If you have not previously configured Kerberos authentication, please review this KB article:
http://kb.panorama.com/index.php?option=com_content&task=view&id=119&Itemid=54
If you have already done the Kerberos configuration, Microsoft provides a troubleshooting guide (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx). We suggest this checklist:
- Verify Kerberos Authentication is enabled on SharePoint Server
- Verify Kerberos Authentication is enabled on Novaview Server
- Verify SharePoint Server is a trusted computer for delegation
- Verify Novaview Server is a trusted computer for delegation
- Verify the Service Account running Novaview and SharePoint is trusted for delegation
- Verify Service Principal Names (SPNs) are configured for SharePoint Server
- Verify Service Principal Names (SPNs) are configured for Novaview Server
1. Verify Kerberos Authentication on SharePoint Server
To verify whether Kerberos Authentication is configured on the SharePoint Server:
- Open the command line (cmd).
- Change to the Inetpub\Adminscripts folder:
cd C:\inetpub\adminscripts
Note: In this command, replace C: with the drive where Windows is installed.
- Type the following command, and then press ENTER:
cscript adsutil.vbs get w3svc/##/root/NTAuthenticationProviders
Note: In this command, ## is the virtual server ID number. The virtual server ID number of the Default Web site in IIS is 1.
As a result, you should get "Negotiate,NTLM".
If the result is "NTLM" or 'The parameter "NTAuthenticationProviders" is not set at this node', Kerberos authentication is not configured.
To configure Kerberos Authentication, please refer to this KB article: How To: Run NovaView Web Parts Without SSO
2. Verify Kerberos Authentication on Novaview Server
Do the same as in Step 1 on the Novaview Server. Remember that you should get "Negotiate,NTLM", as shown before.
To configure Kerberos Authentication, please refer to this KB article: How To: Run NovaView Web Parts Without SSO
3. Verify SharePoint Server is a trusted computer for delegation
Novaview Server and SharePoint Server must be trusted for delegation. To verify this on the Domain Controller:
- Open Active Directory Users and Computers.
- Go to Computers and find the computer name of the SharePoint server.
- Verify that the option “Trust computer for delegation” is checked.
4. Verify Novaview Server is a trusted computer for delegation
Repeat the process in Step 3 for the Novaview Server.
5. Verify the Service Account running Novaview and SharePoint is trusted for delegation
Verify that the account running Novaview Server and SharePoint Services has the option “Account is trusted for delegation” enabled:
- Open Active Directory Users and Computers.
- Go to Users and find the user account that is running the SharePoint service.
- Verify that the option “Account is trusted for delegation” is checked.
This assumes that the same account is running both the Novaview Services and SharePoint.
6. Verify Service Principal Names (SPNs) are configured for SharePoint Server
To verify that the Service Principal Names are set up, use the Setspn.exe utility:
- Open the command line.
- Run this command:
Setspn.exe -l panoramasupport\TestAdmin
where panoramasupport\TestAdmin is the account running SharePoint Services.
As a result, you should get a list of the SPNs configured for that account, where http/SHAREPOINT2003 is the server running SharePoint Services.
Make sure you have an SPN with the FQN.
Note: To get the Setspn.exe utility:
- For Windows 2000, go to http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/setspn-o.asp
- For Windows Server 2003, go to http://support.microsoft.com/kb/892777/
7. Verify Service Principal Names (SPNs) are configured for Novaview Server
Repeat Step 6 for the Novaview Server. If the service account is the same for both services (Novaview and SharePoint), you should get the result in the same list.
8. Verify the Default Application pool identity for SharePoint Server
Open IIS Administration and, under Application Pools, select the default application pool (for SharePoint Server). Right-click it, choose Properties -> Identity tab, change the identity from Predefined to Configurable with a user ID that has administrative rights, and restart the application pool.
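
The checks in Steps 1, 2, 6 and 7 can be run over saved command output. The following script is an added example, not part of the original article or of any Panorama tooling. It assumes the usual output layout of adsutil.vbs and setspn -l; the sample text, the host name NOVAVIEW01, the DNS domain example.local and all function names are constructed for illustration.

```python
import re

# Constructed sample output (not captured from a real system).
ADSUTIL_OK = 'NTAuthenticationProviders       : (STRING) "Negotiate,NTLM"'
ADSUTIL_UNSET = 'The parameter "NTAuthenticationProviders" is not set at this node.'
SETSPN_OUT = """\
Registered ServicePrincipalNames for CN=TestAdmin,CN=Users,DC=example,DC=local:
    http/SHAREPOINT2003
    http/sharepoint2003.example.local
    http/NOVAVIEW01
"""

def kerberos_enabled(adsutil_output):
    """Steps 1-2: True only if Negotiate is among the listed providers."""
    m = re.search(r'NTAuthenticationProviders\s*:\s*\(STRING\)\s*"([^"]*)"',
                  adsutil_output)
    if not m:  # "not set at this node" or unexpected output
        return False
    providers = [p.strip().lower() for p in m.group(1).split(",")]
    return "negotiate" in providers

def parse_spns(setspn_output):
    """Steps 6-7: return the set of lower-cased SPNs listed by setspn -l."""
    spns = set()
    for line in setspn_output.splitlines():
        line = line.strip()
        # Skip the "Registered ServicePrincipalNames for ..." header line.
        if "/" in line and not line.lower().startswith("registered"):
            spns.add(line.lower())
    return spns

def missing_http_spns(setspn_output, host, dns_domain):
    """Return the http SPNs (short name and FQN) that are absent for host."""
    have = parse_spns(setspn_output)
    want = [f"http/{host}".lower(), f"http/{host}.{dns_domain}".lower()]
    return [s for s in want if s not in have]

if __name__ == "__main__":
    print("Kerberos enabled:", kerberos_enabled(ADSUTIL_OK))
    for host in ("SHAREPOINT2003", "NOVAVIEW01"):
        print(host, "missing:",
              missing_http_spns(SETSPN_OUT, host, "example.local"))
```

An empty list for a host means both the short-name and the FQN SPN are registered on the account; any entry returned is an SPN that still has to be added.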