My experience with Microsoft technology

Enable service accounts in an OU to register SPNs for themselves

I was just installing the Operations Manager 2012 Beta in my lab and I saw a familiar alert in the console:

[Screenshot: spn0]

If you don’t want to fiddle around with manually registering the SPNs, here is a quick way to allow all accounts in an OU to register the SPNs for themselves.

Open adsiedit and connect to the default naming context:

[Screenshot: spn1]

Go to the properties of the OU holding your service accounts:

[Screenshot: spn2]

In the Advanced Security dialog, add SELF and edit the permissions. Go to the Properties tab and check the boxes to allow Read servicePrincipalName and Write servicePrincipalName for the Descendant User objects.

[Screenshot: spn3]

After the next restart, your Management Server will register its SPNs. You can check whether it is working correctly by running these commands:

SDK: SETSPN -L <your domain>\<sdk domain account>
Health Service: SETSPN -L <servername>
SQL Service: SETSPN -L <your domain>\<sql service account>
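
The ADSI Edit steps above can also be scripted. The following PowerShell is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed and uses a placeholder OU distinguished name. It grants the same SELF entry and then lists every trustee on the OU that can write servicePrincipalName, so you can confirm nothing broader than SELF was granted.

```powershell
# Added example: scripted equivalent of the ADSI Edit steps in this post.
# Assumption: $ouDn is a placeholder; replace it with your service-account OU.
Import-Module ActiveDirectory                      # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ACL types used below

$ouDn = 'OU=Service Accounts,DC=example,DC=com'    # placeholder DN
$path = "AD:\$ouDn"

# Schema GUIDs: the servicePrincipalName attribute and the user object class.
$spnAttr   = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# SELF (S-1-5-10): each account may only change the SPNs on its own object.
$self    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'
$read    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$rights  = $read -bor $write
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
# "Descendents" = applies to child objects only, filtered to users by $userClass.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self, $rights, $allow, $spnAttr, $inherit, $userClass)

# Read the OU's ACL, add the entry (an identical existing entry is merged),
# and write the ACL back.
$acl = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Review: every explicit or inherited allow entry on the OU that permits
# writing servicePrincipalName. Only SELF is expected from this change.
$sidType = [System.Security.Principal.SecurityIdentifier]
(Get-Acl -Path $path).GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq $allow -and
        $_.ObjectType -eq $spnAttr -and
        ($_.ActiveDirectoryRights -band $write) -eq $write
    } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType, IsInherited
```

The review step only lists entries scoped specifically to servicePrincipalName; entries granting write access to all properties appear in the full ACL instead.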

You can learn more about the SPNs (Operations Manager 2007) and how to allow a single user account to register its SPN on Jonathan Almquist’s blog:

blogs.technet.com/b/jonathanalmquist/archive/2008/08/14/operations-manager-2007-spn-s.aspx

blogs.technet.com/b/jonathanalmquist/archive/2008/03/12/sdk-spn-not-registered.aspx

Written by alexanderschmitt

24. August 2011 at 15:49

Posted in Miscellaneous
