Kerberos & SPNs - Help Needed

PseudoName
Posts: 1
Joined: Mon Nov 30, 2009 3:57 pm
OLAP Product: Cognos TM1
Version: 9.1 SP3
Excel Version: 2003

Post by PseudoName »

I am trying to use integrated login via a webserver running on a different server than the TM1 application server.

web-test is an instance on server GB0000NW5124.<DOMAIN_PATH>
TM1Web is running as a website on GBW00757.<DOMAIN_PATH>

Kerberos is the security package. I have created an application pool for TM1Web, using the domain account as the Identity. This domain account is also the one that is running the Windows TM1 service. What should I set the SPN to? I am getting Client Context errors. I have included the web logfile for you to look at. Also, I get the SPN error when trying to log in from Excel as well.


We have tried the following as our SPN:
web-test
GBW00757<DOMAIN_PATH>
TM1Web

Any suggestions, or things we are doing wrong? The domain account has delegation rights, and is part of the IIS_WPG group on the webserver.

There are funny JavaScript local errors. Is it trying to copy something somewhere? Here is a sample from the log file:

D:/Inetpub/wwwroot/TM1Web/scripts\jscriptvar_fr.js. Error:
2009-11-27 11:06:06,686 [7948] ERROR Applix.TM1.Web.Page.JScriptVar - Failed to create localized javascript file:


Applix.TM1.Web.WebControls.TM1WebApplication - <log4net.Error>Exception during StringFormat: Index (zero based) must be greater than or equal to zero and less than the size of the argument list. <format>[0] integrated login to server <{2}> failed. {3}</format><args>{67, web-test, 154: TM1APIDOTNET Exception: - Failed to create client context for integrated login.}</args></log4net.Error>
2009-11-27 16:16:51,514 [6856] INFO Applix.TM1.Web.WebControls.TM1WebApplication - <log4net.Error>Exception during StringFormat: Index (zero based) must be greater than or equal to zero and less than the size of the argument list. <format>[0] integrated login to server <{2}> failed. {3}</format><args>{68, metadata, 80: TM1APIDOTNET Exception: - System Server Client Not Found}</args></log4net.Error>



I am following Step 7 in the PDF

Step 7 – Set the Service Principal Name (SPN)
To set the SPN:
1. Download the SetSPN.exe utility from
http://www.microsoft.com/windows2000/te ... tspn-o.asp.
2. As a domain administrator, execute the following commands:
setspn -A HTTP/web_server_name domain_name\user_acct_for_TM1_services
setspn -A HTTP/webservername.domain_name domain_name\user_acct_for_TM1_services


Please let me know if you can help me here, I'd like to get Integrated login working soon. Also, when setting SPNs, if we set it as web-test, does this mean one TM1Web Application pool can only point to one instance of TM1? That is because the AppPool runs under a particular identity, and a domain account can only have ONE Service Principal Name.

Thanks very much.
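
Added example, not part of the original post and not TM1Web code: a Python parser that recovers the target server and TM1 API error from the wrapped log4net records quoted above, and reports which placeholder in the format string the argument list cannot fill. The function name and the three-argument layout are assumptions drawn from the two quoted lines.

```python
import re

# Sample input: the two wrapped log4net records quoted in the post above.
SAMPLE_LOG = """\
Applix.TM1.Web.WebControls.TM1WebApplication - <log4net.Error>Exception during StringFormat: Index (zero based) must be greater than or equal to zero and less than the size of the argument list. <format>[0] integrated login to server <{2}> failed. {3}</format><args>{67, web-test, 154: TM1APIDOTNET Exception: - Failed to create client context for integrated login.}</args></log4net.Error>
2009-11-27 16:16:51,514 [6856] INFO Applix.TM1.Web.WebControls.TM1WebApplication - <log4net.Error>Exception during StringFormat: Index (zero based) must be greater than or equal to zero and less than the size of the argument list. <format>[0] integrated login to server <{2}> failed. {3}</format><args>{68, metadata, 80: TM1APIDOTNET Exception: - System Server Client Not Found}</args></log4net.Error>
"""

# Timestamp, thread and level are optional: the first quoted record lacks them.
RECORD = re.compile(
    r"^(?:(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>\d+)\] (?P<level>\w+) )?"
    r"(?P<logger>[\w.]+) - <log4net\.Error>.*?"
    r"<format>(?P<format>.*?)</format><args>\{(?P<args>.*)\}</args></log4net\.Error>$"
)
DETAIL = re.compile(r"^(?P<code>\d+): (?P<source>\w+) Exception: - (?P<message>.+)$")


def parse_login_failures(text):
    """Return one dict per failed integrated login found in wrapped records."""
    failures = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m or "integrated login" not in m["format"]:
            continue
        # Assumed layout: three arguments, of which only the last is free text,
        # so split at most twice to keep any commas inside the error detail.
        args = m["args"].split(", ", 2)
        if len(args) != 3:
            continue
        detail = DETAIL.match(args[2])
        # Placeholder indices the format string uses but the arguments cannot fill.
        wanted = {int(i) for i in re.findall(r"\{(\d+)\}", m["format"])}
        failures.append({
            "timestamp": m["ts"],
            "server": args[1],
            "code": int(detail["code"]) if detail else None,
            "message": detail["message"] if detail else args[2],
            "missing_placeholders": sorted(i for i in wanted if i >= len(args)),
        })
    return failures


if __name__ == "__main__":
    for f in parse_login_failures(SAMPLE_LOG):
        print(f["timestamp"] or "(no timestamp)", f["server"], f["code"], f["message"])
```

Both records reference `{3}` while supplying only three arguments (indices 0 to 2), which is what triggers the "Exception during StringFormat" wrapper around the actual login error.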