Your syntax looks backward....you have the hostname in front of the SPN

-A = add arbitrary SPN
     Usage:   setspn -A SPN computername

setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
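
Added example, not part of the original thread: a PowerShell check that compares the SPNs registered on a computer account with the HOST SPNs its current NetBIOS and DNS names require, and builds the `setspn -A` fix in the argument order given above (SPN first, then the account). The function name `Test-HostSpn` and all sample names are hypothetical, constructed values.

```powershell
# Added example. Feed it the servicePrincipalName values of one computer
# account (for instance the lines printed by "setspn -L <computername>").
function Test-HostSpn {
    param(
        [Parameter(Mandatory=$true)][string] $NetBiosName,
        [Parameter(Mandatory=$true)][string] $DnsHostName,
        [string[]] $RegisteredSpn = @()
    )
    $names    = @($NetBiosName, $DnsHostName)
    $expected = $names | ForEach-Object { "HOST/$_" }
    $missing = @(); $stale = @(); $malformed = @()

    foreach ($spn in $RegisteredSpn) {
        # An SPN is serviceclass/host; split only on the first slash.
        $class, $target = $spn -split '/', 2
        if (-not $target) { $malformed += $spn; continue }   # e.g. backslash used
        # A HOST SPN that names neither current name is left over from a rename or migration.
        if ($class -eq 'HOST' -and $names -notcontains $target) { $stale += $spn }
    }
    foreach ($spn in $expected) {
        # -notcontains compares strings case-insensitively, as SPN matching does.
        if ($RegisteredSpn -notcontains $spn) { $missing += $spn }
    }

    New-Object PSObject -Property @{
        Missing   = $missing
        Stale     = $stale
        Malformed = $malformed
        # setspn -A takes the SPN first and the account name second.
        Fix       = @($missing | ForEach-Object { "setspn -A $_ $NetBiosName" })
    }
}

# Constructed sample: a machine migrated from old.example.com to new.example.com.
$sample = @(
    'HOST/PC01',
    'HOST/pc01.old.example.com',
    'host\pc01.old.example.com'
)
Test-HostSpn -NetBiosName 'PC01' -DnsHostName 'pc01.new.example.com' `
             -RegisteredSpn $sample | Format-List
```
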

 

________________________________

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, February 21, 2006 1:26 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue


Thank you for the advice.
I will in the future.
 
This is the output from setspn /A
 
C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765
Unable to locate account host/OP5080570765
 
C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765.corp.oproot.opco.com
Unable to locate account host/OP5080570765.corp.oproot.opco.com
 
The weird thing is, these accounts were migrated months ago and had no issue 
till today.
There was no change made to AD by hand or by app.
 
Thanks

 
On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: 

        Try the /A option.
        
        btw, try munging your resource/domain names when you post to a forum such as this.
        
        
        Sincerely,
        
        Dèjì Akómöláfé, MCSE+M MCSA+M MCT
        Microsoft MVP - Directory Services
        www.readymaids.com - we know IT
        www.akomolafe.com 
        Do you now realize that Today is the Tomorrow you were worried about
        Yesterday?  -anon
        
        ________________________________
        
        From: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> on behalf of Tom Kern
        Sent: Tue 2/21/2006 1:01 PM
        To: [email protected]
        Subject: Re: [ActiveDir] SPN issue
        
        
        I get this, when I use netbios name- 
        
        C:\Program Files\Resource Kit>setspn -R OP5080570765
        Failed to crack name CORP\OP5080570765 into the FQDN, (0) 1 0x2
        
        I get this when I use FQDN-
        
        C:\Program Files\Resource Kit>setspn -R OP5080570765.corp.oproot.opco.com
        Could not find account OP5080570765.corp.oproot.opco.com
        
        The name is in DNS and AD.
        As I said, DNS is functioning properly.
        
        Thanks
        
        
        
        On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
        
               Try manually resetting or adding the SPN for one of the computers and see if
               that takes care of your problem. If it does, then I'd do the same for the rest
               or just disjoin and rejoin them to the domain if there are not too many of
               them.
        
               You can use setspn to do this.  Like so:
        
               setspn /R the_computer_NetBIOS_Name
        
               OR
        
               setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
               setspn /A host/FQDN_NAme the_computer_FQDN
        
        
               Sincerely,
        
               Dèjì Akómöláfé, MCSE+M MCSA+M MCT
               Microsoft MVP - Directory Services
               www.readymaids.com - we know IT
               www.akomolafe.com
               Do you now realize that Today is the Tomorrow you were worried about
               Yesterday?  -anon
        
               ________________________________
        
               From: [EMAIL PROTECTED] on behalf of Tom Kern
               Sent: Tue 2/21/2006 11:52 AM 
               To: activedirectory
               Subject: Re: [ActiveDir] SPN issue
        
        
               Ok, I came up with some more stuff-
        
               If I use the FQDN, I can map a drive without the login error.
        
               I ran Ethereal while mapping a drive, both ways. With the flat name and FQDN.
               When mapping with the flat name, I see a "KRB5KDC_ERR_PREAUTH_FAILED(24)"
               Then later, I see, "KRB5KRB_AP_ERR_MODIFIED,Error:
               STATUS_MORE_PROCESSING_REQUIRED(0x0000016)"
        
               When I use FQDN, I see-
        
               "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN(7)" and then it defaults to NTLM and lets me
               in.
        
        
               With a flat name, it never gets to NTLM.
        
               I've checked the "Troubleshooting Kerberos Errors" MS whitepaper but I can't
               find anything to help me there.
        
               The SPN in AD of my box and the server I'm connecting to seems fine.
               Both client and server are in the same Domain.
               DNS is functioning.
               Time is in sync.
        
               Anyplace else I should be looking?
        
               Thanks a lot.
        
        
        
               On 2/21/06, Tom Kern <[EMAIL PROTECTED]> wrote:
        
                      I'm at the end of a win2k native to win2k3 win2k3FFL/DFL migration
                      using Quest Migration Manager.
        
                      I've noticed we've had many login issues where users can map drives
                      via ip but not hostname (dns is working and you can ping by name).
        
                      Also, when connecting via a drive mapping, the error received is
                      "Login failure: The target name is incorrect".
        
                      Now I know when mapping via ip, you are using NTLM as opposed to
                      Kerberos when you use a hostname.
        
                      So I thought it was a duplicate SPN issue due to the migration.
        
                      When I fire up LDP.exe and search for SPN, I see the pc in question
                      has an SPN of the value "host\pc.Old.Domain.Name".
                      There is no SPN for the pc to reflect the new Forest it has been
                      migrated to.
                      This is sporadic and doesn't affect all migrated pc's.
        
                      Another symptom is users not getting their home drive mappings (via
                      ADUC).
                      The homedir server logs this error in the Security log-
        
                      Event Type: Failure Audit 
                      Event Source: Security
                      Event Category: Logon/Logoff
                      Event ID: 537
                      Date:  2/21/2006
                      Time:  11:16:05 AM
                      User:  NT AUTHORITY\SYSTEM 
                      Computer: OPNJR01
                      Description:
                      Logon Failure:
                        Reason:  An unexpected error occurred during logon
                        User Name:
                        Domain: 
                        Logon Type: 3
                        Logon Process: Kerberos
                        Authentication Package: Kerberos
                        Workstation Name: -
        
        
        
                      I have two questions-
                      1. Could the issues I'm having be a symptom of this SPN "problem"?
        
                      2. Has anyone faced a similar issue when migrating either via Quest
                      or ADMT, etc?
        
                      Thanks a lot. 
        
        
               List info   : http://www.activedir.org/List.aspx
               List FAQ    : http://www.activedir.org/ListFAQ.aspx
               List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
        
        
        