Accessing CA Search Admin with SPN set for Index Server

A side effect of setting up an SPN for the index server is that the search administration pages in Central Administration stop working. Accessing farm-level search administration pages through the Central Administration UI sends a request to the root SearchAdmin.asmx. Because this web site now accepts only Kerberos tokens, the client is asked to authenticate using the Kerberos protocol. The client's ticket request to the KDC returns a service ticket encrypted with the SSP domain account's password. Since the root web site runs under the Network Service account, it cannot decrypt the ticket, and access to the root web service is denied (refer to Enterprise Search and Kerberos Protocol for more details). Specifically, accessing the following pages fails:

  • Central Administration -> Operations -> Services on Server -> Office SharePoint Server Search Service Settings

  • Central Administration -> Application Management -> Search Service

If you need to reconfigure your farm's search settings, or use the above pages for other administrative tasks, follow the steps below on the Index server to work around the problem:

  1. Stop the Windows SharePoint Services Timer service (a Windows service) on the Index server.
  2. Change the application pool identity of the root web site Office Server Web Services, which is typically OfficeServerApplicationPool, to run under the SSP's domain account domain\sspacct.
  3. Set your farm settings by navigating to the farm's search settings pages listed above.

To revert steps (1) and (2) above, start the Windows SharePoint Services Timer service on the Index server.
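
The workaround and its revert can be scripted so the identity change is checked before and after. The following is an added example, not part of the original article. It assumes IIS 7 or later with the WebAdministration module, an elevated prompt on the Index server, and that the timer service's short name is SPTimerV3; the function names are hypothetical.

```powershell
# Added example, not from the original page. Run elevated on the Index server.
# Assumptions: IIS 7+ with the WebAdministration module; timer service short
# name SPTimerV3 (confirm with Get-Service before relying on it).
Import-Module WebAdministration

$TimerService = 'SPTimerV3'                    # assumed short name of the WSS Timer service
$PoolName     = 'OfficeServerApplicationPool'  # pool named in step 2
$PoolPath     = "IIS:\AppPools\$PoolName"

function Get-PoolIdentity {
    # Report which account the application pool currently runs as.
    $pm = Get-ItemProperty -Path $PoolPath -Name processModel
    New-Object PSObject -Property @{
        IdentityType = $pm.identityType
        UserName     = $pm.userName
    }
}

function Enable-SearchAdminWorkaround {
    param(
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$SspCredential
    )
    # Step 1: stop the timer service and wait until it has really stopped.
    Stop-Service -Name $TimerService
    (Get-Service -Name $TimerService).WaitForStatus('Stopped', '00:01:00')

    # Step 2: run the pool as the SSP account (identityType 3 = SpecificUser).
    Set-ItemProperty -Path $PoolPath -Name processModel -Value @{
        identityType = 3
        userName     = $SspCredential.UserName
        password     = $SspCredential.GetNetworkCredential().Password
    }
    Restart-WebAppPool -Name $PoolName
    Get-PoolIdentity    # should now show the SSP account
}

function Disable-SearchAdminWorkaround {
    # Revert as the page describes: start the timer service again.
    Start-Service -Name $TimerService
    (Get-Service -Name $TimerService).WaitForStatus('Running', '00:01:00')
}

# Usage (prompts for the password instead of storing it in the script):
#   Get-PoolIdentity
#   Enable-SearchAdminWorkaround -SspCredential (Get-Credential 'domain\sspacct')
#   ... step 3: change the farm's search settings in Central Administration ...
#   Disable-SearchAdminWorkaround
```

After the revert, run `Get-PoolIdentity` again to confirm the pool no longer runs as the SSP account, so the elevated identity is not left in place longer than the administrative task requires.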