SDK service using domain user trying to set SPN for computer account

I have a SDK service running under a domain user account, but it tries to register the SPN for the computer account of the machine?!

Therefore I get the following alert: 

The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/WIN-9IAJC0HS9RJ and MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local to the servicePrincipalName of CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local

Which makes sense, because it does not have the permissions to do that.

When I make the domain user account a member of Domain Admins it has the relevant permissions, and it indeed registers that SPN on the computer account. But why?? The SPN should be registered on the domain user account instead (and that is why I had given the domain user account read/write permissions on itself to do that).

I have the following SPNs registered now for the computer and the domain user account:

setspn -l WIN-9IAJC0HS9RJ
Registered ServicePrincipalNames for CN=WIN-9IAJC0HS9RJ,CN=Computers,DC=domainxx,DC=local:
        MSOMSdkSvc/WIN-9IAJC0HS9RJ
        MSOMSdkSvc/WIN-9IAJC0HS9RJ.domainxx.local
        MSOMHSvc/WIN-9IAJC0HS9RJ
        MSOMHSvc/WIN-9IAJC0HS9RJ.domainxx.local
        TERMSRV/WIN-9IAJC0HS9RJ
        TERMSRV/WIN-9IAJC0HS9RJ.domainxx.local
        WSMAN/WIN-9IAJC0HS9RJ
        WSMAN/WIN-9IAJC0HS9RJ.domainxx.local
        RestrictedKrbHost/WIN-9IAJC0HS9RJ
        HOST/WIN-9IAJC0HS9RJ
        RestrictedKrbHost/WIN-9IAJC0HS9RJ.domainxx.local
        HOST/WIN-9IAJC0HS9RJ.domainxx.local

setspn -l domainxx\omdas
Registered ServicePrincipalNames for CN=OMDAS,CN=Users,DC=domainxx,DC=local:

none for this account

I don't get it. Anyone?

I am using SCOM 2012 R2

Please help.

Thanks in advance.

Regards
Chris
February 27th, 2014 3:21pm

Hi Chris,

That's an old, old bug. Just ignore it... or open a CSS case.

February 28th, 2014 6:36am

You can refer below link, it's most helpful

http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx

March 2nd, 2014 12:56pm

Hi

In order to register SPNs, open the Security tab of the SDK user account, go to Advanced, then add SELF to it and select Allow for "Read servicePrincipalName" and "Write servicePrincipalName".

This way the account should be able to register and read the SPNs without Domain Admin permissions. I did not test it, but it should work :)

Cheers,

Stefan

March 3rd, 2014 2:07am
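The delegation Stefan describes, scripted instead of clicked through in ADUC, as an added example that is not part of the thread. It assumes the RSAT ActiveDirectory module on the machine running it and an account allowed to modify the service account's ACL; the account name omdas is taken from Chris's setspn output above. The ACE is scoped to the servicePrincipalName attribute only, by resolving that attribute's schemaIDGUID from the schema rather than hardcoding it.

```powershell
# Added example (not from the thread): grant SELF read/write on the SDK service
# account's servicePrincipalName attribute, then verify the ACE and the SPNs.
Import-Module ActiveDirectory

$samAccountName = 'omdas'   # SDK service account, as in the thread

# Resolve the schemaIDGUID of servicePrincipalName instead of hardcoding it.
$rootDse = Get-ADRootDSE
$spnAttr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
               -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' `
               -Properties schemaIDGUID
$spnGuid = [guid]$spnAttr.schemaIDGUID

$user = Get-ADUser -Identity $samAccountName
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

# SELF is the well-known SID S-1-5-10: the object's own principal.
$self   = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
              $self,
              $rights,
              [System.Security.AccessControl.AccessControlType]::Allow,
              $spnGuid,                                  # this attribute only
              [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify that exactly the intended ACE landed and nothing broader.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $spnGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType

# After restarting the System Center Data Access service, check where the SPNs went.
setspn -L $samAccountName
```

WriteProperty on servicePrincipalName lets the account register any SPN on itself, including one that impersonates another service, which is why computer accounts normally get only the narrower "Validated write to service principal name" right; keep this ACE limited to the single attribute on the single object and do not widen it. Note also that, as Chris reports further down, the Data Access service writes the SPNs to the computer object rather than to its own account, so this delegation may not make the alert go away by itself.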



>Any idea which particular CU solves this bug?

None. :( I have a fully patched 2012 R2 and the bug is still here...

March 4th, 2014 6:59am

>I guess Kerberos authentication will work just fine then?

Never seen any functional issues with that. From what I have seen over the last years it's just an annoying alert appearing after each reboot/service restart...

>Ok, but has it been addressed already?
I do not know. I am pretty sure it was reported at least a few times.

March 5th, 2014 4:11am

The SCOM SDK service really tries to set its SPN on the computer account (although the SDK service is running under a domain user account). The alert is not a bug!

I know this for sure because I gave the SDK service permission to do it (by making the domain user account a member of the Domain Admins security group), and it indeed sets the SPN on the computer account.

The latter is the actual bug, I would say! It should try to set the SPN on the domain user account the SDK service is running with.

Then again, not having the SPN set correctly on this domain user account does not seem to bother SCOM at all. Perhaps it uses NTLM instead in this scenario.

Can anyone confirm?

March 5th, 2014 5:59pm
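Two checks that answer the questions left open in this post, as an added example that is not part of the thread: moving the MSOMSdkSvc SPNs from the computer object to the account the service actually runs as (so a Kerberos ticket for that SPN can be decrypted by that account), and then looking at what the console logons actually negotiate. Host, domain and account names are the ones from Chris's setspn output; it assumes setspn.exe and an account allowed to write servicePrincipalName on both objects, and it reads the Security log on the management server.

```powershell
# Added example (not from the thread): relocate the SDK SPNs to the service
# account, check for duplicates, and see whether logons use Kerberos or NTLM.
$computer = 'WIN-9IAJC0HS9RJ'
$fqdn     = "$computer.domainxx.local"
$svcAcct  = 'domainxx\omdas'
$spns     = "MSOMSdkSvc/$computer", "MSOMSdkSvc/$fqdn"

foreach ($spn in $spns) {
    # -D removes the SPN from the computer object; -S adds it to the service
    # account only after checking the forest for a duplicate (a duplicate SPN
    # makes the KDC unable to pick a key, and Kerberos for that service fails).
    setspn -D $spn $computer
    setspn -S $spn $svcAcct
}

# Forest-wide duplicate check, independent of the two names above.
setspn -X

# Confirm the end state on both objects.
setspn -L $computer
setspn -L $svcAcct

# On a box where the Operations console has just connected: was a service
# ticket for MSOMSdkSvc obtained at all? No line here means no Kerberos to the SDK.
klist | Select-String -Pattern 'MSOMSdkSvc'

# On the management server: tally the authentication package of recent network
# logons (type 3). Coarse, but an NTLM-only result after console connections
# confirms the fallback Chris suspects.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        if ($_.Message -match 'Logon Type:\s+3' -and
            $_.Message -match 'Authentication Package:\s+(Kerberos|NTLM)') {
            $Matches[1]
        }
    } |
    Group-Object | Select-Object Name, Count
```

Run the relocation once with the service stopped, then start it and watch whether the alert re-registers the SPNs on the computer object; if it does, the per-attribute delegation on the service account will not stop the alert and you are back to ignoring it or opening a case, as the earlier replies suggest.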

