SDK SPN Not Registered

Attention: Please also read my other post about Operations Manager 2007 SPNs to gain a full understanding of all that is required.

I started seeing these alerts after upgrading my Management Group to SP1.  This warning alert (Operations Manager SDK service failed to register an SPN) occurred each time the SDK Service on my RMS restarted.

(Screenshot: SDK SPN Warning 2)

This is the actual event in the Operations Manager event log on the RMS.

Event Type: Warning
Event Source: OpsMgr SDK Service
Event Category: None
Event ID: 26371
Date: 3/12/2008
Time: 11:25:22 AM
User: N/A
Computer: OMRMS
Description:
The System Center Operations Manager SDK service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/OMRMS and MSOMSdkSvc/OMRMS.opsmgrlab.com to the servicePrincipalName of OPSMGRLAB\SCOM-SDK

I verified the SPN was registered for the SDK Service by running SETSPN -L.  Even still, I verified there were no duplicate entries using the DHCheck.exe tool.

The summary in the alert states "...the SDK service needs to register SPN's for itself".  So, the suggested resolution is slightly misleading, and I'll tell you why.  Each time the SDK Service is started on the RMS, it attempts to register its SPN.  The account that the service logs on with is your SDK account (in my case SCOM-SDK, which is an Active Directory account).  When you create a user account in Active Directory, the account does not inherently receive Allow Read servicePrincipalName and Write servicePrincipalName permissions on its own object.  Given that the SDK Service needs to register SPNs for itself, we need to give our SDK account Allow permission on these properties.

If you manually registered the SDK SPN (which is what I recommend), you can disable this rule.  Regardless of whether the SPN is already registered, the SDK service will always attempt to read this attribute.  The alert is somewhat misleading, as this rule will always detect an issue with the SDK SPN, because in its default configuration the SDK account cannot read this property.

If you have not manually registered the SDK SPN and you'd like the service to register it itself, then you need to give the SDK account the appropriate permissions to register its SPN in AD.

Open ADSIEdit.msc on your DC and navigate to the account you created for your SDK Service, then:

1. Right-click the account > Properties.
2. Click the Security tab.
3. Click Advanced > Add > type in SELF > click OK.
4. Click the Properties tab.
5. In the Apply Onto drop-down list, select This object only.
6. Scroll the properties list down until you find Read servicePrincipalName and Write servicePrincipalName, and select Allow for both.
7. Click OK until all dialog boxes are closed.
8. Restart the SDK Service on the RMS.
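The same ACL change, scripted so it can be applied and verified without clicking through ADSIEdit. This is an added example and not from the original post; it assumes the ActiveDirectory PowerShell module is available, that you run it with rights to modify the account's ACL (the event text says a domain admin), and it uses the SCOM-SDK account name from the post.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# is available and the SDK service account is sAMAccountName SCOM-SDK (from the post).
Import-Module ActiveDirectory

$sdkAccount = 'SCOM-SDK'
$dn = (Get-ADUser -Identity $sdkAccount).DistinguishedName

# Look up the schemaIDGUID of servicePrincipalName from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' `
                -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

# SELF (S-1-5-10) is the well-known SID for "the principal this object represents",
# i.e. the SDK account acting on its own user object.
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

# Allow Read Property + Write Property, scoped to the servicePrincipalName attribute only,
# applied to "This object only" (no inheritance), matching the ADSIEdit steps above.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$dn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl

# Verify: the ACE for SELF on servicePrincipalName should now be listed.
(Get-Acl -Path "AD:\$dn").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and $_.ObjectType -eq $spnGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# After restarting the SDK Service on the RMS, confirm the MSOMSdkSvc/... SPNs named in
# event 26371 are present on the account.
setspn -L $sdkAccount
```

Scope the rule to the single attribute as shown rather than granting the account generic write to its own object; the SDK account needs exactly the two property rights the post names and nothing more.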

(Screenshot: SDK SPN Warning)