TechTutorials - Free Computer Tutorials  







SPN could not be registered for VMRC on a Domain Controller 
 


Added: 11/08/2005
After installing Virtual Server 2005 on my Windows 2003 domain controller, the Virtual Server event log displayed this error message each time the Virtual Server was restarted.

Quote :

Event ID 1029 - The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication. Error 0x80072098 - Insufficient access rights to perform the operation.


As the message clearly states, the problem is with permissions. The first place I looked was the account the Virtual Server was starting as, which was NT AUTHORITY\NetworkService. I thought this would be the Local System account, as that was the option I chose at the installation screen -

Quote :

Configure the Administration Website to always run as the authenticated user, or select Configure the Administration Website to always run as the Local System account. Then, click Next.


Disregarding this mismatch of choice and end result, I decided to follow the normal best practice of creating an account specifically for each service with elevated privileges, named VSSrv, and gave it domain admin privileges. When the Virtual Server service was restarted, it started a lot quicker with no errors.

The following SPNs were also added (displayed using the setspn -L %Servername% command)

Quote :

-vmrc/TDS-HostServer1.Testnetwork.Internal:5900
-vmrc/TDS-HostServer1:5900
-vssrvc/TDS-HostServer1.Testnetwork.Internal
-vssrvc/TDS-HostServer1


At this point I have not taken the time to figure out what effect this would have on constrained delegation, so bear this in mind if you decide to recycle this information.
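
To confirm the registration after a service restart without reading the listing by eye, the saved output of setspn -L can be checked against the four SPNs shown above. This is an added example, not part of the original article; the sample listings, the HOST/ entries and the OU in the header line are constructed, and the function names are hypothetical.

```python
# Added example: verify `setspn -L` output contains the SPNs Virtual Server needs.

def parse_setspn_listing(text):
    """Return the SPN entries found in `setspn -L` output."""
    spns = []
    for line in text.splitlines():
        # Drop indentation and any list dash copied along with the entry.
        entry = line.strip().lstrip("-").strip()
        if entry.lower().startswith("registered serviceprincipalnames"):
            continue  # header line naming the account's distinguished name
        if "/" in entry:  # SPNs have the form serviceclass/host[:port]
            spns.append(entry)
    return spns

def expected_spns(short_name, fqdn, vmrc_port=5900):
    """The four SPNs shown in the article, built for a given host."""
    return [f"vmrc/{fqdn}:{vmrc_port}", f"vmrc/{short_name}:{vmrc_port}",
            f"vssrvc/{fqdn}", f"vssrvc/{short_name}"]

def missing_spns(listing, short_name, fqdn, vmrc_port=5900):
    """List expected SPNs absent from the listing (case-insensitive match)."""
    present = {s.casefold() for s in parse_setspn_listing(listing)}
    return [s for s in expected_spns(short_name, fqdn, vmrc_port)
            if s.casefold() not in present]

# Constructed sample listings; the HOST/ entries are illustrative filler.
HEADER = ("Registered ServicePrincipalNames for "
          "CN=TDS-HOSTSERVER1,OU=Domain Controllers,DC=Testnetwork,DC=Internal:\n")
BEFORE = HEADER + "\tHOST/TDS-HostServer1\n\tHOST/TDS-HostServer1.Testnetwork.Internal\n"
AFTER = BEFORE + ("\tvmrc/TDS-HostServer1.Testnetwork.Internal:5900\n"
                  "\tvmrc/TDS-HostServer1:5900\n"
                  "\tvssrvc/TDS-HostServer1.Testnetwork.Internal\n"
                  "\tvssrvc/TDS-HostServer1\n")

if __name__ == "__main__":
    for label, listing in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_spns(listing, "TDS-HostServer1",
                            "TDS-HostServer1.Testnetwork.Internal")
        print(label, "missing:", gaps or "none")
```

An empty result means all four SPNs are present on the account that was listed; any names returned are the ones that still need to be registered.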




