This post is more about the confusion that may arise around SPNs for setting up Kerberos authentication in IIS 7.0. IIS 7.0 has a new Kernel-mode authentication feature using which the ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose by default and in turn improves the performance.
The are good post SharePoint Farm using Kerberos on IIS7 related to this configuration.
In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.
This step-by-step article describes how to configure Microsoft Internet Information Services (IIS) to support both the Kerberos protocol and the NTLM protocol for network authentication.
UPDATED on: Nov 29, 2010
If the default Shared Services in the newly installed deployment is not deleted,
the restore job will hang when trying to restore the Shared Search Index at the following step:
Progress: [Shared Search Index] 90 percent complete.
MOSS 2007 (front-ends are Windows 2008) farm recovery is stuck on Progress: [Shared Search Index] 90 percent complete in the log. Does anybody know what is going on?
There are error in the event log:
Event Id: 6398
The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID d205f8ab-66fd-42c4-ab9e-22ef306c4c3f) threw an exception. More information is included below. Access is denied.
Event Id: 7076
An exception occurred while executing the Application Server Administration job. Message: Access is denied. Techinal Support Details:System.Runtime.InteropServices.COMException (0x80070005): Access is denied. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_IsContainer() at System.DirectoryServices.DirectoryEntries.CheckIsContainer() at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name) at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name) at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime) at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp) at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)
- Go to Central Administration – > System Settings and Click Manage Service on Server
- Ensure that Manage metadata Web Service is Started