Kerberos delegation with machine alias

Cam

machineA.localnetwork.com - Server 2003 running MS SQL Server
machineB.localnetwork.com - Server 2003 running IIS and SQL Server Reporting
Services and connecting to SQL Server on machineA
machineC.localnetwork.com - XP running IE and connecting to IIS on machineB

Thanks to the "Troubleshooting Kerberos Delegation" whitepaper, everything
is working correctly. I just have one more problem I hope is minor to solve.

Now, I would like to assign an alias to machineB so we can always connect
using the same address (in case one day reporting services is moved to
another machine), such as "reports.localnetwork.com".

In DNS, I created a CNAME called "reports.localnetwork.com" which points to
"machineB.localnetwork.com". When "machineC.localnetwork.com" connects to
"machineB.localnetwork.com", IE prompts for a password. When the domain
user's is entered, the Reporting Services home page is displayed. However,
when any reports are run, this message is displayed:
Login failed for user '(null)'. Reason: Not associated with a trusted SQL
Server connection.

I also turned on DisableStrictNameChecking on machineB and restarted it as
described in KB 281308. This did not help.
 
Brian Komar

Did you register the Service Principal Name "HOST/reports.localnetwork.com"
at machineB.localnetwork.com?
setspn -a HOST/reports.localnetwork.com Domain\machineb
Brian

"Cam" <Cam@discussions.microsoft.com> wrote in message
news:E6DDE710-7108-4E72-ADDF-792A2116CF50@microsoft.com...
> machineA.localnetwork.com - Server 2003 running MS SQL Server
> machineB.localnetwork.com - Server 2003 running IIS and SQL Server
> Reporting
> Services and connecting to SQL Server on machineA
> machineC.localnetwork.com - XP running IE and connecting to IIS on
> machineB
>
> Thanks to the "Troubleshooting Kerberos Delegation" whitepaper, everything
> is working correctly. I just have one more problem I hope is minor to
> solve.
>
> Now, I would like to assign an alias to machineB so we can always connect
> using the same address (in case one day reporting services is moved to
> another machine), such as "reports.localnetwork.com".
>
> In DNS, I created a CNAME called "reports.localnetwork.com" which points
> to
> "machineB.localnetwork.com". When "machineC.localnetwork.com" connects to
> "machineB.localnetwork.com", IE prompts for a password. When the domain
> user's is entered, the Reporting Services home page is displayed. However,
> when any reports are run, this message is displayed:
> Login failed for user '(null)'. Reason: Not associated with a trusted SQL
> Server connection.
>
> I also turned on DisableStrictNameChecking on machineB and restarted it as
> described in KB 281308. This did not help.
 
Cam

> Did you register the Service Principal Name "HOST/reports.localnetwork.com"
> at machineB.localnetwork.com?
> setspn -a HOST/reports.localnetwork.com Domain\machineb
> Brian


Thanks for the hint. After registering the SPN, I can now run the reports.

However, when I point IE to "reports.localnetwork.com", IE still prompts for
a password, whereas pointing IE to machineB.localnetwork.com does not prompt
for a password. Is there a minor detail to work out?
 