SPN checklist for Kerberos authentication with IIS 7.0/7.5

This post is more about the confusion that may arise around SPNs for setting up Kerberos authentication in IIS 7.0. IIS 7.0 has a new Kernel-mode authentication feature using which the ticket for the requested service is decrypted using Machine account (Local system) of the IIS server. It no longer depends upon the application pool Identity for this purpose by default and in turn improves the performance.



IIS 7.0 Kernel Mode Authentication by default

In Windows Server 2008, kernel mode authentication runs under the machine account, but Office Communications Server 2007 R2 runs under a user account. As a result, Kerberos service ticket decryption fails if kernel mode authentication is enabled. If you install and activate Office Communications Server 2007 R2 on a computer running the Windows Server 2008 operating system, Setup disables kernel mode authentication in IIS to support Kerberos.

Source: http://technet.microsoft.com/en-us/library/dd573004(office.13).aspx

#MOSS2007 on #Windows2008, Farm Recovery, Progress: [Shared Search Index] 90 percent complete

UPDATED on: Nov 29, 2010

If the default Shared Services in the newly installed deployment is not deleted,
the restore job will hang when trying to restore the Shared Search Index at the following step:
Progress: [Shared Search Index] 90 percent complete.

MOSS 2007 (front-ends are Windows 2008) farm recovery  is stuck on Progress: [Shared Search Index] 90 percent complete in the log.  Does anybody know what is going on?

There are error in the event log:

Event Id: 6398

The Execute method of job definition Microsoft.Office.Server.Administration.ApplicationServerAdministrationServiceJob (ID d205f8ab-66fd-42c4-ab9e-22ef306c4c3f) threw an exception.
More information is included below.
Access is denied.

Event Id: 7076

An exception occurred while executing the Application Server Administration job.
Message: Access is denied.

Techinal Support Details:System.Runtime.InteropServices.COMException (0x80070005):
Access is denied.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_IsContainer()
at System.DirectoryServices.DirectoryEntries.CheckIsContainer()
at System.DirectoryServices.DirectoryEntries.Find(String name, String schemaClassName)
at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.Find(String name)
at Microsoft.SharePoint.Metabase.MetabaseObjectCollection`1.get_Item(String name)
at Microsoft.SharePoint.Administration.SPProvisioningAssistant.ProvisionIisApplicationPool(String name, ApplicationPoolIdentityType identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
at Microsoft.SharePoint.Administration.SPMetabaseManager.ProvisionIisApplicationPool(String name, Int32 identityType, String userName, SecureString password, TimeSpan idleTimeout, TimeSpan periodicRestartTime)
at Microsoft.Office.Server.Administration.SharedWebServiceInstance.CreateSharedWebServiceApplicationPool(SharedResourceProvider srp)
at Microsoft.Office.Server.Administration.ApplicationServerJob.ProvisionLocalSharedServiceInstances(Boolean isAdministrationServiceJob)