Accessing the Web client from a remote system as a Windows domain user

Symptom: When you access the Web client from a remote system as a Windows domain user, the client may experience an authentication or access denied error. An absent service principal name or an inaccurate registration of the service principal name (SPN) in the Active Directory domain may cause the error. The error is written to the System Event log as a Kerberos Error ID 4. The IIS generates the error.

Service principal names are associated with the user or group in whose security context the service executes. Service principal names support mutual authentication between a service and a client application. A service principal name is associated with an account. An account may have many service principal names. The SPN is the name the client application uses to identify the service.

If the SPN is not set for a service, the client applications cannot locate the service. Common error messages for not setting the SPN are the following:

KDC_ERR_C_PRINCIPAL_UNKNOWN or KDC_ERR_S_PRINICIPAL_UNKNOWN
A missing or an incorrectly set SPN causes other errors. Kerberos authentication relies on properly set SPNs.

Solution Create a unique SPN.

Setting an SPN requires the following information:

SPN service class assigned to the service
Account under which the service is running
Host computer name to which the SPN belongs

The computer name should include all of the names by which the computer where the service is running can be referenced. The information includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases assigned to the computer. A separate SPN must be set for each name by which the computer can be referenced.
Port that the service is running on

Include the port information even if the information is the default part for that service.

To set the SPN for a service, download the Microsoft Windows Server 2003 Support Tools or the Microsoft Windows Server 2003 Service Pack 1 Support Tools from the Microsoft download site.

To reset an SPN

To ensure that there are no duplicate entries in WINS and DNS for the computer, type the following at a prompt:

setspn.exe -R <BIOS name of the computer trying to connect to the Web client>
Type the following at a prompt:

setspn -A http/<FQDN of the computer that has the Web client and RAM Web Server installed.> < The account you use for ASP. The account must be a domain account domain\account. You cannot use local accounts.>