SPN for Index Server

If you followed our blog post Configuring Kerberos Delegation (without infrastructure update), you might have noticed that we asked you to set up an SPN for the Index server. You might ask why, and how the Index server comes into the picture when all you want to do is set up Kerberos for Excel Services. Allow us to explain:

As we mentioned in our Enterprise Search blog post, the Office Server Web Services web site contains ECS as well as a Search component for each of the SSPs created in the farm. Setting up SPNs for Ids 1, 2 and 4 (Configuring Kerberos Delegation (without infrastructure update)) forces both search services (Central Administration and SSP administration) to use the Kerberos protocol.

Suppose the Index and ECS roles are assigned to separate servers during farm setup and, as a prerequisite for Kerberos authentication, you have created SPNs in the KDC for Ids 1, 2 and 4 from Step 1 and completed Steps 2 and 3. If you now try to access the search settings page under the SSP (/ssp/admin/_layouts/searchsspsettings.aspx), authentication to the SSP search administration pages fails. The error message in the UI would be similar to:

"The search service is currently offline. Visit the Services on Server page in SharePoint Central Administration to verify whether the service is enabled. This might also be because an indexer move is in progress."

while the more descriptive errors in the ULS logs would be:

Exception caught in Search Admin web-service proxy (client). System.Net.WebException: The request failed with HTTP status 401: Unauthorized.

at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)

at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

at Microsoft.Office.Server.Search.Administration.SearchWebServiceProxy.RunWithSoapExceptionHandling[T](String methodName, Object[] parameters)

To resolve this issue, ensure that an SPN for the index server is set up using the SSP account, as Id 3 prescribes in the blog post Configuring Kerberos Delegation (without infrastructure update).