10 hours!!!… That's how long it took me to resolve a Kerberos issue.
It all started with finishing the installation of MOSS 2007 and then running the SharePoint Configuration wizard.
No major problems with this, I entered the SQL Server information, changed the default configuration database name and added the Service credentials.
Click next, and hit a wonderfully expansive error stating that I couldn’t connect to the farm or was possibly using incorrect credentials. So I checked everything: group memberships, server names, DNS settings. All I had in the Security event log was a very bare Event 529, against the Kerberos login method.
In the end, I decided to try and set up a simple ODBC connection using a system DSN, and that's when I came across the rather more useful error “Cannot generate SSPI Context”.
Well, this at least pointed me to a reasonably good KB article that covered this error in a more expansive way. KB811889 – How to troubleshoot the “Cannot generate SSPI context” error message
From that, I found another useful explanation of SQL’s authentication methods:
Understanding Kerberos and NTLM authentication in SQL Server Connections
And finally from this, worked out that because I was running the SQL Service under a domain account, it needed to be able to set its own SPN (Service Principal Name) for Kerberos, and therefore required to be a member of the Domain Admins.
I added the username to this group, restarted SQL, and lo and behold, I connected straight away.
So this now leaves me with a dilemma: do I leave the SQL Server service running as a domain admin and tie it down through Group Policy, or do I continue trying to find a better way to run under a normal domain user account…
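
One least-privilege way out of the dilemma above, as an added example that is not part of the original post: an administrator registers the SQL Server SPNs on the service account once, so the account itself can stay an ordinary domain user. It assumes the RSAT ActiveDirectory PowerShell module is available; the account name, host name and port are constructed placeholders.

```powershell
# Added example; run once by an administrator allowed to write servicePrincipalName.
# Assumes the RSAT ActiveDirectory module. All names are constructed placeholders.
Import-Module ActiveDirectory

$ServiceSam  = 'svc-sql'              # hypothetical SQL Server service account (sAMAccountName)
$SqlHostFqdn = 'sql01.corp.example'   # hypothetical SQL Server FQDN
$SqlPort     = 1433                   # TCP port of the instance

$account = Get-ADUser -Identity $ServiceSam -Properties servicePrincipalName

# SPN forms for a default instance: with the TCP port and host-only.
$wanted = @("MSSQLSvc/${SqlHostFqdn}:$SqlPort", "MSSQLSvc/$SqlHostFqdn")

foreach ($spn in $wanted) {
    # An SPN must map to exactly one account; find every object that claims it.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    $others = @($owners | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName })

    if ($others.Count -gt 0) {
        # Duplicate or misplaced SPN: Kerberos authentication to the service will fail.
        Write-Warning "$spn is registered on: $($others.DistinguishedName -join '; ')"
        continue
    }
    if ($owners.Count -eq 0) {
        Set-ADUser -Identity $account -ServicePrincipalNames @{ Add = $spn }
        Write-Host "Registered $spn on $ServiceSam"
    } else {
        Write-Host "$spn already registered on $ServiceSam"
    }
}

# Final state for review.
(Get-ADUser -Identity $ServiceSam -Properties servicePrincipalName).servicePrincipalName
```

A warning from the duplicate check matters as much as a missing SPN: an SPN held by a second object is another cause of “Cannot generate SSPI context”.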