Service Principal Name missing

[This topic is intended to address a specific issue called out by the Exchange Server Analyzer Tool. You should apply it only to systems that have had the Exchange Server Analyzer Tool run against them and are experiencing that specific issue. The Exchange Server Analyzer Tool, available as a free download, remotely collects configuration data from each server in the topology and automatically analyzes the data. The resulting report details important configuration issues, potential problems, and nondefault product settings. By following these recommendations, you can achieve better performance, scalability, reliability, and uptime. For more information about the tool or to download the latest versions, see "Microsoft Exchange Analyzers" at https://go.microsoft.com/fwlink/?linkid=34707.]  

Topic Last Modified: 2010-05-24

The Microsoft Exchange Server Analyzer Tool queries the Active Directory directory service to find the values returned for the servicePrincipalName attribute of the Exchange server computer accounts. The following table lists the Exchange resource servicePrincipalName values and the values that are expected to be returned for the resource on computers that are running Microsoft Exchange Server 2007 or an earlier version.

| Exchange Resource servicePrincipalName value | Expected Value Returned |
|---|---|
| exchangeMDB | Fully Qualified Domain Name (FQDN) |
| exchangeMDB | NetBIOS name |
| exchangeRFR | Fully Qualified Domain Name (FQDN) |
| exchangeRFR | NetBIOS name |
| SMTP | Fully Qualified Domain Name (FQDN) |
| SMTP | NetBIOS name |
| SMTPSVC | Fully Qualified Domain Name (FQDN) |
| SMTPSVC | NetBIOS name |
| HOST | Fully Qualified Domain Name (FQDN) |
| HOST | NetBIOS name |

In Microsoft Exchange Server 2010, the servicePrincipalName values that are present depend on the roles that are installed on the computer. The following table lists the Exchange resource servicePrincipalName values and the values that are expected to be returned for the resource on computers that are running Microsoft Exchange Server 2010.

| Role | Exchange Resource servicePrincipalName value | Expected Value Returned |
|---|---|---|
| All Roles | HOST | Fully qualified domain name (FQDN) |
| All Roles | HOST | NetBIOS name |
| Client Access Server | exchangeAB | Fully qualified domain name (FQDN) |
| Client Access Server | exchangeAB | NetBIOS name |
| Client Access Server | exchangeRFR | Fully qualified domain name (FQDN) |
| Client Access Server | exchangeRFR | NetBIOS name |
| Mailbox Role OR Client Access Server | exchangeMDB | Fully qualified domain name (FQDN) |
| Mailbox Role OR Client Access Server | exchangeMDB | NetBIOS name |
| Hub Transport OR Edge Transport | SMTP | Fully qualified domain name (FQDN) |
| Hub Transport OR Edge Transport | SMTP | NetBIOS name |
| Hub Transport OR Edge Transport | SMTPSVC | Fully qualified domain name (FQDN) |
| Hub Transport OR Edge Transport | SMTPSVC | NetBIOS name |

If the Exchange Server Analyzer finds that the servicePrincipalName attribute for the computer account of an Exchange resource is missing one of the expected values that are listed here, the Exchange Server Analyzer displays an error.

A Service Principal Name (SPN) is a unique name that identifies an instance of a service and that is associated with the logon account under which the service instance runs. Kerberos authentication is not possible for Exchange services without properly set SPNs.

  • Authentication issues between clients that run Microsoft Office Outlook 2003 or later and the Exchange Information Store (mailbox data) may indicate the lack of a valid SPN for the exchangeMDB resource.

  • Outlook 2003 or later clients that have Active Directory authentication issues may indicate the lack of a valid SPN for the exchangeRFR resource.

  • Authentication failures between Simple Mail Transfer Protocol (SMTP) virtual servers may indicate the lack of a valid SPN for the SMTPSVC or HOST resource.

To resolve this issue, follow these steps to add the missing values for the affected attributes.

Note

If you are experiencing this issue in an Exchange 2007 Cluster environment, follow the guidance in Microsoft Knowledge Base article 935676, "Event ID 9317 is logged when the Microsoft Exchange System Attendant service comes online on an Exchange 2007 cluster node" (https://go.microsoft.com/fwlink/?linkid=3052&kbid=935676).

Use the SETSPN.exe tool to add an SPN with the missing values

  1. Install the Setspn.exe tool. To obtain the Setspn.exe tool, see "Windows 2000 Resource Kit Tool : Setspn.exe" (https://go.microsoft.com/fwlink/?LinkId=28103).

    The Windows Server 2003 version of the Setspn.exe command-line tool is available in the Windows Server 2003 Support Tools that are included on the Windows Server 2003 CD. To install the Windows Server 2003 Support Tools, double-click the Suptools.msi file in the Support\Tools folder.

  2. Follow the guidance in the SETSPN.EXE Setspn_d.txt file to add the missing value to the Active Directory object for your Exchange server. The following example demonstrates adding the FQDN value for a virtual SMTP server SPN:

    • Open a command prompt, and then change to the directory where you installed Setspn.exe.

    • At the command prompt, type the following command, and then press Enter.

      **setspn.exe -a SMTPSVC/mail.yourdomain.com YOURSERVERNAME**

      Note

      Replace mail.yourdomain.com with your SMTP virtual server FQDN and YOURSERVERNAME with the name of the Exchange server. There is no space between SMTPSVC/ and mail.yourdomain.com in the command above.
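Before running setspn.exe by hand, it helps to know exactly which of the expected values from the Exchange 2010 table are absent. The following PowerShell script is an added example, not part of this article or of the Exchange Server Analyzer; it builds the expected SPN list from the roles you pass in, reads the computer account's servicePrincipalName attribute through ADSI, and prints a setspn.exe -a command for each missing value. It assumes the server is domain-joined, that the account running it can read Active Directory, and that the FQDN is obtained by DNS lookup of the NetBIOS name; the computer name EXCH01 used in the comment is a placeholder.

```powershell
# Added example (not from the original article): report SPNs that the Exchange
# Server Analyzer would flag as missing on an Exchange 2010 computer account.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName,   # NetBIOS name of the Exchange server, e.g. EXCH01 (placeholder)

    [ValidateSet('Mailbox', 'ClientAccess', 'HubTransport', 'EdgeTransport')]
    [string[]]$Roles         # roles installed on the server; not auto-discovered here
)

# Assumption: the server's FQDN is whatever DNS returns for its NetBIOS name.
$fqdn = [System.Net.Dns]::GetHostEntry($ComputerName).HostName

# Resource prefixes expected per role, taken from the Exchange 2010 table above.
$expectedResources = @('HOST')                                  # all roles
if ($Roles -contains 'ClientAccess') { $expectedResources += 'exchangeAB', 'exchangeRFR', 'exchangeMDB' }
if ($Roles -contains 'Mailbox')      { $expectedResources += 'exchangeMDB' }
if ($Roles -contains 'HubTransport' -or $Roles -contains 'EdgeTransport') {
    $expectedResources += 'SMTP', 'SMTPSVC'
}
$expectedResources = $expectedResources | Select-Object -Unique

# Every resource must be registered twice: once with the FQDN, once with the NetBIOS name.
$expectedSpns = foreach ($resource in $expectedResources) {
    "$resource/$fqdn"
    "$resource/$ComputerName"
}

# Read servicePrincipalName from the computer account (sAMAccountName ends in '$').
$searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
$account  = $searcher.FindOne()
if (-not $account) { throw "Computer account '$ComputerName' was not found in Active Directory." }
$presentSpns = @($account.Properties['serviceprincipalname'])

# SPN comparison is case-insensitive, which matches PowerShell's default -notcontains.
$missing = @($expectedSpns | Where-Object { $presentSpns -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) expected SPN(s) are missing on $ComputerName. Commands to add them:"
    $missing | ForEach-Object { "  setspn.exe -a $_ $ComputerName" }
}
else {
    "All expected SPNs for roles [$($Roles -join ', ')] are present on $ComputerName."
}
```

Run it as `.\Check-ExchangeSpn.ps1 -ComputerName EXCH01 -Roles Mailbox,ClientAccess` (script name and server are placeholders); the printed commands are only suggestions to review before running, because a duplicate SPN registered on a second account breaks Kerberos just as surely as a missing one.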