Troubleshooting Other Issues

Cannot Connect to the Configuration Database Message

I get a "cannot connect to the configuration database" message when I try to set the configuration database for Microsoft Windows SharePoint Services.

If you are using SQL Server authentication, and the password associated with the SQL Server system account used to connect to the Microsoft SQL Server databases has expired or changed, you will see a "cannot connect to the configuration database" message until you reset the password in SQL Server. For more information about changing passwords in SQL Server, see Help in SQL Server Enterprise Manager.

You may also see this message if the application pool for the administration virtual server does not have the appropriate rights to the databases in SQL Server. The administration virtual server's application pool account must be a member of the Security Administrators and Database Creators roles for SQL Server, and that account should also be the database owner of the configuration database. The application pool accounts for additional virtual servers must also be database owners for the configuration database, in order to create and manage the content databases for that virtual server.

Verify also that the account for the administration virtual server's application pool is in both the IIS_WPG and STS_WPG local groups. If the account for the application pool is not in these local groups, add the account to these local groups.

 Note   You may also see a "service unavailable" message if the password for an Internet Information Services (IIS) application pool identity has changed or expired. For more information about changing passwords for application pool identities, see Service Unavailable Message in this topic.

Database Already Exists Message

When I try to manage a content database on the Manage Content Databases page in SharePoint Central Administration, I get one of the following error messages:

  • Database database_name already exists. (Error code: 1801)
  • The current user or the application pool identity of the virtual server is not the owner of the database database_name on server servername\sharepoint.

This issue may occur when the database owner of the database that you are connecting to is different from the application pool identity that Windows SharePoint Services is running under. To resolve this issue, you must change the database ownership and the permissions for the content database to match the identities of the virtual server accounts for content and configuration. The steps for changing the database ownership differ depending on whether you are running SQL Server or Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE).

This issue is also covered by article 828815 in the Microsoft Knowledge Base.

Changing the Configuration Database Ownership and Permissions for SQL Server

If you are running Microsoft SQL Server, you can change the ownership and permissions on your configuration database. The steps differ between SQL Server 2000 and SQL Server 2005, as detailed in the following procedures.

Change the configuration database ownership and permissions in SQL Server 2000
  1. On the new server, click Start, point to All Programs, point to Microsoft SQL Server, and then click Query Analyzer.
  2. In the Connect to SQL Server dialog box, in the SQL Server box, type the server name, and then click OK.
  3. On the Query menu, click Change Database.
  4. In the Select Database of server_name box, click the configuration database (sts_config), and then click OK.
  5. In the Query pane, type the following query.

 Note   In the two SET statements of the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server. If the accounts are the same, SQL Query Analyzer will display an error, but the process will still succeed.

-- The content virtual server's application pool identity and the
-- SharePoint Central Administration application pool identity.
DECLARE @AdminVSAccount nvarchar(255)
DECLARE @ContentVSAccount nvarchar(255)
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Make sure both Windows accounts have SQL Server logins.
EXEC sp_grantlogin @ContentVSAccount;
EXEC sp_grantlogin @AdminVSAccount;
-- Make the administration account the owner (dbo) of the current database.
EXEC sp_changedbowner @AdminVSAccount;
-- Give the content account access to the database and db_owner membership.
IF NOT EXISTS (SELECT * FROM sysusers WHERE name=@ContentVSAccount)
EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
  6. Click the Execute Query button to update the database.
Change the configuration database ownership and permissions in SQL Server 2005
  1. On the server running SQL Server 2005, click Start, point to All Programs, point to Microsoft SQL Server 2005, and then click SQL Server Management Studio.
  2. On the Connect to Server page, select the name of the local server from the Server name drop-down list.
  3. Select Windows Authentication from the Authentication drop-down list and then click Connect.
  4. In Object Explorer, click the plus sign (+) next to the Databases node.
  5. Right-click the configuration database (STS_Config, by default) and then click New Query.
  6. In the Query pane, type the following query.

 Note   In the two SET statements of the query, replace domain\contentaccount and domain\adminaccount with the domain account for the content virtual server and the domain account for the SharePoint Central Administration virtual server. If the accounts are the same, SQL Server Management Studio will display an error, but the process will still succeed.

-- The content virtual server's application pool identity and the
-- SharePoint Central Administration application pool identity.
DECLARE @AdminVSAccount nvarchar(255)
DECLARE @ContentVSAccount nvarchar(255)
SET @ContentVSAccount = N'domain\contentaccount';
SET @AdminVSAccount = N'domain\adminaccount';
-- Make sure both Windows accounts have SQL Server logins.
EXEC sp_grantlogin @ContentVSAccount;
EXEC sp_grantlogin @AdminVSAccount;
-- Make the administration account the owner (dbo) of the current database.
EXEC sp_changedbowner @AdminVSAccount;
-- Give the content account access to the database and db_owner membership.
IF NOT EXISTS (SELECT * FROM sysusers WHERE name=@ContentVSAccount)
EXEC sp_grantdbaccess @ContentVSAccount;
EXEC sp_addrolemember 'db_owner', @ContentVSAccount;
  7. On the toolbar, click the Execute button to run the query and update the database.

Changing the Database Ownership and Permissions for WMSDE

If you are running WMSDE, you must perform the following steps: Add the Network Service account to the SYSADMIN role for WMSDE, then use the Manage Content Database page to add the database back to the virtual server, and then remove Network Service from the SYSADMIN role.

Set Network Service as SYSADMIN for WMSDE
  1. Click Start, point to All Programs, point to Accessories, and then click Command Prompt.
  2. At the command prompt, type the following command (where servername is the name of your server) and then press ENTER.

osql -S servername\sharepoint -E

  3. Type the following command and then press ENTER.

sp_addsrvrolemember 'nt authority\network service', 'sysadmin'

  4. Type go, and then press ENTER.

After the Network Service account has been added to the SYSADMIN role, you can add the content database to the virtual server.

Add the content database
  1. Click Start, point to All Programs, point to Administrative Tools, and then click SharePoint Central Administration.
  2. On the SharePoint Central Administration page, under Virtual Server Configuration, click Configure virtual server settings.
  3. On the Virtual Server List page, click the virtual server you want to add the content database to.
  4. On the Virtual Server Settings page, under Virtual Server Management, click Manage content databases.
  5. On the Manage Content Databases page, under Content Databases, click Add a content database.
  6. In the Database Information section, click Specify database server settings.
  7. In the Database server box, type the name of the database server.
  8. In the Database name box, type the name of the database.
  9. In the Database Capacity Settings section, type a number in the Number of sites before a warning event is generated box.
  10. Type a number in the Maximum number of sites that can be created in this database box.
  11. Click OK.

After the content database has been added back to the virtual server, remove the Network Service account from the SYSADMIN role again so that the application pool identity does not keep server-wide rights it no longer needs.

Restore the SYSADMIN role
  2. At the OSQL command prompt, type the following command and then press ENTER.

sp_dropsrvrolemember 'nt authority\network service', 'sysadmin'

  3. Type go, and then press ENTER.

General Site Use Issues

  • Site users report that they can't get to a list, document library, discussion board, or survey, yet I can see it listed on the Document Libraries, Discussion Boards, or Lists page.

The default view may have been deleted. Do one of the following:

  • Set an existing view as the default view.
  • Create a new view to use as the default view.

 Note   To specify a default view or create a new view you must be a member of the Web Designer site group or a site group that has the Manage Lists right.

  • I can no longer modify a view by using my Web browser.

If a view is modified extensively by using a Windows SharePoint Services-compatible Web page editor, such as Microsoft Office FrontPage 2003, it can no longer be modified in the Web browser.

 Note   To modify a view you must be a member of the Web Designer site group or a site group that has the Manage Lists right.

  • I can't get custom Active Server Pages to work correctly on my site.

By default, the ISAPI filter for Windows SharePoint Services blocks the use of any ASP pages that are not part of the installation. If you want to use custom ASP pages with your SharePoint sites, you must put the ASP pages in a separate virtual directory and create an excluded path for the directory in Windows SharePoint Services. This allows Internet Information Services (IIS), rather than Windows SharePoint Services, to control the directory and allows the ASP pages to run. Also, IIS does not allow ASP pages to be served by default. You may also need to allow Active Server Pages in IIS before your custom Active Server Pages work correctly. For more information, see the IIS Help system. Active Server Pages issues are also covered by article 828810 in the Microsoft Knowledge Base.

 Note   To perform these steps, you must be a member of the local Administrators group on the server running Windows SharePoint Services.

Full-Text Search Issues

  • Full-text searching does not include any file types other than .doc, .xls, .ppt, .txt, and .htm in the search results.

If you are using the full-text searching for Microsoft SQL Server 2000 or SQL Server 2005, the following filters are installed by default: .doc, .xls, .ppt, .txt, and .htm. You can install custom filters to allow you to search other file types. For more information about enabling full-text searching, see Managing and Customizing Search. For more information about adding filters to SQL Server full-text searching, see the SQL Server 2000 or SQL Server 2005 documentation.

  • I can't enable search for a server.

Is your server running Windows SharePoint Services-compatible search server software, such as Microsoft SQL Server 2000 or SQL Server 2005? By default, Windows SharePoint Services installs the Microsoft SQL Server 2000 Desktop Engine (Windows) (WMSDE) database. However, to enable the search functionality, the server's back-end database must be running Microsoft SQL Server 2000, SQL Server 2005, or another Windows SharePoint Services-compatible search server.

Is your server part of a server farm? If each server in the server farm is not running Windows SharePoint Services-compatible search server software, such as Microsoft SQL Server 2000 or SQL Server 2005, the search controls may not appear. To resolve this problem, make sure that all servers in the server farm are running Windows SharePoint Services-compatible search server software.

  • Enabling full-text searching has failed.

If you are enabling full-text searching with Microsoft SQL Server in a server farm environment, the process can time out or fail if one of the servers is offline or has a hard disk drive failure. If enabling full-text searching is taking more than a minute or two, you can restart the SQL Server services and run two stored procedures to enable searching. The steps differ between SQL Server 2000 and SQL Server 2005, as detailed in the following procedures.

Restart the SQL Server 2000 processes and run stored procedures
  1. On your computer running SQL Server 2000, open a command prompt and run the following commands:

net stop mssearch

net stop mssqlserver

net start mssqlserver

net start mssearch

  2. Open SQL Server Query Analyzer.
  3. Run the following stored procedures on the content databases:

exec proc_DisableFullTextSearch

exec proc_EnableFullTextSearch

 Note   After you run the proc_EnableFullTextSearch stored procedure, you may see the following warnings. These warnings do not affect Windows SharePoint Services.

Warning: Table 'UserData' does not have the option 'text in row' enabled and has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Warning: Table 'Docs' does not have the option 'text in row' enabled and has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Restart the SQL Server 2005 processes and run stored procedures
  1. On your computer running SQL Server 2005, open a command prompt and run the following commands:

net stop msftesql

net stop mssqlserver

net start mssqlserver

net start msftesql

  2. Open SQL Server Management Studio.
  3. Run the following stored procedures on the content databases:

exec proc_DisableFullTextSearch

exec proc_EnableFullTextSearch

 Note   After you run the proc_EnableFullTextSearch stored procedure, you may see the following warnings. These warnings do not affect Windows SharePoint Services.

Warning: Table or indexed view 'UserData' has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Warning: Table or indexed view 'Docs' has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Warning: Table or indexed view 'Lists' has full-text indexed columns that are of type image, text, or ntext. Full-text change tracking cannot track WRITETEXT or UPDATETEXT operations performed on these columns.

Restoring a List, List Item, or Document

  • A user deleted an item, document, or list, and now needs to recover it.

If you have a recent backup of either the content database or the site, you can restore the backup to a new, temporary server or site, and then copy the deleted item, document, or list to the original site. After you have recovered the list, item, or document, you can delete the restored version of the database or site. For more information, see Backing Up and Restoring Databases and Backing Up and Restoring Web Sites.

 Note   To copy an entire list or document library, save the list or document library (including the content) as a list template, and then import the list template and create a list or document library based on that template. When you include the content in the template, your new instance of the list includes all of the items or documents from the old list. List templates do not include per-list permission settings or created by or modified by data from the original list. For information about creating a list template, see Working with Templates.

Service Unavailable Message

  • I get a "service unavailable" message when I try to view my site or the administration pages for my site or server.

If the password for the application pool for a virtual server has expired or changed, you will see a "service unavailable" message until you reset Internet Information Services (IIS) and SQL Server to accept the new password.

 Note   You may also see a "cannot connect to configuration database" error message if you are using SQL Server authentication and the password associated with the system account for SQL Server has expired or changed. If you see this message, you must reset the password in SQL Server. For more information about changing passwords in SQL Server 2000, see Help in SQL Server Enterprise Manager. For more information about changing passwords in SQL Server 2005, see Help in SQL Server Management Studio.

Reset an application pool password in IIS
  1. Click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. Click the plus sign next to your server name.
  3. Click the plus sign next to Application Pools.
  4. Right-click the application pool that needs to be updated, and then click Properties.
  5. In the "Application Pool ID" Properties dialog box, click the Identity tab.
  6. Under Application pool identity, in the Password box, type the new password, and then click OK.
  7. In the Confirm Password dialog box, type the password again, and then click OK.

After you change the password in IIS, you must restart IIS to connect with the new password. To restart IIS, type iisreset on the command line.

Security Issues

  • I want to prevent users from seeing links to areas in this site, such as Site Administration.

Rather than hiding links and controls from users, Windows SharePoint Services checks users' rights when they click links or try to perform actions on the site. If a user is not a member of a site group or cross-site group with the proper rights, he or she cannot enter site administration or change the settings for a site, list, or library. There are no administrative controls to hide links from unauthorized users.

  • I've deleted users from my site, but I'm still being notified that my quota is full and I can't add any more users.

To have any effect on your user quota, users must be removed at the site collection level. You can do this by using SharePoint Central Administration or the Manage Site Collection Users page in Site Administration. Removing users from individual sites will not allow you to add more users. To remove site collection users by using the Site Administration pages, do the following:

  1. On the top link bar, click Site Settings.
  2. In the Administration section, click Go to Site Administration.
  3. In the Site Collection Administration section, click View site collection user information.
  4. Select the check box next to the users that you want to delete, and then click Remove Selected Users.

 Note   You must be a site collection administrator to remove users from a site collection.

  • I removed a user from a site but he or she is still receiving alerts from it.

When you remove a user from a Web site, site group, or cross-site group after he or she has created alerts, you must manually delete any alerts that he or she has set up. This is also true for any lists or libraries where you change security settings to limit access. If a user has set up alerts for the list or library, he or she will continue to receive them after you change the security settings. For information on deleting alerts for users, see Managing Alerts.

Usage Analysis Issues

  • I see a "no data" message or a message that usage reports are not available when I try to view the Site Usage Report page

Usage analysis must be turned on, and users must have visited a page in your site before any data can appear on the Site Usage Report page. If you are seeing the error "No usage data is available for this web" on this page, verify that usage analysis has been turned on for the server.

If the site is new (created today), or has not been used before today, no data will appear until the usage log processing has been done (usually within 24 hours).

If there has been no activity on the site for the past 31 days, the Site Usage Report page will say that usage reports are not available.

For more information about enabling usage analysis, see Configuring Usage Analysis.

  • I extended a new virtual server, and the usage analysis processing is not working for the new virtual server.

If usage analysis processing was configured before you extended the virtual server, it must be enabled manually for the new virtual server. To enable usage analysis for the new virtual server, you can use either of the following methods:

  1. Use the command-line tool Stsadm.exe with the setproperty operation to set the schedule for usage analysis on the new virtual server. To set the schedule, run the following operation:

stsadm.exe -o setproperty -pn job-usage-analysis -pv "daily between HH:MM:SS and HH:MM:SS" -url <URL to virtual server>

  2. Use the Configure Usage Analysis page to reconfigure usage analysis for all virtual servers.

 Note   Usage analysis information is not available until the usage analysis processing has been run at least once.

  • The number of users that I'm seeing is higher than I expected.

If you have removed users from a subsite, but not from the site collection, the users will still appear in the usage data. If you are trying to remove users so that you are under your quota, you must remove users at the site collection level, not at the subsite level.

Also, server administrators are included as users in the usage analysis results, even though they are not members of a site. If they perform actions within a site or run a monitoring utility on a site collection, those activities are included in the usage analysis results. However, server administrators are not counted towards user quotas.

For more information about enabling usage analysis, see Configuring Usage Analysis.

SSL Termination Not Supported Prior to Service Pack 2

 Note   The information contained in this section applies to issues in versions of Windows SharePoint Services earlier than Windows SharePoint Services Service Pack 2 (SP2). Windows SharePoint Services SP2 includes support for advanced extranet configurations, such as SSL termination at the reverse proxy server. New command line operations can be used with the stsadm.exe command line utility to "map" incoming and outgoing URLs. For more information about these new command line operations, see Command-Line Operations and What's New in Windows SharePoint Services Service Pack 2.

My alert message URLs are wrong and I get an "Access denied" message when I try to upload a document to a document library.

Secure Sockets Layer (SSL) termination is a configuration where an HTTPS request from the client is first processed by either a proxy server or a firewall, and then the request is forwarded to a Web server by using HTTP. SSL termination is not supported for Windows SharePoint Services prior to Service Pack 2. If SSL termination is configured, alert messages may contain the wrong URL (HTTP rather than HTTPS), and your users may not be able to upload documents to document libraries (they receive an Access Denied message after attempting to authenticate).

This issue is also covered by article 831106 in the Microsoft Knowledge Base.

Web Part Errors on the Home Page

I get one of the following errors when I view the home page of my site:

  • Web Part Error: Cannot deserialize (convert an XML stream back into an object) the Web Part on the server.
  • Web Part Error: One of the properties of the Web Part has an incorrect format. Windows SharePoint Services cannot deserialize the Web Part. Check the format of the properties and try again.

These errors can be caused when permissions that Windows SharePoint Services configured on the Windows Temp directory were unintentionally reset (perhaps during an upgrade to the operating system). To resolve this issue, make sure that the following permissions are configured correctly.

%WinDir%\Temp - required permissions:

  • Administrators - Full control
  • SYSTEM - Full control
  • STS_WPG - Read, Write
  • Network Service (for a domain controller only) - Read, Write

%WinDir%\System32\Logfiles - required permissions:

  • STS Administrators - Full Control
  • SYSTEM - Full control
  • STS_WPG - Read, Write
  • Network Service (for a domain controller only) - Read, Write

 Note   If your usage analysis log files are stored in a different location, you must also be sure that the permissions for those log files match the permissions for the Logfiles directory above.

For more information about the permissions needed for Windows SharePoint Services to perform as expected, see Files and Permissions. This issue is also covered by article 826786 in the Microsoft Knowledge Base.

Assigned IP Addresses Not Supported Prior to Service Pack 2

The information contained in this section applies to pre-Service Pack 2 issues. Windows SharePoint Services Service Pack 2 removes this limitation by allowing virtual servers extended with Windows SharePoint Services to be IP-bound (have static IP addresses). Prior to Service Pack 2, Windows SharePoint Services required that IIS virtual servers be configured with the All Unassigned option on the Web Site properties in Internet Information Services (IIS) Manager before the virtual server could be extended with Windows SharePoint Services.

 Note   Windows SharePoint Services does not support assigning a static IP address to a virtual server in scalable hosting mode.

For additional information, see Microsoft Knowledge Base article 832816: The server instance specified was not found.

When I try to modify my site or add or export Web parts I get one of the following error messages:

  • Cannot retrieve properties at this time.
  • The server could not complete your request. Contact your Internet service provider or Web server administrator to make sure that the server has the FrontPage Server Extensions or SharePoint Services installed.

This problem may occur when one or both of the following conditions are true:

  • You have configured the virtual server in IIS to have an assigned IP address, and then extended the virtual server with Windows SharePoint Services.
  • You have configured the virtual server in IIS to use host headers, and then extended the virtual server with Windows SharePoint Services, and then you installed a Web Part assembly to the Bin folder instead of to the global assembly cache.

In each of these configurations, Windows SharePoint Services cannot obtain sufficient information from the virtual server to load the Web Part or Web Parts on the site. To address these issues, use one of the following methods, as appropriate to your situation:

  1. Assigned IP addresses are not supported prior to Service Pack 2. If you have assigned an IP address in IIS, you must change the IP address to use All Unassigned before you can use Windows SharePoint Services. For more information about changing the IP address in IIS, see the IIS Help system.
  2. If you host a virtual server that has a host header name and you installed a Web Part assembly to the Bin folder, you must move the assembly to the global assembly cache. For more information, see the SharePoint Products and Technologies Software Development Kit.
  3. Consider using scalable hosting mode for Windows SharePoint Services. For more information, see Server Farm Scalable Hosting Mode Deployment.

This issue is also covered by article 830342 in the Microsoft Knowledge Base.

SharePoint Configuration Analyzer

Windows SharePoint Services Service Pack 2 (SP2) allows virtual servers extended with Windows SharePoint Services to be bound to a static IP address. When SharePoint Configuration Analyzer is run after applying Windows SharePoint Services SP2, and an IP-bound virtual server is configured, you will receive the following error message in the IIS Settings section:

  • "A virtual server is bound to a static IP address. This is not supported in Windows SharePoint Services."

This error can be ignored if Service Pack 2 has been installed and an IP-bound virtual server has been configured in IIS. This issue may be resolved in future versions of SharePoint Configuration Analyzer.

Authentication and Access Control Diagnostics 1.0 (Authdiag)

Authentication and Access Control Diagnostics 1.0 (more commonly known as AuthDiag) is a robust diagnostic tool from Microsoft. This tool helps find the source of authentication and authorization failures. AuthDiag analyzes metabase configuration and system-wide policies, warns administrators of possible points of failure, and provides guidance for resolving the problem.

AuthDiag 1.0 also includes a robust monitoring tool, called AuthMon, designed to capture a snapshot of the problem while it occurs in real-time. AuthMon is especially helpful in removing any information not pertinent to the authentication or authorization process from IIS servers.

You can find additional information about and download this tool from the Microsoft Download Center.

Configuring Kerberos Authentication

New to Windows SharePoint Services Service Pack 2 (SP2), you can choose to use either NTLM or Kerberos authentication.

 Note   For more information, see the Microsoft Knowledge Base article 832769: How to configure a Windows SharePoint Services virtual server to use Kerberos authentication.

Enabling Kerberos in IIS

 Note   Windows SharePoint Services, prior to Service Pack 2, enabled NTLM authentication by default when Windows SharePoint Services was installed by using the Typical Installation option. Windows SharePoint Services SP2 uses Kerberos by default, but enables you to choose either NTLM or Kerberos authentication when you create the SharePoint Central Administration virtual server and extend content virtual servers.

You can use either of the following two methods to enable Kerberos in IIS:

  • Manually edit the IIS metabase.

If you are enabling Kerberos for only one virtual server, you can directly edit the IIS metabase.

  • Use IIS administration scripts to edit the IIS metabase.

If you need to enable Kerberos authentication for several virtual servers, consider using a script that you can run for each virtual server.

Method 1: Manually edit the IIS metabase to enable Kerberos authentication
  1. On the server running IIS, open Notepad, and then open the Metabase.xml file that is located in the following folder on the hard disk, where %systemroot% is the path and folder name where Microsoft Windows is installed. Because IIS 6.0 rewrites Metabase.xml from memory, either stop IIS first or select Enable Direct Metabase Edit on the server properties in IIS Manager; otherwise your edits are overwritten.

%systemroot%\System32\Inetsrv

  2. In the <IIsWebServer> section, locate the following line:

NTAuthenticationProviders="NTLM"

  3. Modify the line so that it reads exactly as follows:

NTAuthenticationProviders="Negotiate,NTLM"

  4. Save the file, and then quit Notepad.
  5. Open a command prompt, and then restart IIS by typing iisreset.
Method 2: Use an IIS administration script to edit the IIS metabase and enable Kerberos authentication
  1. On the server running IIS, open a command prompt.
  2. Change to the Inetpub\Adminscripts folder, and then type the following line, where Drive is the hard disk drive where Windows is installed, and then press ENTER:

cd Drive:\inetpub\adminscripts

  3. Type the following line, where xx is the virtual server ID number, and then press ENTER.

cscript adsutil.vbs get w3svc/xx/NTAuthenticationProviders

 Note   The virtual server ID of the default Web site in IIS is 1.

The following string is returned:

ntauthenticationproviders: (STRING) "NTLM"

  4. To enable Kerberos on the virtual server, type the following line, where xx is the virtual server ID number, and then press ENTER.

cscript adsutil.vbs set w3svc/xx/NTAuthenticationProviders "Negotiate,NTLM"

  5. Type iisreset and then press ENTER to restart IIS.
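Before editing by either method, it helps to know which virtual servers already offer Negotiate and which still advertise only NTLM. The following added example (not code from the original page or from Windows SharePoint Services) audits a Metabase.xml offline: it lists every IIsWebServer entry, resolves a value inherited from the W3SVC node, flags sites that do not offer Negotiate, and prints the adsutil.vbs command from Method 2 for each one. The abridged sample Metabase.xml, the namespace URI, and the assumption that IIS 6.0 defaults to "Negotiate,NTLM" when the property is set nowhere are the example's own.

```python
"""Offline audit of NTAuthenticationProviders in an IIS 6 Metabase.xml.

Usage: python audit_metabase.py [path\to\Metabase.xml]
With no argument the constructed SAMPLE_METABASE below is audited.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed, abridged Metabase.xml for the example. Element and attribute
# names follow the IIS 6 metabase schema; the namespace URI is assumed.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
<IIsWebService Location="/LM/W3SVC" NTAuthenticationProviders="NTLM" />
<IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
    NTAuthenticationProviders="NTLM" />
<IIsWebServer Location="/LM/W3SVC/2" ServerComment="SharePoint Central Administration"
    NTAuthenticationProviders="Negotiate,NTLM" />
<IIsWebServer Location="/LM/W3SVC/3" ServerComment="intranet" />
</MBProperty>
</configuration>
"""

# Assumed IIS 6 built-in default, used only if neither the site nor the
# W3SVC node sets the property.
IIS_DEFAULT_PROVIDERS = "Negotiate,NTLM"
SITE_LOCATION = re.compile(r"^/LM/W3SVC/(\d+)$", re.IGNORECASE)


def _local(tag):
    """Strip the namespace prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _has_negotiate(providers):
    """True when the comma-separated provider list offers Negotiate (Kerberos)."""
    return "negotiate" in [p.strip().lower() for p in providers.split(",")]


def audit_metabase(xml_text):
    """One record per IIsWebServer: site id, comment, effective provider list,
    whether it was inherited from W3SVC, and whether Kerberos is offered."""
    root = ET.fromstring(xml_text)
    elements = list(root.iter())
    # The W3SVC-level value is what a site without its own setting inherits.
    service_default = IIS_DEFAULT_PROVIDERS
    for el in elements:
        if _local(el.tag) == "IIsWebService" and el.get("NTAuthenticationProviders"):
            service_default = el.get("NTAuthenticationProviders")
    sites = []
    for el in elements:
        if _local(el.tag) != "IIsWebServer":
            continue
        m = SITE_LOCATION.match(el.get("Location", ""))
        if not m:
            continue
        explicit = el.get("NTAuthenticationProviders")
        providers = service_default if explicit is None else explicit
        sites.append({
            "site_id": int(m.group(1)),
            "comment": el.get("ServerComment", ""),
            "providers": providers,
            "inherited": explicit is None,
            "kerberos": _has_negotiate(providers),
        })
    return sites


def fix_commands(sites):
    """The Method 2 adsutil.vbs invocation for every site that lacks Negotiate."""
    return [
        'cscript adsutil.vbs set w3svc/%d/NTAuthenticationProviders "Negotiate,NTLM"'
        % s["site_id"]
        for s in sites if not s["kerberos"]
    ]


if __name__ == "__main__":
    # Bytes keep the file's own encoding declaration in force.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_METABASE
    results = audit_metabase(text)
    for s in results:
        state = "ok " if s["kerberos"] else "FIX"
        note = " (inherited from W3SVC)" if s["inherited"] else ""
        print("%s site %d %-40s %s%s" % (state, s["site_id"], s["comment"], s["providers"], note))
    for cmd in fix_commands(results):
        print(cmd)
```

Sites whose value is inherited are reported as such: changing the W3SVC-level value would affect them all, whereas the printed adsutil.vbs commands change only the site named, which is what Method 2 does.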

Configuring Server and Account Delegation and Configuring a Service Principal Name for the Domain Account

After you have enabled Kerberos in IIS, you must configure a service principal name for the domain account that the virtual server is running under.

 Note   You do not need to perform these steps if the virtual server application pool identity is using one of the built-in security principals (such as Network Service or Local System). The built-in accounts are automatically configured to work with Kerberos authentication.

If you use a remote computer running SQL Server 2000 or SQL Server 2005 for your configuration and content databases, and the application pool runs as the built-in Network Service account, SQL Server sees the connection as the server's computer account. You must add the domain\computername$ login to SQL Server and grant it the Database Creators and Security Administrators roles. This allows Windows SharePoint Services to connect to the remote computer running SQL Server and create and manage the configuration and content databases. For more information about granting permissions in SQL Server, see Remote SQL Server Deployment.

If the server running IIS is a member of the domain, but is not a domain controller, the server must be trusted for delegation before Kerberos authentication can work correctly.

 Note   The Trust computer for delegation check box (and the equivalent Account is trusted for delegation check box on a user account) grants unconstrained delegation: the account can obtain tickets to any service in the domain on behalf of any user who authenticates to it. At the Windows Server 2003 domain functional level, use the Delegation tab instead and restrict delegation to the specific services the virtual server must reach, such as the MSSQLSvc service principal name of the database server.

Configure the server running IIS to be trusted for delegation
  1. On the domain controller, start Active Directory Users and Computers.
  2. In the left pane, click Computers.
  3. In the right pane, right-click the name of the server running IIS, and then click Properties.
  4. Click the General tab, and then select the Trust computer for delegation check box.
  5. Click OK.

If the application pool identity is configured to use a domain user account, the user account must be trusted for delegation before you can use Kerberos authentication.

Configure the domain account to be trusted for delegation
  1. In Active Directory Users and Computers, in the left pane, click Users.
  2. In the right pane, right-click the name of the user account, and then click Properties.
  3. Click the Account tab, and then under Account Options, select the Account is trusted for delegation check box.
  4. Click OK.

If the application pool identity is a domain user account, you must configure a service principal name (SPN) for that account.

Configure a service principal name for the domain account
  1. Download and install the Setspn.exe command line utility from the Microsoft Web site.
  2. Open a command prompt, and then run the following command:

Setspn -A HTTP/ServerName Domain\username

Where ServerName is the fully qualified domain name of the server, Domain is the name of the domain, and username is the name of the user account. Browsers may also request a ticket for the short (NetBIOS) host name, so register the same SPN with the unqualified server name as well. Then run Setspn -L Domain\username to list the SPNs on the account. An SPN that is also registered on a second account (for example, the computer account of the server) is a duplicate; tickets may then be issued for the wrong account, and Kerberos authentication to that site fails.
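The two ways this step goes wrong in practice are an SPN that was never registered and an SPN registered on two accounts. The following added example (not code from the original page or from Windows SharePoint Services) plans the HTTP SPNs an application pool account needs and checks them against a constructed snapshot of what Setspn -L prints for each account, producing the Setspn -D and Setspn -A commands that repair the findings. The account names, host names and the snapshot are the example's own, as is the choice to register both the short and the fully qualified host name.

```python
"""Plan the HTTP SPNs for a SharePoint application pool account and check
them against existing registrations for the two failures that break
Kerberos for a site: a missing SPN and a duplicate SPN on another account.
"""

# Constructed snapshot of what "setspn -L <account>" lists per account.
# HTTP/wss01 on the machine account is the classic mistake: HOST/ already
# covers HTTP when the pool runs as Network Service, and the explicit entry
# collides with the SPN that the domain account now needs.
REGISTRATIONS = {
    "CORP\\svc-wss-app": ["HTTP/wss01.corp.example.com"],
    "CORP\\WSS01$": ["HOST/WSS01", "HOST/wss01.corp.example.com", "HTTP/wss01"],
    "CORP\\svc-sql": ["MSSQLSvc/sql01.corp.example.com:1433"],
}


def required_spns(host, dns_domain):
    """Both names a browser may put in its ticket request: the short name
    and the fully qualified name (registering both is this example's choice)."""
    return ["HTTP/%s" % host, "HTTP/%s.%s" % (host, dns_domain)]


def check_spns(account, required, registrations):
    """Return the SPNs the account lacks, the SPNs other accounts hold, and
    the setspn commands that repair both, removals first. SPN and account
    comparisons are case-insensitive, as they are in Active Directory."""
    def holders(spn):
        return [acct for acct, spns in registrations.items()
                if spn.lower() in [s.lower() for s in spns]]

    missing, conflicts, commands = [], {}, []
    for spn in required:
        who = holders(spn)
        others = [a for a in who if a.lower() != account.lower()]
        if others:
            # A duplicate must be removed before the SPN is added elsewhere.
            conflicts[spn] = others
            commands += ["setspn -D %s %s" % (spn, a) for a in others]
        if account.lower() not in [a.lower() for a in who]:
            missing.append(spn)
            commands.append("setspn -A %s %s" % (spn, account))
    return {"missing": missing, "conflicts": conflicts, "commands": commands}


if __name__ == "__main__":
    account = "CORP\\svc-wss-app"
    result = check_spns(account, required_spns("wss01", "corp.example.com"), REGISTRATIONS)
    for spn, others in result["conflicts"].items():
        print("DUPLICATE %s also registered on %s" % (spn, ", ".join(others)))
    for spn in result["missing"]:
        print("MISSING   %s for %s" % (spn, account))
    print("\n".join(result["commands"]))
```

Run against a real environment, the REGISTRATIONS dictionary would be filled from the output of Setspn -L for each candidate account; the ordering of the commands (Setspn -D before Setspn -A) matters, because adding the second copy of an SPN does not remove the first.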

Applies to:
Deployment Center 2003