SSRS, Kerberos Event ID 4 Error.

Using RSWindowsNegotiate will result in a Kerberos authentication error if you configured the Report Server service to run under a domain user account and you did not register a Service Principal Name (SPN) for the account.

This actually appears in your System event log as:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server $NAME. The target name used was HTTP/$NAME. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using.

Right, so to see the state of play, jump on a server with the DC roles and run:

ldifde -d "dc=$yourdomainhere" -r "servicePrincipalName=http*" -p subtree -l "dn,servicePrincipalName" -f output.txt

The contents of your output.txt should look something like this, depending on your environment:

dn: CN=Administrator,CN=Users,DC=$domain
changetype: add
servicePrincipalName: http/$hostname
servicePrincipalName: HTTP/$hostname.local
servicePrincipalName: MSSQLSvc/$hostname

To avoid the Event ID 4 error, you need to ensure that the SPN is set correctly (i.e. matches the DC) on the host with the error. To check the SPNs for the service account, run setspn -l domain\account; this lists the SPNs that are set up for that account. You can also run setspn -l hostname to see what's registered for the host.

Typically you will have to add an SPN to make the error go away, so run setspn -a http/$name domain\account, where $name is the target as it appears in the error message and account is the service account you are using.
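
To check an export like the output.txt above for the condition the error message describes (the SPN registered on an account other than the one the service runs as), the following Python is an added example, not part of the original post. The host rpt01, the domain example.local and the account names are constructed sample values.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like the output.txt above (not real data).
SAMPLE = """\
dn: CN=svc-reports,CN=Users,DC=example,DC=local
changetype: add
servicePrincipalName: MSSQLSvc/rpt01

dn: CN=RPT01,CN=Computers,DC=example,DC=local
changetype: add
servicePrincipalName: HTTP/rpt01
servicePrincipalName: HTTP/rpt01.example.local

dn: CN=old-svc,CN=Users,DC=example,DC=local
changetype: add
servicePrincipalName: http/RPT01
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]} from LDIF text."""
    # LDIF wraps long values onto continuation lines that start with one space.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    records, dn = defaultdict(list), None
    for line in lines:
        attr, sep, value = line.partition(":")
        if not sep:
            continue                      # blank separator between records
        if value.startswith(":"):         # "attr:: <base64>" for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            records[dn].append(value)
    return dict(records)

def spn_holders(records):
    """Map each SPN, lower-cased because SPNs are case-insensitive, to its DNs."""
    holders = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return holders

def check_spn(records, spn, expected_dn):
    """Return (ok, holders); ok only if expected_dn is the sole holder of spn."""
    found = spn_holders(records).get(spn.lower(), set())
    return found == {expected_dn}, sorted(found)
```

A result of `(False, [...])` that lists some other account is the mismatch the event describes; the SPN has to come off that account as well as being added to the service account.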
