepoint Explorer View Issues
>
> We're having some problems with some users' ability to use Explorer View in shared documents folders on our MOSS server. The symptom is that they get an authentication popup when they change from the All Documents view to Explorer view.
> They cannot authenticate with the pop up, no matter what credentials are used. If they cancel the popup, they get in, but have reduced functionality (can't drag & drop, copy, etc). The users affected by it appear to be completely random: some with IE6, some with IE7, nothing in common that I can see (all are XPSP2 or 3).
>
> Googling for help on this yields a bunch of blog entries that all point to a 2006 MS White paper titled "Understanding and Troubleshooting the Sharepoint Explorer View". From reading this white paper, it sounds like we are getting FPRPC instead of WebDAV. Following the troubleshooting steps, we have confirmed that the Web Client Service is running, the content is unencrypted over port 80. Manually adding the site to the local intranet zone makes no difference (it shows unknown zone/mixed by default).
>
> So, does anyone know how to force IE to use WebDAV on a Sharepoint site?
>
> ...Tim
>
> ~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
> ~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
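
The SPN-to-account lookup described in Ken's reply, modelled over a small directory as an added example (not code from anyone in the thread). MOSS, SPPS and the MSSQL SPNs are the names used in the thread; the account names, the `example.local` suffix and the assumption that the client asks for `http/spps` are constructed for illustration.

```python
"""Toy model of how a KDC maps a requested SPN to the account that holds it."""

# Constructed directory: account name -> servicePrincipalName values.
DIRECTORY = {
    "MOSS$": ["HOST/moss", "HOST/moss.example.local"],
    "svc-sharepoint": ["http/moss", "http/moss.example.local"],
    "svc-sql": ["MSSQL/yourserver:1433"],
}


def parse_spn(spn):
    """Split 'class/host[:port]' into (class, host, port-or-None), lower-cased.

    Only two-part SPNs are handled here, which is all the thread uses.
    """
    service_class, _, rest = spn.partition("/")
    if not service_class or not rest:
        raise ValueError(f"not an SPN: {spn!r}")
    host, _, port = rest.partition(":")
    return service_class.lower(), host.lower(), port or None


def find_accounts(directory, requested_spn):
    """Accounts whose SPN list contains the requested SPN (case-insensitive).

    The whole parsed SPN is compared, so a different port is a different SPN.
    """
    wanted = parse_spn(requested_spn)
    return sorted(
        account
        for account, spns in directory.items()
        if any(parse_spn(s) == wanted for s in spns)
    )


def ticket_request(directory, requested_spn):
    """Outcome of a service-ticket request for requested_spn."""
    owners = find_accounts(directory, requested_spn)
    if not owners:
        return "KDC_ERR_S_PRINCIPAL_UNKNOWN"
    if len(owners) > 1:
        # The same SPN on two accounts leaves the KDC unable to pick a key.
        return "duplicate SPN: " + ", ".join(owners)
    return "ticket encrypted with key of " + owners[0]


if __name__ == "__main__":
    for spn in ("http/moss", "http/spps", "MSSQL/yourserver:30000"):
        print(spn, "->", ticket_request(DIRECTORY, spn))
```

Feeding the function a real export of account names and their `servicePrincipalName` values turns it into a quick audit for missing alias SPNs and duplicates.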
