Share one SPN between two service accounts

Tags: iis-6, kerberos, spn, ssrs, windows-server-2003

I am running IIS and SQL Reporting Server on the same server. IIS runs as d\acct1 and SSRS is running as d\acct2.

Initially, I registered an SPN HTTP/server.d.com for both d\acct1 and d\acct2 and configured both for unconstrained Kerberos delegation in Active Directory.

This configuration broke Kerberos because there were duplicate SPNs for HTTP/server.d.com.

If I delete the SPN for SSRS, IIS works. If I delete the SPN for IIS, SSRS works.

Is there a way to share an SPN between two different service accounts that run on the same server such that they do not create a duplicate SPN?

Or, must I create two A records in Active Directory for iis.server.d.com and reports.server.d.com and use host headers to keep the two aliases straight inside each respective service?

Best Answer

Research into how Kerberos delegation works shows that no, you cannot share SPNs between service accounts on the same box.

I solved the problem by provisioning a second IP address for my server and mapping IIS to one IP address and SSRS to the other.

I then created two new A records in DNS (don't use C records, they are unreliable with Kerberos delegation) to point to the services. iis.server.d.com points to the IIS IP address and ssrs.server.d.com points to the SSRS IP.

Lastly, I deleted all the SPNs for both d\acct1 and d\acct2 and reassigned the SPNs as HTTP/iis.server.d.com and HTTP/ssrs.server.d.com respectively.

Additionally, I find editing SPNs using ADSIEdit far easier than using the setspn command line.
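The re-registration described in the answer, written out as an added PowerShell example (not from the original post): it removes the shared HTTP/server.d.com SPN from both accounts, registers one unique SPN per service account, and refuses to add an SPN that another account already owns. It assumes the ActiveDirectory RSAT module and a setspn.exe that supports the -S (add with duplicate check) and -X (domain-wide duplicate scan) switches, i.e. the Windows Server 2008 or later version, and that the account and host names match the question.

```powershell
# Added example: one unique HTTP SPN per service account, with a duplicate check.
# Assumes RSAT ActiveDirectory module and setspn.exe with -S / -X (Server 2008+).
Import-Module ActiveDirectory

$sharedSpn = 'HTTP/server.d.com'          # the SPN both accounts claimed (the conflict)
$bindings  = @{
    'acct1' = 'HTTP/iis.server.d.com'     # IIS application pool identity (d\acct1)
    'acct2' = 'HTTP/ssrs.server.d.com'    # SSRS service account (d\acct2)
}

function Find-SpnOwners {
    param([string]$Spn)
    # Every directory object that currently carries this SPN. More than one
    # owner means the KDC cannot choose a key and tickets fail for both services.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

# 1. Take the shared SPN off both accounts so neither keeps a stale claim.
foreach ($acct in $bindings.Keys) {
    setspn -D $sharedSpn $acct
}

# 2. Register the per-service SPNs, skipping any that another account already owns.
foreach ($acct in $bindings.Keys) {
    $spn      = $bindings[$acct]
    $ownDn    = (Get-ADUser -Identity $acct).DistinguishedName
    $owners   = @(Find-SpnOwners -Spn $spn | Where-Object { $_ -ne $ownDn })
    if ($owners.Count -gt 0) {
        Write-Warning "$spn is already registered on $($owners -join ', '); not adding to $acct"
        continue
    }
    setspn -S $spn $acct                  # -S checks the forest for duplicates before adding
}

# 3. Final verification: report every SPN claimed by more than one account.
setspn -X
```

Run as a user with rights to write servicePrincipalName on both accounts; setspn -X should report no duplicates once the two A records exist and each service listens on its own address.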
