Kerberos SO CLOSE to working

  • 17 September 2009
  • 1 reply
  • 1 view

Badge +4

Hey guys...

For our production environment, we are operating our servers in a child domain, EXTERNAL.ORGANIZATION.COM, so that we can have them in the DMZ and accessible via the internet at large. Our normal, internal, parent domain is ORGANIZATION.COM.

We have all the SPNs set as they should be, etc., and everything seems to be working fine... except one thing.

When you open the K2 workspace, and click on process overview, it loads the report fine... if you're running the site from a box sitting in the EXTERNAL.ORGANIZATION.COM domain.  If you're running the site from a box in the ORGANIZATION.COM domain, you get the dreaded 401 not authorized error.

Kerberos seems to be working properly from the EXTERNAL domain, what can I do to get it working as it should from both? I should note that going to the K2 workspace site, or the reporting services site (on another machine) directly works fine.  However it's the double-hops that don't work... for example, you get an error if you go the reporting services site, then actually try to run the process overview report from there (error communicating with the K2 server).

If you do the same thing from a box in the External domain, the double-hop works fine.

Any guidance?


1 reply

Badge +4

Well, I figured it out.  For anyone else who ever has this type of issue, check your config files.  Any references to computers in other domains in your forest need to be in FQDN form.  That's it.