Receiving “You are not authorized…” 401.1 error when accessing RAM Web Portal from remote machine.
Last Updated December 02, 2013
Symptoms When you access the Web client from a remote system as a Windows
domain user, the client may experience an authentication or access denied error. An absent service principal name or an inaccurate registration of the service principal name (SPN) in the Active Directory domain may cause the error. The error is written to the System Event log as a Kerberos Error ID 4. The IIS generates the error.
Service principal names are associated with the user or group in whose security context the service executes. Service principal names support mutual authentication between a service and a client application. A service principal name is associated with an account. An account may have many service principal names. The SPN is the name the client application uses to identify the service. If the SPN is not set for a service, the client applications cannot locate the service. Common error messages for not setting the SPN are the following:
- KDC_ERR_C_PRINCIPAL_UNKNOWN or KDC_ERR_S_PRINICIPAL_UNKNOWN
- Other errors may be caused by a missing or an incorrectly set SPN. Kerberos authentication relies on properly set SPNs.
Create a unique SPN.
Setting an SPN requires the following information: - SPN service class assigned to the service - The account under which the service is running - The host computer name to which the SPN belongs The computer name should include all of the names by which the computer on which the service is running can be referenced. The information includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases assigned to the computer. A separate SPN must be set for each name by which the computer can be referenced. - The port that the service is running on Include the port information even if the information is the default part for that service.
To set the SPN for a service, download the Microsoft Windows Server 2003 support tools from the Microsoft download site.
To reset an SPN
1 To ensure that there are no duplicate entries in WINS and DNS for the computer, type the following at a prompt:
<BIOS name of the computer trying to connect to the Web client>
2 Type the following at a prompt:
setspn -A http/<FQDN of the computer that has the Web client and RA_webcore installed.> < The account you use for ASP. The account must be a domain account. You cannot use a local account unless you use domain\user.>
Imported Document ID: TECH115436
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe