How to change SCOM reporting to use Kerberos instead of NTLM


One of the domain admins at one of my customers was complaining about all the NTLM requests generated by the SCOM server to the reporting server. One of the issues with NTLM is that you need to re-authenticate every time; with Kerberos you receive a ticket that is valid for a longer period of time (by default 10 hours). You can find more info about NTLM vs. Kerberos here: http://blogs.technet.com/b/authentication/archive/2006/04/07/ntlm-s-time-has-passed.aspx

 

All the SQL servers at this customer are configured to use Kerberos, but apparently when SCOM reporting is installed it modifies the RSReportServer config file and changes the authentication method back to NTLM!! Although Microsoft has been recommending Kerberos over NTLM for almost 10 years now, new products like SCOM 2012 are still using NTLM!!

 

To change the report server authentication settings, edit the XML elements and values in the RSReportServer.config file.

You can find the file in the following location: C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer

 


Change the setting from RSWindowsNTLM to RSWindowsNegotiate


 

Important

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account. Make sure to create the SPN for the SQL reporting service as described here: http://blogs.technet.com/b/stefan_stranger/archive/2012/07/31/opsmgr-2012-what-should-the-spn-s-look-like-visual-representation.aspx
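The edit and the SPN check described above can be scripted. This is an added example, not part of the original post; it assumes the default-instance path given earlier, the usual `Configuration/Authentication/AuthenticationTypes` layout of RSReportServer.config, and a placeholder service account name (`CONTOSO\svc-ssrs`).

```powershell
# Added example (not from the original post). Run elevated on the report server.
$configPath = 'C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\RSReportServer.config'
$serviceAccount = 'CONTOSO\svc-ssrs'   # placeholder: account the Report Server service runs as

# Load the file as XML, preserving the existing layout and comments.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)

$authTypes = $xml.SelectSingleNode('/Configuration/Authentication/AuthenticationTypes')
if ($null -eq $authTypes) {
    throw "No <AuthenticationTypes> element found in $configPath"
}

$ntlm      = $authTypes.SelectSingleNode('RSWindowsNTLM')
$negotiate = $authTypes.SelectSingleNode('RSWindowsNegotiate')

if ($null -eq $ntlm) {
    # Nothing to switch: report what is configured and leave the file alone.
    $current = ($authTypes.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Name -join ', '
    Write-Output "RSWindowsNTLM is not configured (current types: $current). No change made."
}
else {
    # Keep a timestamped copy so the change can be rolled back.
    Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    if ($null -eq $negotiate) {
        # Swap <RSWindowsNTLM/> for <RSWindowsNegotiate/> in place.
        $negotiate = $xml.CreateElement('RSWindowsNegotiate')
        [void]$authTypes.ReplaceChild($negotiate, $ntlm)
    }
    else {
        # Negotiate is already listed; just drop the NTLM entry.
        [void]$authTypes.RemoveChild($ntlm)
    }
    $xml.Save($configPath)
    Write-Output 'Authentication type changed from RSWindowsNTLM to RSWindowsNegotiate.'
}

# List the SPNs registered for the service account. If the service runs under a
# domain user account and no HTTP SPN for the report server appears here,
# Kerberos authentication will fail as described in the note above.
setspn -L $serviceAccount
```

Restart the Report Server service afterwards so existing sessions pick up the new authentication type.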

 

Thanks,

Alex

