Re: service principal name for the VMRC server could not be regist

From: Alvaro Noreña (alvaro6_at_msn.com)
Date: 01/28/05


Date: Thu, 27 Jan 2005 21:29:50 -0500

Hi guys, I've already configured Virtual Server with trusted delegation, but
I'm having problems with authentication; I even tried any auth. method,
never mind... I've already tried to configure Virtual Server with an AD user
account and have the same problem with SPN registration; I configured it but the
problem goes on. Any suggestions? How did you get it to run? Thanks
Alvaro N.
alvaro6@msn.com
"Benny Hauk" <BennyHauk@discussions.microsoft.com> wrote in message
news:E0FABF72-CA93-4695-8B86-6BEF48D64C4B@microsoft.com...
> Good questions... I'm not sure how you would specify the NetworkService
> account. I've only done this with manually created user accounts.
>
> Changes made by using setspn aren't made locally, but rather are made in
> Active Directory (or perhaps on the DNS server). Either way, yes the changes
> persist. setspn creates/modifies/deletes "SPN" DNS records if I remember
> correctly.
>
> Benny Hauk
>
> "Nils M. Lunde" wrote:
>
> > Thank you for this thorough answer!
> > I've tried what you suggested, but my problem is that the setspn program
> > doesn't find the NetworkService account.
> > Should I create a new account and run the VirtualServer service using this?
> >
> > Another question: Do I have to run setspn.exe each time I restart the
> > server, or will it be persistent?
> >
> > Cheers,
> > Nils Magne Lunde
> >
> >
> > "Benny Hauk" <BennyHauk@discussions.microsoft.com> wrote in message
> > news:F34A60B7-D45F-4E02-B6E3-62823E088C34@microsoft.com...
> > > I think I can offer a solution for this one. I have run into the exact
> > > same problem trying to get Kerberos delegated authentication to work in SQL
> > > Server when the service is running as a specified domain user account
> > > instead of System.
> > >
> > > First off you will need the setspn.exe utility. I found it on the Windows
> > > 2000 Resource Kit CD, but it may be found other places as well (may be
> > > online, not sure). Once you have it, run this command:
> > >
> > > setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
> > >
> > > where [USERACCOUNT] is the account you want to run the service as. In your
> > > case, since DCOM uses the default "HOST" service, you should be looking
> > > for a line that looks like:
> > >
> > > HOST/[DNSHOSTNAME]
> > >
> > > My guess is that you will find that the line doesn't exist. Simply type
> > > this command:
> > >
> > > setspn.exe -A HOST/[DNSHOSTNAME] [DOMAINNAME]\[USERACCOUNT]
> > >
> > > EXAMPLE (if you worked for ebay, perhaps):
> > > setspn.exe -A HOST/virtserver01.ebay.com ebay\Administrator
> > >
> > > And verify that the entry shows up now by running this again:
> > >
> > > setspn.exe -L [DOMAINNAME]\[USERACCOUNT]
> > >
> > > Now try running the service with that user account and see if it works.
> > > It's slowly becoming clearer to me why SPNs are needed and what role they
> > > play in Kerberos authentication. However, I don't think I have a strong
> > > enough grasp of it to clearly explain it to anyone.
> > >
> > > Here's how MS explains it when it's SQLServer being used and not DCOM:
> > > http://msdn.microsoft.com/library/en-us/adminsql/ad_security_2gmm.asp
> > >
> > > I've cross-referenced a couple other Microsoft newsgroups in hopes for
> > > verification/further explanation (this falls more into Kerberos
> > > authentication than Server virtualization). The only thing I'm unsure of
> > > is whether you need to include a port number when running the "setspn -A"
> > > command above (something like: setspn.exe -A
> > > HOST/virtserver01.ebay.com:[DCOM_TCPPORT] ebay\Administrator). My guess
> > > is that you don't.
> > >
> > > Can anyone from Microsoft offer any additional advice?
> > > Benny Hauk, Systems Engineer
> > >
> > > "Nils M. Lunde" wrote:
> > >
> > >> Ok, this is what I've found out:
> > >> The reason why we are getting this message is because the user that the
> > >> VirtualServer service runs as doesn't have the credentials needed to
> > >> create 4 different server principal names.
> > >>
> > >> I tried to run the VirtualServer service using the System account, and it
> > >> was working like a charm.
> > >>
> > >> So, we need to find out why the user, in most cases the Network Service
> > >> user, does not have the credentials needed to create the SPNs. Per
> > >> default in Windows 2003 Server this user is supposed to be able to do this.
> > >>
> > >> Anyone??
> > >>
> > >> -Nils Magne
> > >>
> > >> "Nils M. Lunde" <nilsml@options.no.nospam> wrote in message
> > >> news:epZbufM%23EHA.3472@TK2MSFTNGP14.phx.gbl...
> > >> > Have you been able to solve this?
> > >> > I have the same issue on my Windows Server 2003.
> > >> > It was working fine, and then all of a sudden I started getting this
> > >> > message.
> > >> > I am still able to use the Virtual Server, but it takes forever to start
> > >> > the service.
> > >> >
> > >> > -Nils Magne
> > >> >
> > >> > "WintelRob" <WintelRob@discussions.microsoft.com> wrote in message
> > >> > news:96C99C88-DCAB-456D-B1F8-9785A2BCF67D@microsoft.com...
> > >> >> Sorry for the long message, but I wanted to provide the necessary
> > >> >> details.
> > >> >>
> > >> >> I'm sure this has been addressed in the past, but I could find nothing
> > >> >> anywhere, except for one BLOG on the Internet.
> > >> >>
> > >> >> I have been getting errors with Virtual Server since the trial expired
> > >> >> and I re-installed a purchased copy.
> > >> >>
> > >> >> I have nothing in the "Deny" list in the "Virtual Server" DCOM+
> > >> >> object, and this software was working on my system. The trial expired.
> > >> >> I've installed a purchased copy, but same error no matter what.
> > >> >>
> > >> >> Tried changing the "Virtual Server", as well as the "VMRC components".
> > >> >> Also, tried adding SERVICE.
> > >> >>
> > >> >> The service that the Virtual Server runs under is via "NT Authority"
> > >> >> and the account name is not available to add within apps or the DCOM+
> > >> >> components.
> > >> >>
> > >> >> Here's the Event Log error message:
> > >> >>
> > >> >> "The service principal name for the VMRC server could not be
> > >> >> registered. Automatic authentication will always use NTLM
> > >> >> authentication. Error 0x8007200b - The attribute syntax specified to
> > >> >> the directory service is invalid."
> > >> >>
> > >> >>
> > >> >> The event ID 1029 doesn't exist anywhere.
> > >> >>
> > >> >> The user is "NT AUTHORITY\NETWORK SERVICE" which you can't add to
> > >> >> anything.
> > >> >>
> > >> >> The service is running, but it isn't working, and it cannot be
> > >> >> administered.
> > >> >>
> > >> >> I am running Windows XP SP2 with the latest available patches and
> > >> >> updates.
> > >> >>
> > >> >> When I originally installed Virtual Server on XP with SP1, it was
> > >> >> great. Then, installing SP2 broke it. I fixed the DCOM+ component, and
> > >> >> then it worked again. For 180 days or so.
> > >> >>
> > >> >> I rebooted, and something I did made the system workable now, though
> > >> >> I'm not sure if it was addition of "SYSTEM" to the DCOM+ object, or
> > >> >> what. So, could someone tell what the *appropriate* settings are for
> > >> >> the Virtual Server DCOM+ object? I probably gave way more permissions
> > >> >> than necessary.
> > >> >>
> > >> >> Thanks!!!
> > >> >>
> > >> >> (I'll post any helpful responses back to that BLOG, since it seems to
> > >> >> be the only page that shows up in a search for that error message.)
> > >> >
> > >> >
> > >>
> > >>
> > >>
> >
> >
> >
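
Added example (not part of the thread, and not Microsoft's code): PowerShell that parses `setspn.exe -L` output, the verification step quoted above, and reports whether an SPN is listed under the intended service account and whether any SPN is listed under more than one account, since the KDC must be able to resolve an SPN to exactly one account. The sample output, the host, domain and account names, and the function names are constructed or hypothetical.

```powershell
# Constructed sample: "setspn.exe -L" output for two accounts, concatenated.
# Host, domain and account names are placeholders, not values from the thread.
$sample = @'
Registered ServicePrincipalNames for CN=VIRTSERVER01,CN=Computers,DC=example,DC=com:
    HOST/virtserver01.example.com
    HOST/VIRTSERVER01
Registered ServicePrincipalNames for CN=svc-virtsrv,CN=Users,DC=example,DC=com:
    HOST/virtserver01.example.com
    MSSQLSvc/virtserver01.example.com:1433
'@

function ConvertFrom-SetSpnList {
    # Hypothetical helper: one object per (account, SPN) pair in "setspn -L" text.
    param([string[]]$Lines)
    $account = $null
    foreach ($line in $Lines) {
        if ($line -match '^Registered ServicePrincipalNames for (.+):\s*$') {
            $account = $Matches[1]
        }
        elseif ($account -and $line -match '^\s+([^/\s]+)/([^/\s:]+)(?::(\d+))?\s*$') {
            [pscustomobject]@{
                Account = $account
                # Port is $null when the SPN carries no port suffix.
                ServiceClass = $Matches[1]; HostName = $Matches[2]; Port = $Matches[3]
                Spn     = $line.Trim()
            }
        }
    }
}

function Test-SpnOnAccount {
    # True when $Spn is listed under an account whose DN matches $AccountLike.
    param([object[]]$Entries, [string]$Spn, [string]$AccountLike)
    [bool]($Entries | Where-Object { $_.Spn -eq $Spn -and $_.Account -like $AccountLike })
}

function Find-DuplicateSpn {
    # SPNs listed under more than one account (Group-Object ignores case by default).
    param([object[]]$Entries)
    $Entries | Group-Object Spn | ForEach-Object {
        $accounts = @($_.Group.Account | Select-Object -Unique)
        if ($accounts.Count -gt 1) {
            [pscustomobject]@{ Spn = $_.Name; Accounts = $accounts -join ' | ' }
        }
    }
}

$entries = ConvertFrom-SetSpnList -Lines ($sample -split '\r?\n')
Test-SpnOnAccount -Entries $entries -Spn 'HOST/virtserver01.example.com' -AccountLike 'CN=svc-virtsrv,*'
Find-DuplicateSpn -Entries $entries | Format-List
```

To run it against a live domain, replace `$sample` with the captured output of `setspn.exe -L` for the service account and for the computer account of the same host.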


