Re: service principal name for the VMRC server could not be regist
From: Nils M. Lunde (nilsml_at_options.no.nospam)
Date: 01/26/05
- Next message: marc_at_olderchurch.net: "Object access and Accesses list"
- Previous message: Steven L Umbach: "Re: Recovering Encrypted File on WIndows XP workstation"
- In reply to: Benny Hauk: "Re: service principal name for the VMRC server could not be regist"
- Next in thread: Benny Hauk: "Re: service principal name for the VMRC server could not be regist"
- Reply: Benny Hauk: "Re: service principal name for the VMRC server could not be regist"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Jan 2005 12:24:24 +0100
Thank you for this thorough answer!
I've tried what you suggested, but my problem is that the setspn program doesn't
find the NetworkService account.
Should I create a new account and run the VirtualServer service using this?
Another question: Do I have to run setspn.exe each time I restart the
server, or will it be persistent?
Cheers,
Nils Magne Lunde
"Benny Hauk" <BennyHauk@discussions.microsoft.com> wrote in message
news:F34A60B7-D45F-4E02-B6E3-62823E088C34@microsoft.com...
> I think I can offer a solution for this one. I have run into the exact same
> problem trying to get Kerberos delegated authentication to work in SQL Server
> when the service is running as a specified domain user account instead of
> System.
>
> First off you will need the setspn.exe utility. I found it on the Windows
> 2000 Resource Kit CD, but it may be found other places as well (may be
> online, not sure). Once you have it, run this command:
>
> setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
>
> where [USERACCOUNT] is the account you want to run the service as. In your
> case, since DCOM uses the default "HOST" service, you should be looking for a
> line that looks like:
>
> HOST/[DNSHOSTNAME]
>
> My guess is that you will find that the line doesn't exist. Simply type
> this command:
>
> setspn.exe -A HOST/[DNSHOSTNAME] [DOMAINNAME]\[USERACCOUNT]
>
> EXAMPLE (if you worked for ebay, perhaps):
> setspn.exe -A HOST/virtserver01.ebay.com ebay\Administrator
>
> And verify that the entry shows up now by running this again:
>
> setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
>
> Now try running the service with that user account and see if it works.
> It's slowly becoming clearer to me why SPNs are needed and what role they
> play in Kerberos authentication. However, I don't think I have a strong
> enough grasp of it to clearly explain it to anyone.
>
> Here's how MS explains it when it's SQLServer being used and not DCOM:
> http://msdn.microsoft.com/library/en-us/adminsql/ad_security_2gmm.asp
>
> I've cross-referenced a couple other microsoft newsgroups in hopes for
> verification/further explanation (this falls more into Kerberos
> authentication than Server virtualization). The only thing I'm unsure of is
> whether you need to include a port number when running the "setspn -A"
> command above (something like: setspn.exe -A
> HOST/virtserver01.ebay.com:[DCOM_TCPPORT] ebay\Administrator). My guess is
> that you don't.
>
> Can anyone from microsoft offer any additional advice?
> Benny Hauk, Systems Engineer
>
> "Nils M. Lunde" wrote:
>
>> Ok, this is what I've found out:
>> The reason why we are getting this message is because the user that the
>> VirtualServer service runs as, doesn't have the credentials needed to create
>> 4 different server principal names.
>>
>> I tried to run the VirtualServer service using the System account, and it
>> was working like a charm.
>>
>> So, we need to find out why the user, in most cases the Network Service
>> user, does not have the credentials needed to create the SPNs. Per default
>> in Windows 2003 Server this user is supposed to be able to do this.
>>
>> Anyone??
>>
>> -Nils Magne
>>
>> "Nils M. Lunde" <nilsml@options.no.nospam> wrote in message
>> news:epZbufM%23EHA.3472@TK2MSFTNGP14.phx.gbl...
>> > Have you been able to solve this?
>> > I have the same issue on my Windows Server 2003.
>> > It was working fine, and then all of a sudden I started getting this
>> > message.
>> > I am still able to use the Virtual Server, but it takes forever to start
>> > the service.
>> >
>> > -Nils Magne
>> >
>> > "WintelRob" <WintelRob@discussions.microsoft.com> wrote in message
>> > news:96C99C88-DCAB-456D-B1F8-9785A2BCF67D@microsoft.com...
>> >> Sorry for the long message, but I wanted to provide the necessary
>> >> details.
>> >>
>> >> I'm sure this has been addressed in the past, but I could find nothing
>> >> anywhere, except for one BLOG on the Internet.
>> >>
>> >> I have been getting errors with Virtual Server since the trial expired
>> >> and I re-installed a purchased copy.
>> >>
>> >> I have nothing in the "Deny" list in the "Virtual Server" DCOM+ object,
>> >> and this software was working on my system. The trial expired. I've
>> >> installed a purchased copy, but same error no matter what.
>> >>
>> >> Tried changing the "Virtual Server", as well as the "VMRC components".
>> >> Also, tried adding SERVICE.
>> >>
>> >> The service that the Virtual Server runs under is via "NT Authority"
>> >> and the account name is not available to add within apps or the DCOM+
>> >> components.
>> >>
>> >> Here's the Event Log error message:
>> >>
>> >> "The service principal name for the VMRC server could not be
>> >> registered. Automatic authentication will always use NTLM
>> >> authentication. Error 0x8007200b - The attribute syntax specified to
>> >> the directory service is invalid."
>> >>
>> >> The event ID 1029 doesn't exist anywhere.
>> >>
>> >> The user is "NT AUTHORITY\NETWORK SERVICE" which you can't add to
>> >> anything.
>> >>
>> >> The service is running, but it isn't working, and it cannot be
>> >> administered.
>> >>
>> >> I am running Windows XP SP2 with the latest available patches and
>> >> updates.
>> >>
>> >> When I originally installed Virtual Server on XP with SP1, it was
>> >> great. Then, installing SP2 broke it. I fixed the DCOM+ component, and
>> >> then it worked again. For 180 days or so.
>> >>
>> >> I rebooted, and something I did made the system workable now, though
>> >> I'm not sure if it was addition of "SYSTEM" to the DCOM+ object, or
>> >> what. So, could someone tell what the *appropriate* settings are for
>> >> the Virtual Server DCOM+ object? I probably gave way more permissions
>> >> than necessary.
>> >>
>> >> Thanks!!!
>> >>
>> >> (I'll post any helpful responses back to that BLOG, since it seems to
>> >> be the only page that shows up in a search for that error message.)
>> >
>> >
>>
>>
>>
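The setspn -L / -A check-then-register-then-verify procedure that Benny describes, as an added PowerShell example that is not part of the thread. The account name, the host FQDN and the function name are placeholders. Two points the script encodes that the thread touches on: a service running as NT AUTHORITY\NETWORK SERVICE (or LocalSystem) presents the computer account on the network, so its SPNs belong to the computer object (DOMAIN\HOSTNAME$), which is why listing an account called "NetworkService" finds nothing; and setspn -A writes the SPN to the account's servicePrincipalName attribute in Active Directory, so it is stored once and is not redone at each restart.

```powershell
# Added example (not from the thread): check for a HOST/<fqdn> SPN on an
# account and register it if missing, using the setspn.exe -L and -A switches
# discussed above. Account and host names below are placeholders.
param(
    [string]$Account     = 'EXAMPLEDOM\svc_virtualserver',   # assumed service account
    [string]$DnsHostName = 'virtserver01.example.local'      # assumed FQDN of the host
)

# For a service running as NETWORK SERVICE or LocalSystem, pass the computer
# account instead, e.g. -Account 'EXAMPLEDOM\VIRTSERVER01$'.
$spn = "HOST/$DnsHostName"

function Get-RegisteredSpn([string]$acct) {
    # setspn -L prints a header line, then one indented SPN per line.
    $out = & setspn.exe -L $acct 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for ${acct}: $out" }
    return $out | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ -match '/' }
}

$before = Get-RegisteredSpn $Account
if ($before -contains $spn) {
    Write-Host "$spn is already registered on $Account"
    return
}

Write-Host "$spn not found on $Account; registering"
& setspn.exe -A $spn $Account | Out-Null
if ($LASTEXITCODE -ne 0) { throw "setspn -A $spn $Account failed" }

# Verify by listing the account again, as the thread recommends.
$after = Get-RegisteredSpn $Account
if ($after -contains $spn) {
    Write-Host "Verified: $spn is now stored on $Account"
} else {
    Write-Warning "$spn still not listed; the caller needs write access to the account's servicePrincipalName attribute"
}
```

Run it from an elevated prompt with the "Validated write to service principal name" right (or domain admin) on the target account; -contains compares case-insensitively, which matches how Kerberos treats SPN names.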