Re: service principal name for the VMRC server could not be regist
From: Benny Hauk (BennyHauk_at_discussions.microsoft.com)
Date: 01/27/05
- Next message: Chris Hall: "Re: Security Template question"
- Previous message: Old Bob: "firewall"
- In reply to: Nils M. Lunde: "Re: service principal name for the VMRC server could not be regist"
- Next in thread: Alvaro Noreña: "Re: service principal name for the VMRC server could not be regist"
- Reply: Alvaro Noreña: "Re: service principal name for the VMRC server could not be regist"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 27 Jan 2005 05:19:04 -0800
Good questions... I'm not sure how you would specify the NetworkService
account. I've only done this with manually created user accounts.
Changes made by using setspn aren't made locally, but rather are made in
active directory (or perhaps on the DNS server). Either way, yes the changes
persist. setspn creates/modifies/deletes "SPN" dns records if I remember
correctly.
Benny Hauk
"Nils M. Lunde" wrote:
> Thank you for this thorough answer!
> I've tried what you suggested, but my problem is that setspn-program doesn't
> find the NetworkService account.
> Should I create a new account and run the VirtualServer service using this?
>
> Another question: Do I have to run setspn.exe each time I restart the
> server, or will it be persistent?
>
> Cheers,
> Nils Magne Lunde
>
>
> "Benny Hauk" <BennyHauk@discussions.microsoft.com> wrote in message
> news:F34A60B7-D45F-4E02-B6E3-62823E088C34@microsoft.com...
> >I think I can offer a solution for this one. I have run into the exact
> >same
> > problem trying to get Kerberos delegated authentication to work in SQL
> > Server
> > when the service is running as a specified domain user account instead of
> > System.
> >
> > First off you will need the setspn.exe utility. I found it on the Windows
> > 2000 Resource Kit CD, but it may be found other places as well (may be
> > online, not sure). Once you have it, run this command:
> >
> > setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
> >
> > where [USERACCOUNT] is the account you want to run the service as. In your
> > case, since DCOM uses the default "HOST" service, you should be looking
> > for a
> > line that looks like:
> >
> > HOST/[DNSHOSTNAME]
> >
> > My guess is that you will find that the line doesn't exist. Simply type
> > this command:
> >
> > setspn.exe -A HOST/[DNSHOSTNAME] [DOMAINNAME]\[USERACCOUNT]
> >
> > EXAMPLE (if you worked for ebay, perhaps):
> > setspn.exe -A HOST/virtserver01.ebay.com ebay\Administrator
> >
> > And verify that the entry shows up now by running this again:
> >
> > setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
> >
> > Now try running the service with that user account and see if it works.
> > It's slowly becoming clearer to me why SPNs are needed and what role they
> > play in Kerberos authentication. However, I don't think I have a strong
> > enough grasp of it to clearly explain it to anyone.
> >
> > Here's how MS explains it when it's SQLServer being used and not DCOM:
> > http://msdn.microsoft.com/library/en-us/adminsql/ad_security_2gmm.asp
> >
> > I've cross-referenced a couple other microsoft newsgroups in hopes for
> > verification/further explanation (this falls more into Kerberos
> > authentication than Server virtualization). The only thing I'm unsure of
> > is
> > whether you need to include a port number when running the "setspn -A"
> > command above (something like: setspn.exe -A
> > HOST/virtserver01.ebay.com:[DCOM_TCPPORT] ebay\Administrator). My guess
> > is
> > that you don't.
> >
> > Can anyone from microsoft offer any additional advice?
> > Benny Hauk, Systems Engineer
> >
> > "Nils M. Lunde" wrote:
> >
> >> Ok, this is what I've found out:
> >> The reason why we are getting this message is because the user that the
> >> VirtualServer service runs as, doesn't have the credentials needed to
> >> create
> >> 4 different service principal names.
> >>
> >> I tried to run the VirtualServer service using the System account, and it
> >> was working like a charm.
> >>
> >> So, we need to find out why the user, in most cases the Network Service
> >> user, does not have the credentials needed to create the spn's. Per
> >> default
> >> in Windows 2003 Server this user is supposed to be able to do this.
> >>
> >> Anyone??
> >>
> >> -Nils Magne
> >>
> >> "Nils M. Lunde" <nilsml@options.no.nospam> wrote in message
> >> news:epZbufM%23EHA.3472@TK2MSFTNGP14.phx.gbl...
> >> > Have you been able to solve this?
> >> > I have the same issue on my Windows Server 2003.
> >> > It was working fine, and then all of a sudden I started getting this
> >> > message.
> >> > I am still able to use the Virtual Server, but it takes forever to start
> >> > the service.
> >> >
> >> > -Nils Magne
> >> >
> >> > "WintelRob" <WintelRob@discussions.microsoft.com> wrote in message
> >> > news:96C99C88-DCAB-456D-B1F8-9785A2BCF67D@microsoft.com...
> >> >> Sorry for the long message, but I wanted to provide the necessary
> >> >> details.
> >> >>
> >> >> I'm sure this has been addressed in the past, but I could find nothing
> >> >> anywhere, except for one BLOG on the Internet.
> >> >>
> >> >> I have been getting errors with Virtual Server since the trial expired
> >> >> and I
> >> >> re-installed a purchased copy.
> >> >>
> >> >> I have nothing in the "Deny" list in the "Virtual Server" DCOM+
> >> >> object,
> >> >> and
> >> >> this software was working on my system. The trial expired. I've
> >> >> installed
> >> >> a
> >> >> purchased copy, but same error no matter what.
> >> >>
> >> >> Tried changing the "Virtual Server", as well as the "VMRC components".
> >> >> Also,
> >> >> tried adding SERVICE.
> >> >>
> >> >> The service that the Virtual Server runs under is via "NT Authority"
> >> >> and
> >> >> the
> >> >> account name is not available to add within apps or the DCOM+
> >> >> components.
> >> >>
> >> >> Here's the Event Log error message:
> >> >>
> >> >> "The service principal name for the VMRC server could not be
> >> >> registered.
> >> >> Automatic authentication will always use NTLM authentication. Error
> >> >> 0x8007200b - The attribute syntax specified to the directory service
> >> >> is
> >> >> invalid."
> >> >>
> >> >>
> >> >> The event ID 1029 doesn't exist anywhere.
> >> >>
> >> >> The user is "NT AUTHORITY\NETWORK SERVICE" which you can't add to
> >> >> anything.
> >> >>
> >> >> The service is running, but it isn't working, and it cannot be
> >> >> administered.
> >> >>
> >> >> I am running Windows XP SP2 with the latest available patches and
> >> >> updates.
> >> >>
> >> >> When I originally installed Virtual Server on XP with SP1, it was
> >> >> great.
> >> >> Then, installing SP2 broke it. I fixed the DCOM+ component, and then
> >> >> it
> >> >> worked again. For 180 days or so.
> >> >>
> >> >> I rebooted, and something I did made the system workable now, though
> >> >> I'm
> >> >> not
> >> >> sure if it was addition of "SYSTEM" to the DCOM+ object, or what. So,
> >> >> could
> >> >> someone tell what the *appropriate* settings are for the Virtual
> >> >> Server
> >> >> DCOM+
> >> >> object? I probably gave way more permissions than necessary.
> >> >>
> >> >> Thanks!!!
> >> >>
> >> >> (I'll post any helpful responses back to that BLOG, since it seems to
> >> >> be
> >> >> the
> >> >> only page that shows up in a search for that error message.)
> >> >
> >> >
> >>
> >>
> >>
>
>
>
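An added example, not part of the thread above and not Microsoft's tooling: a PowerShell check for the HOST/[DNSHOSTNAME] SPN the thread is registering by hand. SPNs are stored as the multi-valued servicePrincipalName attribute on the account object in Active Directory (which is why the event text reads "attribute syntax specified to the directory service is invalid"), so the script queries the directory directly rather than scraping setspn -L output. It also answers Nils's question about NetworkService: a service running as NT AUTHORITY\NetworkService or LocalSystem authenticates to Kerberos as the computer account, so the SPN belongs on [HOSTNAME]$ and not on a user object. The script reports whether the SPN is missing (Kerberos fails and DCOM falls back to NTLM, exactly what the event warns about) or registered on more than one account (a duplicate SPN, which breaks Kerberos for everyone), and only registers it when asked and when no other owner exists. Assumed: a domain-joined machine, setspn.exe on the PATH (the -S switch used here belongs to the Server 2008 and later tool; the thread's -A does not check for duplicates), and a caller permitted to write servicePrincipalName on the target account. The host and account names are placeholders.

```powershell
<#
  Added example (not from the original thread). Checks that HOST/<fqdn> is
  registered on the account a DCOM-hosted service (here, Virtual Server / VMRC)
  runs as, reports duplicate owners, and optionally registers it.
  Assumptions: domain-joined machine, setspn.exe (2008+ version with -S) on PATH,
  caller may write servicePrincipalName on the target account.
  Usage: .\Check-HostSpn.ps1 -DnsHostName virtserver01.example.com -ServiceAccount svc-virtual
         .\Check-HostSpn.ps1 -DnsHostName virtserver01.example.com -ServiceAccount 'VIRTSERVER01$' -Register
#>
param(
    # DNS name clients use to reach the server (placeholder in the usage above).
    [Parameter(Mandatory)] [string] $DnsHostName,
    # sAMAccountName the service runs as. For NT AUTHORITY\NetworkService or
    # LocalSystem the Kerberos identity is the computer account: pass 'HOSTNAME$'.
    [Parameter(Mandatory)] [string] $ServiceAccount,
    # Without -Register the script only reports.
    [switch] $Register
)

$spn = "HOST/$DnsHostName"

function Find-SpnOwners {
    param([string] $Spn)
    # Search the whole domain for any object holding this SPN. The KDC picks one
    # owner's key to encrypt the service ticket; if two accounts claim the SPN the
    # service cannot decrypt it and the client silently drops to NTLM or fails.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

$owners = @(Find-SpnOwners -Spn $spn)

switch ($owners.Count) {
    0       { Write-Host "$spn is not registered on any account: Kerberos to this service will fail and DCOM falls back to NTLM." }
    1       { Write-Host ("{0} is registered on {1} ({2})" -f $spn, $owners[0].SamAccountName, $owners[0].DistinguishedName) }
    default {
        Write-Warning "$spn is registered on $($owners.Count) accounts (duplicate SPN, Kerberos will break):"
        $owners | Format-Table -AutoSize | Out-String | Write-Warning
    }
}

# -eq on strings is case-insensitive in PowerShell, matching how sAMAccountName is compared.
$onTarget = $owners | Where-Object { $_.SamAccountName -eq $ServiceAccount }

if ($onTarget) {
    Write-Host "OK: $ServiceAccount already holds $spn."
}
elseif ($Register) {
    if ($owners.Count -gt 0) {
        throw "Refusing to add $spn to $ServiceAccount: it is already owned by $($owners.SamAccountName -join ', '). Remove it there first (setspn -D)."
    }
    # setspn -S checks the forest for duplicates before adding (the thread's -A does not).
    & setspn.exe -S $spn $ServiceAccount
    if ($LASTEXITCODE -ne 0) { throw "setspn.exe failed with exit code $LASTEXITCODE" }
    # Show the account's SPN list afterwards, as the thread does with setspn -L.
    & setspn.exe -L $ServiceAccount
}
else {
    Write-Host "$ServiceAccount does not hold $spn; rerun with -Register to add it."
}
```

The change is written to the directory, not to the local machine, so it survives reboots; a restart of the service is still needed so it obtains a new ticket under the corrected identity. If the account shown as the duplicate owner is a stale computer object for a decommissioned host, remove the SPN there rather than adding a second copy.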