Another Kerberos riddle: SmartObject unauthorized to list docLib items

  • 12 December 2007
  • 6 replies

Badge +8

I have deployed a VERY simple SmartObject. It has only one method: GetList, which is of type "List", configured as "Continue". This method is bound to a SharePoint ServiceObject method, which is actually a document library Get List method. I set my SO properties as the ones returned by the method.


When I try to use this SmartObject with the SmartObjectViewer ASP.Net application, I get "Error :The request failed with HTTP status 401: Unauthorized".


Investigating with Windows event viewer and Wireshark, I figured out it has something to do with Kerberos (the detailed error is 401.1), but I don't know what! Probably a missing SPN.


The architecture is the following:


- Server A is the MOSS front-end, the K2 workspace server, and the SmartObjectViewer web application


- Server B is the K2 Server (SmartObjects, ServiceObjects, Workflow)


There is only one service account used for everything. It has SPNs defined for K2 (BlackpearlServer and K2Server), for the involved host headers, and all the machines.


The scenario: I call my SO method using the SmartObjectViewer (server A), it should then query the SO server (server B), which will query MOSS (server A) to get the list.


6 replies

Badge +3

A few things to check. 


1) Both server objects in AD have delegation enabled on their delegation tab


2) You've got SPNs enabled for:


a) The netbios and FQDN of both servers for the service account
b) Http as well as k2server and blackpearlserver


3) All IIS app pools are using the service account


A list of your setspn -L output for the service account will be helpful in troubleshooting.

Badge +8

Everything checked in this first checklist.


I feel so frustrated when I get this kind of error.

Badge +8

I've spotted something which I can't believe / understand (depending on if I really turned mad or not). Have a look at this capture:


 K2 Security Label


Why is there a K2 security label here?? It's not surprising then if Kerberos can't do its job...

Badge +10
That is very weird. I know we add K2 to be part of the SPN but never seen that in the domain name. Has anyone else seen this?
Badge +3
Can you post the output of the SETSPN -L command against your service account?
Badge +8

I fear it won't help but here it is:


    K2Server/FQDNServerB:5353
    K2Server/NetBiosServerB:5353
    K2Server2003/FQDNServerB
    K2Server2003/NetBiosServerB
    BlackPearlServer/FQDNServerB:5555
    BlackPearlServer/NetBiosServerB:5555
    http/FQDNK2WorkspaceSite
    http/NetBiosK2WorkspaceSite
    http/FQDNServerA
    http/NetBiosServerA


Port Number is 5353 because we had to change it (we have K2.net 2003)


We're not using host headers for our MOSS sites, that's why we only have SPNs for the server name.
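
Item 2 of the checklist earlier in the thread (SPNs for http, K2Server and BlackPearlServer, each in NetBIOS and FQDN form) can be checked mechanically against `setspn -L` output. The following is an added example, not part of the original thread or K2's own tooling; the account DN and host names in the sample are constructed, and treating the first DNS label as the NetBIOS name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L` output; account DN and host names are placeholders.
SAMPLE = """\
Registered ServicePrincipalNames for CN=svc-k2,OU=Service,DC=example,DC=local:
    K2Server/serverb.example.local:5353
    K2Server/SERVERB:5353
    BlackPearlServer/serverb.example.local:5555
    BlackPearlServer/SERVERB:5555
    http/servera.example.local
"""

# An indented line of the form class/host or class/host:port
SPN_RE = re.compile(r"^\s+([^/\s]+)/([^:/\s]+)(?::(\d+))?\s*$")

def parse_spns(text):
    """Return a set of (service_class, host, port) tuples, lower-cased."""
    spns = set()
    for line in text.splitlines():
        m = SPN_RE.match(line)
        if m:
            spns.add((m.group(1).lower(), m.group(2).lower(), m.group(3)))
    return spns

def audit(spns, required_classes=("http", "k2server", "blackpearlserver")):
    """Report service classes with no SPN at all, and hosts registered
    in only one of the two name forms (short/NetBIOS or FQDN)."""
    findings = []
    forms = defaultdict(lambda: {"short": False, "fqdn": False})
    for cls, host, port in spns:
        short = host.split(".")[0]  # assumption: NetBIOS name == first DNS label
        forms[(cls, short, port or "")]["fqdn" if "." in host else "short"] = True
    for cls in required_classes:
        if not any(key[0] == cls for key in forms):
            findings.append(f"no SPN registered for service class {cls}")
    for (cls, short, port), seen in sorted(forms.items()):
        suffix = f":{port}" if port else ""
        for form, present in seen.items():
            if not present:
                findings.append(f"{cls}/{short}{suffix}: {form} form missing")
    return findings
```

Calling `audit(parse_spns(output))` on the saved output returns a list of findings, empty when every required class is present in both name forms.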
