Accessing the Web client from a remote system as a Windows domain user

Symptom: When you access the Web client from a remote system as a Windows domain user, the client may fail with an authentication or access denied error. A missing service principal name (SPN), or an SPN that is registered incorrectly in the Active Directory domain, can cause this error. The error is written to the System Event log as Kerberos Error ID 4, and IIS generates it.

Service principal names are associated with the user or group in whose security context the service runs, and they support mutual authentication between a service and a client application. Each SPN is associated with exactly one account, although an account may have many SPNs. The SPN is the name the client application uses to identify the service.

If the SPN is not set for a service, client applications cannot locate the service. Common error messages caused by a missing SPN are the following:

Solution: Create a unique SPN.

Setting an SPN requires the following information:

To set the SPN for a service, download the Microsoft Windows Server 2003 Support Tools or the Microsoft Windows Server 2003 Service Pack 1 Support Tools from the Microsoft download site.

To reset an SPN

  1. To ensure that there are no duplicate entries in WINS and DNS for the computer, type the following at a command prompt:

    setspn.exe -R <NetBIOS name of the computer trying to connect to the Web client>

  2. Type the following at a command prompt:

    setspn -A http/<FQDN of the computer that has the Web client and RAM Web Server installed> <the account you use for ASP; it must be a domain account in the form domain\account, because local accounts cannot be used>
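The two setspn steps above are shown here as one PowerShell script that also checks, before adding the SPN, whether another account already holds it, since an SPN mapped to more than one account is a common cause of the Kerberos Error ID 4 described at the top of this page. This is an added example, not part of the original page or the product's own tooling; the server name, FQDN and service account are constructed placeholders, and the `-S` and `-X` switches mentioned in the comments exist only in the newer setspn shipped with Windows Server 2008 and later, not in the 2003 Support Tools version the page refers to.

```powershell
# Added example (not from the original page): verify and register the HTTP SPN
# for the domain account that runs the Web client in IIS, following the
# two-step setspn procedure above. All names below are constructed placeholders.
$WebServerFqdn  = 'webclient.corp.example'   # placeholder: FQDN of the Web client / RAM Web Server host
$ComputerName   = 'WEBCLIENT01'              # placeholder: NetBIOS name of that server
$ServiceAccount = 'CORP\svc_webclient'       # placeholder: domain account used for ASP (local accounts cannot be used)
$Spn            = "http/$WebServerFqdn"

# Step 1 of the procedure: reset the computer's default SPN registrations.
setspn.exe -R $ComputerName | Out-Null

# Before step 2, ask Active Directory which account(s) already carry this SPN.
# Kerberos requires an SPN to map to exactly one account; a duplicate means the
# KDC cannot issue a usable ticket and the client sees the access denied error.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$holders  = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })
$wantedSam = $ServiceAccount.Split('\')[-1]

switch ($holders.Count) {
    0 {
        # Step 2 of the procedure: not registered anywhere, so add it to the
        # service account. -A is the switch used on this page; newer setspn
        # versions also offer -S, which refuses to create a duplicate.
        setspn.exe -A $Spn $ServiceAccount
    }
    1 {
        if ($holders[0] -ieq $wantedSam) {
            Write-Host "$Spn is already registered to $ServiceAccount; nothing to do."
        } else {
            # Registered to the wrong account: adding it again would create a
            # duplicate. Remove it from the other account first (setspn -D),
            # then re-run this script.
            Write-Warning "$Spn is registered to '$($holders[0])', not to $ServiceAccount. Remove it with 'setspn -D $Spn <that account>' before adding it here."
        }
    }
    default {
        # Already duplicated: resolve before touching anything else.
        # On Server 2008 and later, 'setspn -X' lists all duplicate SPNs in the domain.
        Write-Warning "$Spn is registered to multiple accounts ($($holders -join ', ')). Resolve the duplicates first."
    }
}

# Show the final list of SPNs on the service account so the result can be verified.
setspn.exe -L $ServiceAccount
```

Run the script from an elevated prompt on a domain-joined machine with the setspn tool installed; the `[adsisearcher]` query needs only ordinary read access to the directory, while the `-R` and `-A` steps need rights to write the relevant account objects.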