Setup kerberos in SSRS (Denali) RRS feed

  • Question

  • Hi,

    My customer want to setup Kerberos on Denali SSRS. Their environment consist of:

    ·         Two front-end SPS 2010 in NLB (WEB01, WEB02). Network Load Balancer is a Cisco ASA box. The Network Load Balancer point to two web servers (WEB01 and WEB02) which are windows 2008 R2 boxes as member servers of the domain.

    ·         Two application servers (BIAPP-01, BIAPP-02) which host SPS2010 services (Excel services, Visio services,… and SQL Server Reporting Sevices

    ·          Two nodes sql failover cluster (denali). There are installed more sql and ssas instancies but sharepoint content, repoting databases and tested adventureworks database are on the instance SPSQL\SPSSQL.


    When I created a new shared connection to the AdventureWorks database in reporting library with selected Integrated windows authentication I received following error msg:

    Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'


    I was logged into sharepoint as domain\sauser user. This account is in sql sysadmin role.

    It looks that Kerberos is not working correctly.


    I will greatly appreciate any advice that can be given. It is blocking deployment so I need to solve it asap.

    Please, let me know if somebody can help. Bellow is the set of SPNs were been registered. 

    Thank you so much.



    Btw: I registered following SPN:


    ##SQL1 (SharePoint Server) Named Instance of SPSQL on port 61000.  

    setspn -S MSSQLSvc/SPSQL.Sageukie.adinternal.com:61000 Domain\SPSQLSVR

    setspn -S MSSQLSvc/SPSQL:61000 Domain\SPSQLSVR



    setspn -S HTTP/reports.Domain.adinternal.com Domain\ReportingSvcs

    setspn -S HTTP/reports Domain\ReportingSvcs

    setspn -S HTTP/BI.Domain.adinternal.com:80 Domain\ReportingSvcs

    setspn -S HTTP/BI:80 Domain\ReportingSvcs

    setspn -S HTTP/BI.Domain.adinternal.com Domain\ReportingSvcs

    setspn -S HTTP/BI Domain\ReportingSvcs

    setspn -S HTTP/BIAPP-01.Domain.adinternal.com Domain\ReportingSvcs

    setspn -S HTTP/BIAPP-01 Domain\ReportingSvcs

    setspn -S HTTP/BIAPP-02.Domain.adinternal.com Domain\ReportingSvcs

    setspn -S HTTP/BIAPP-02 Domain\ReportingSvcs


    ##Portal Site

    setspn –S HTTP/BI Domain\svc-portal

    setspn –S HTTP/BI.Domain.adinternal.com Domain\svc-portal

    setspn –S HTTP/BI:55555 Domain\svc-portal

    setspn –S HTTP/BI.Domain.adinternal.com:55555 Domain\svc-portal


    ##PerformancePoint site

    setspn -S SP/svcPPS Domain\svc-pps



    ##Excel Services

    setspn -S SP/ExcelServices Domain\svc-excel


    ##Visio Services

    setspn -S SP/VisioServices Domain\svc-visio


    ##Claims to Windows token

    setspn -S SP/C2WTS Domain\svc-c2wts




    Saturday, November 5, 2011 8:19 PM


All replies

  • Hello Martin,

    could you already solve your problem? I ran into the same issue.

    Best Regards


    Wednesday, November 23, 2011 6:13 PM
  • Hi Mario,

    PSS team is solving it now. I can let you know the result.


    Wednesday, November 23, 2011 6:19 PM
  • Is there a resolution for this yet?

    I'm trying to get SSRS 2012 running in SharePoint integrated mode in a farm with Kerberos configured (it was set up and working with SSSRS 2008 R2). I'm getting the following errors in the ULS log when attempting to create a Report Data Source:

    1. Microsoft.ReportingServices.ReportProcessing.ReportProcessingException: Cannot impersonate user for data source
    2. Microsoft.ReportingServices.Diagnostics.Utilities.ClaimsToWindowsTokenException: Cannot convert claims identity to windows token

    Any help or direction would be greatly appreciated!


    Thursday, February 16, 2012 6:49 PM
  • Friday, March 2, 2012 1:48 PM