Service Logons Fail Due to Incorrectly Set SPNs

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Kerberos authentication is not possible for services without properly set Service Principal Names (SPNs). SPNs are unique identifiers for services running on servers. Each service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. It is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from other services running on that computer.

In general, only one SPN should be set for each service. Multiple SPNs can cause clients to connect to the wrong system or the ticket may be encrypted with the wrong key.

Cause

No SPN has been set for a specific service or it has been set incorrectly. If an SPN is not set for a service, then clients have no way to locate that service. Thus, common results of not setting an SPN are the following errors:

  • "0x6 - KDC_ERR_C_PRINCIPAL_UNKNOWN: Client not found in Kerberos database"

  • "0x7 - KDC_ERR_S_PRINCIPAL_UNKNOWN: Server not found in Kerberos database"

These two errors usually indicate that an SPN has not been set correctly. There are many other errors for which the cause might be a missing or incorrectly set SPN including:

  • "0x29 - KRB_AP_ERR_MODIFIED: Message stream modified"

  • "0x1B - KDC_ERR_MUST_USE_USER2USER: Server principal valid for user2user only"

  • "0x8 - KDC_ERR_PRINCIPAL_NOT_UNIQUE: Multiple principal entries in database"

  • "0x1F - KRB_AP_ERR_BAD_INTEGRITY: Integrity check on decrypted field failed"

Solution

To enable a service to authenticate properly, you need to set an SPN for that service.

Because multiple services can run simultaneously under the same account, setting an SPN requires four pieces of information that will make the SPN unique. These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

An SPN itself has the form ServiceClass/Host:Port, where ServiceClass is the service class of the SPN.

You can use the following procedures to configure an SPN.

To add an SPN

  • Type the following at a command prompt:

    setspn -A ServiceClass/Host:Port AccountName

To delete an SPN

  • Type the following at a command prompt:

    setspn -D ServiceClass/Host:Port AccountName

To view the SPNs that are registered for an account

  • Type the following at a command prompt:

    setspn -L AccountName

To reset the default SPN registrations for the host names for an account

  • Type the following at a command prompt:

    setspn -R AccountName

Setspn Parameters

The following section describes the parameters for the Setspn.exe tool:

  • -A Adds the specified SPN for the computer.
  • -D Deletes the specified SPN for the computer.
  • -L Lists the currently registered SPNs for the computer. This parameter is the default: setspn run without this parameter also lists the registered SPNs.
  • -R Resets the default SPN registrations for the host names for Computer.
  • ServiceClass SPN service class assigned to the service.
  • Host The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.
  • Port The port that the service is running on. It is recommended to include the port even if it is a default port for the service.
  • AccountName The name of the domain account under which the service runs. If the service runs as Local System or Network Service, you usually do not need to set an SPN explicitly for the service, because most common SPN service classes are automatically mapped to the HOST/ SPN, which is in turn automatically generated for each computer account.
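As an added example that is not part of the original article (and not Microsoft's own code), the following PowerShell script builds one SPN in the ServiceClass/Host:Port form for each name by which the server can be reached, registers each with setspn -A against the service account, and then lists the account's registrations with setspn -L. The service class, port, account name and host names are constructed sample values; setspn.exe is assumed to be on the path (on Windows Server 2003 it ships with the Windows Support Tools).

```powershell
# Added example, not from the original article.
# Registers one SPN per host name for a service running under a domain
# account, then lists the account so the result can be checked.

# Constructed sample values (assumptions, adjust for your environment)
$ServiceClass = 'HTTP'       # service class of the SPN
$Port         = 8080         # include the port even if it is the default
$AccountName  = 'svc-web'    # sAMAccountName of the domain service account

# Every name clients may use to reach the server needs its own SPN:
# the NetBIOS name, the FQDN and any DNS aliases assigned to the computer.
$HostNames = @(
    'web01',                  # NetBIOS name (constructed)
    'web01.contoso.com',      # FQDN (constructed)
    'intranet.contoso.com'    # hypothetical alias pointing at web01
)

foreach ($h in $HostNames) {
    # Build the SPN in ServiceClass/Host:Port form
    $spn = '{0}/{1}:{2}' -f $ServiceClass, $h, $Port
    Write-Host "Registering $spn on $AccountName"
    & setspn -A $spn $AccountName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -A failed for $spn (exit code $LASTEXITCODE)"
    }
}

# List what is now registered on the account; each host name above
# should appear exactly once with the chosen service class and port.
& setspn -L $AccountName
```

Run the script once per service account from a command prompt that has rights to modify the account's servicePrincipalName attribute. If the service is later moved to a different account, delete the SPNs from the old account with setspn -D before adding them to the new one, so that the same SPN is never held by two accounts at once.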

For more information about using Setspn.exe to manipulate service principal names for accounts, see Setspn.exe: Manipulate Service Principal Names for Accounts on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=43030).

Cause

Duplicate SPNs are set for the service, and the Key Distribution Center (KDC) does not know which one is correct. Thus, common results of duplicate SPNs are the following errors:

  • "0x8 - KDC_ERR_PRINCIPAL_NOT_UNIQUE: Multiple principal entries in database"

  • "0x29 - KRB_AP_ERR_MODIFIED: Message stream modified"

These two errors usually indicate that there are duplicate SPNs. Furthermore, there are many other errors for which the cause might be duplicate SPNs. Kerberos authentication is not possible without properly set SPNs.

Solution

To enable a service to authenticate properly, you need to make sure that the service has only one SPN. First, find the duplicate SPNs and then delete one of them.

To find the duplicate SPNs by using the LDP tool

  1. Click Start, then click Run, type LDP, and then click OK.

  2. On the Connection menu, click Connect.

  3. If you are on the domain controller, leave the default settings, and then click OK. If you are not on the domain controller, type the domain controller name in the Server text box, and then click OK.

  4. On the Connection menu, click Bind.

  5. Type User, Password, and Domain in the corresponding text boxes, and then click OK.

  6. On the View menu, click Tree.

  7. In the Tree View dialog box, type the base distinguished name in the BaseDN text box or select it from the pull-down menu.

  8. On the Browse menu, click Search.

  9. In the Search dialog box, type the base distinguished name in the BaseDN box or select from the pull-down menu.

  10. In the Search dialog box, type the following in the Filter box:

    serviceprincipalname=SPN/FQDN

    For SPN, type the service class from the Service Principal Name that the error refers to - for example, HOST for computer accounts, HTTP for Web services.

  11. Under Scope, click the Subtree option.

  12. Click Run.

For more information about using Ldp.exe to search Active Directory, see Using Ldp.exe to Find Data in the Active Directory on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=23064).
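The LDP search above checks one SPN at a time. As an added example that is not part of the original article (and not Microsoft's own code), the following PowerShell script runs the same kind of LDAP subtree search against the domain naming context, collects every servicePrincipalName value for the chosen service class, and reports any value that is held by more than one account. It goes beyond the single-SPN search in the procedure by covering a whole service class at once. It assumes it is run as a domain user on a domain-joined computer; the base DN is read from RootDSE, and the service class is a constructed sample value.

```powershell
# Added example, not from the original article.
# Finds SPNs of one service class that are registered on more than one
# account: the duplicate condition that causes KDC_ERR_PRINCIPAL_NOT_UNIQUE.

$ServiceClass = 'HTTP'   # constructed sample value; use '*' for every class

# Base DN of the domain, read from RootDSE (assumes a domain-joined host)
$rootDse = [ADSI]'LDAP://RootDSE'
$baseDN  = [string]$rootDse.defaultNamingContext

# Same filter and scope as the LDP procedure: serviceprincipalname=Class/*, subtree
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]("LDAP://$baseDN")
$searcher.Filter      = "(servicePrincipalName=$ServiceClass/*)"
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000          # page results for large domains
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

# Map each SPN (compared case-insensitively) to the accounts holding it
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties['distinguishedname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
        $owners[$key] += $dn
    }
}

# Report only SPNs that appear on two or more accounts
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) {
    Write-Host "No duplicate $ServiceClass SPNs found under $baseDN"
} else {
    foreach ($d in $duplicates) {
        Write-Host "Duplicate SPN: $($d.Key)"
        foreach ($holder in $d.Value) { Write-Host "    held by $holder" }
    }
}
```

For each duplicate reported, keep the SPN on the account the service actually runs under and remove it from the other account with setspn -D. Note that the search is case-insensitive on purpose: the KDC treats HTTP/web01.contoso.com and http/web01.contoso.com as the same principal, so differently cased copies on two accounts are still duplicates. Later versions of setspn.exe (Windows Server 2008 and newer) can perform this duplicate search directly with setspn -X, which is not available in the Windows Server 2003 Support Tools version this article covers.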

If there are duplicate SPNs listed, delete the appropriate SPN by using the following command:

To delete an SPN

  • Type the following at a command prompt:

    setspn -D ServiceClass/Host:Port AccountName

For information about the parameters for setspn.exe, see Setspn parameters.

For more information about how to use the Windows Support Tools, see Introduction to Support Tools on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=38906).