Try manually resetting or adding the SPN for one of the computers and see if
that takes care of your problem. If it does, then I'd do the same for the rest
or just disjoin and rejoin them to the domain if there are not too many of
them.
 
you can use setspn to do this.  Like so:
 
setspn /R the_computer_NetBIOS_Name
 
OR
 
setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
setspn /A host/FQDN_Name the_computer_FQDN
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 11:52 AM
To: activedirectory
Subject: Re: [ActiveDir] SPN issue


Ok, I came up with some more stuff-
 
If i use the FQDN, I can map a drive without the login error.
 
I ran Ethereal while mapping a drive, both ways. With the flat name and FQDN.
When mapping with the flat name, I see a "KRB5KDC_ERR_PREAUTH_FAILED(24)"
Then later, I see, "KRB5KRB_AP_ERR_MODIFIED,Error:
STATUS_MORE_PROCESSING_REQUIRED(0x0000016)"
 
When I use FQDN, I see-
 
"KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN(7)" and then it defaults to NTLM and lets me
in.
 
 
With a flat name, it never gets to NTLM.
 
I've checked the "Troubleshooting Kerberos Errors" MS whitepaper but I can't
find anything to help me there.
 
The SPN in AD of my box and the server I'm connecting to seems fine.
Both client and server are in the same Domain.
DNS is functioning. 
Time is in sync.
 
Anyplace else I should be looking?
 
Thanks a lot.


 
On 2/21/06, Tom Kern <[EMAIL PROTECTED]> wrote: 

        I'm at the end of a win2k native to win2k3 win2k3FFL/DFL migration
using Quest Migration Manager.
         
        I've noticed we've had many login issues where users can map drives
via ip but not hostname(dns is working and you can ping by name).
         
        Also, when connecting via a drive mapping, the error received is
"Login failure: The target name is incorrect".
         
        Now I know when mapping via ip, you are using NTLM as opposed to
Kerberos when you use a hostname.
         
        So I thought it was a duplicate SPN issue due to the migration.
         
        When I fire up LDP.exe and search for SPN, I see the pc in question
has an SPN of the value "host\pc.Old.Domain.Name".
        There is no SPN for the pc to reflect the new Forest it has been
migrated to.
        This is sporadic and doesn't affect all migrated pc's.
         
        Another symptom is users not getting their home drive mappings(via
ADUC).
        The homedir server logs this error in the Security log-
         
        Event Type: Failure Audit
        Event Source: Security
        Event Category: Logon/Logoff 
        Event ID: 537
        Date:  2/21/2006
        Time:  11:16:05 AM
        User:  NT AUTHORITY\SYSTEM
        Computer: OPNJR01
        Description:
        Logon Failure: 
          Reason:  An unexpected error occurred during logon
          User Name: 
          Domain:  
          Logon Type: 3
          Logon Process: Kerberos
          Authentication Package: Kerberos
          Workstation Name: - 
         
         
         
        I have two questions-
        1. Could the issues I'm having be a symptom of this SPN "problem"?
         
        2. Has anyone faced a similar issue when migrating either via Quest
or ADMT, etc.?
         
        Thanks a lot.


List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
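An added example, not part of the thread above: a PowerShell audit that does the check Dèjì describes before you touch setspn. It reads the migrated computer's servicePrincipalName and dNSHostName with the built-in [adsisearcher] accelerator, flags SPNs that still carry the source forest's DNS suffix, flags the HOST/flat-name and HOST/FQDN entries the new forest needs, and prints the setspn -D / setspn -A commands that would fix them. The suffixes and the computer name are placeholders you supply; nothing here is from Quest or from the original posts. The symptoms in the thread map onto the two states this script reports: no account holding the SPN gives KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and an NTLM fallback, while a ticket encrypted for the wrong account (stale or duplicate SPN) gives KRB_AP_ERR_MODIFIED with no fallback.

```powershell
<#
 Added example (not from the thread): audit one migrated computer's SPNs
 against its new forest and print the setspn commands that would fix them.
 Assumptions: run on a box joined to the target domain with rights to read
 the computer object; NewDnsSuffix/OldDnsSuffix are placeholders you supply.
#>
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,   # NetBIOS name, e.g. OPNJR01
    [Parameter(Mandatory = $true)][string]$NewDnsSuffix,   # target forest suffix (assumed)
    [string]$OldDnsSuffix = 'old.domain.name'              # source forest suffix (placeholder)
)

# Computer accounts are sAMAccountName "NAME$"; the backtick keeps the '$' literal.
$filter   = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$searcher = [adsisearcher]$filter
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('servicePrincipalName', 'dNSHostName'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "No computer account '$ComputerName`$' found in the current domain." }

$spns    = @($hit.Properties['serviceprincipalname'])
$dnsHost = [string]($hit.Properties['dnshostname'] | Select-Object -First 1)
$fqdn    = "$ComputerName.$NewDnsSuffix"

# Kerberos needs both forms: the flat name (\\OPNJR01\share) and the FQDN.
# -notcontains is case-insensitive, which matches how the KDC compares SPNs.
$expected = @("HOST/$ComputerName", "HOST/$fqdn")
$missing  = $expected | Where-Object { $spns -notcontains $_ }
$stale    = $spns     | Where-Object { $_ -like "*/*.$OldDnsSuffix" }

"Computer     : $ComputerName"
"dNSHostName  : $dnsHost"
"Current SPNs : $($spns -join ', ')"

# If dNSHostName still names the old forest, the machine will keep
# re-registering the old HOST/ SPN on its own, so fix that attribute too.
if ($dnsHost -and $dnsHost -notlike "*.$NewDnsSuffix") {
    "WARNING: dNSHostName still points at the old forest; SPN self-registration will reuse it."
}
if ($stale)   { "Stale SPNs from the source forest:`n  " + ($stale   -join "`n  ") }
if ($missing) { "Missing SPNs for the new forest:`n  "  + ($missing -join "`n  ") }

# Commands to run once you have confirmed no other account holds these SPNs
# (a second owner is what turns a working SPN into KRB_AP_ERR_MODIFIED).
$fixes = @()
$stale   | ForEach-Object { $fixes += "setspn -D $_ $ComputerName" }
$missing | ForEach-Object { $fixes += "setspn -A $_ $ComputerName" }
if ($fixes) { "`nSuggested fixes:"; $fixes } else { "SPNs are consistent with $NewDnsSuffix." }
```

Run it as `.\Audit-Spn.ps1 -ComputerName OPNJR01 -NewDnsSuffix new.domain.name` (file name and suffix are placeholders). The script only prints the setspn lines rather than running them, because an SPN that is missing on one account may already be registered on another; on a setspn.exe new enough to support it, `setspn -X` lists such duplicates forest-wide, and `setspn -L <account>` shows what any single account holds before you delete or add anything.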
