Application pool account must be registered as Kerberos - Event 6590 (SharePoint 2010 Products)

 

Applies to: SharePoint Server 2010, SharePoint Foundation 2010

Alert Name:   Application pool account must be registered as Kerberos

Event ID:   6590

Summary:   Microsoft SharePoint Foundation 2010 can use the authentication providers that are provided by Windows Server 2008 to authenticate users. For example, Microsoft SharePoint Foundation can use forms-based authentication or Web single sign-on.

When using the Kerberos version 5 authentication protocol, the service account that is used by the Internet Information Services (IIS) application pool for your Web application must be registered in Active Directory Domain Services (AD DS) as a service principal name (SPN) in the domain of which the front-end Web server is a member.

Symptoms:   This event appears in the event log:

Event ID: 6590

Description: The application pool account has insufficient permissions to add user accounts to Active Directory. When using Kerberos authentication, the service account used by the Internet Information Services (IIS) application pool for your Web application must be registered in Active Directory as a Service Principal Name (SPN) on the domain on which the Web front-end is a member.

Cause:   One or more of the following might be the cause:

  • If using Kerberos v5 authentication, the Web application pool account is not a registered service principal name (SPN).

  • If using either forms-based authentication or Web single sign-on, the authentication provider could not be loaded because no membership provider name was specified.

  • The Web application pool must be restarted for changes to be saved.

Note

You must be a member of the Farm Administrators SharePoint group to perform the following action.

Resolution:   Determine which authentication type the site is using

  1. On the SharePoint Central Administration Web site, on the Quick Launch click Security, and in the General Security section click Specify Authentication Providers.

  2. On the Authentication Providers page, select the correct Web application. To select a Web application, click the Web Application drop-down list arrow and click Change Web Application. In the Select Web Application dialog box, click the correct Web application.

  3. On the Authentication Providers page, click the zone for the site from the list.

  4. On the Edit Authentication page, the authentication type is displayed in the IIS Authentication Settings section.

Resolution:   Register the application pool account as an SPN

  • The Web application pool account is not a registered service principal name (SPN). Contact a domain administrator and make sure that the service account that is used by the application pool is the registered SPN for all domains listed with the Web application.
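
The following added example (not part of the original article) shows one way to check, before contacting the domain administrator, whether the HTTP SPNs for a Web application are registered on the application pool account, missing, or held by a different account. The account name and host names are constructed placeholders, and the script assumes English-language setspn output.

```powershell
# Added example: verify the HTTP SPNs for a SharePoint application pool account.
# All names below are constructed placeholders; replace them with your own values.
$AppPoolAccount = 'CONTOSO\svc-spapppool'                      # application pool identity
$WebAppHosts    = @('intranet', 'intranet.contoso.example')    # host names users browse to

# Kerberos clients request an SPN of the form HTTP/<host> for a Web application.
$expected = $WebAppHosts | ForEach-Object { "HTTP/$_" }

# setspn -L lists the SPNs currently registered on an account.
$listing = & setspn.exe -L $AppPoolAccount 2>&1
if ($LASTEXITCODE -ne 0) { throw "setspn -L failed: $listing" }

# Keep only lines that look like <class>/<host>; the header line contains spaces.
$registered = $listing |
    ForEach-Object { "$_".Trim() } |
    Where-Object { $_ -match '^[^\s/]+/\S+$' }

foreach ($spn in $expected) {
    if ($registered -contains $spn) {
        Write-Output "OK       $spn is registered on $AppPoolAccount"
        continue
    }

    # setspn -Q searches the domain for the SPN. A hit here means another
    # account holds it, which breaks Kerberos for this Web application.
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {   # assumes English output text
        Write-Output "CONFLICT $spn is registered on a different account:"
        $query | Where-Object { "$_" -match '^CN=' } |
            ForEach-Object { Write-Output "         $_" }
    }
    else {
        # -S checks for duplicates before adding the SPN.
        Write-Output "MISSING  $spn - a domain administrator can add it with:"
        Write-Output "         setspn -S $spn $AppPoolAccount"
    }
}
```

The script only reads from the directory; it prints the setspn -S command for the domain administrator instead of running it.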

Note

You must be a member of the Farm Administrators SharePoint group to perform the following tasks.

Resolution:   Specify membership provider name and a role manager

  1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.

  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.

  3. On the Edit Authentication page, in the Authentication Type section select either the Forms or Web single sign-on authentication option. Windows authentication is selected by default.

  4. Click Save.

  5. In the Membership Provider Name section, type the name in the Membership provider name text box.

  6. In the Role Manager Name section, type the name in the Role manager name text box.

  7. Click Save.

Resolution:   Edit authentication settings for a zone

  1. On the Central Administration page, on the Quick Launch click Security, and in the General Security section click Specify authentication providers.

  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.

  3. On the Edit Authentication page, in the Authentication Type section select the authentication option. Windows authentication is selected by default.

  4. In the IIS Authentication Settings section, select the setting. Integrated Windows authentication — NTLM is selected by default. If you select Negotiate (Kerberos) you must perform additional steps to configure authentication.

  5. Click Save.