SSRS SSL Kerberos issue: 401 Unauthorized

Version 1

    Details

    Error raised when trying to configure SSRS and HEAT in a SSL environment based on Kerberos authentication.

    Following infrastructure is used:


    DB/SSRS Server (Cert on alias: itsm-db.domain.com)

    App Server (Cert on alias: itsm.domain.com)

    It is not possible to connect to the SSRS over HEAT. In admin console when opening Reports, the following error is raised: 401 Unauthorized.


     


    Resolution

    Having just Kerberos authentication enabled:

    SSRS:
    Edit SSRS config file and add <RSWindowsNegotiate/>  or the other value about only Kerberos
    Create SPNs for http (FQDN and if used ALIAS). The user specified should be the user which is used in the Application Pool HeatAppServerAppPool

    SQL Server:
    Create SPNs for MSSQLMSSQLSvc with the FQDN (or ALIAS)

    Active Directory:
    ServiceUser must have the “trust this user for delegation to any service (Kerberos only)” activated or the even higher restricted version on the bottom of this value.