From time to time I see errors occur when services fail to register SPNs properly. What is an SPN? It's a Service Principal Name, and it represents a service account's way of logging on to the domain through Kerberos. Users normally have a UPN, or User Principal Name, typically in the form of firstname.lastname@example.org.
Advanced Group Policy Management's service uses SPNs the same way services like Exchange and SQL do. Sometimes SPNs can be misregistered or misconfigured, especially if you need to change the service account name that the service logs on with. First, view the current registration to make sure you have it right, using the SetSPN utility that's provided in Windows. Then, when you know what the current registration is, you can change it to what you want it to be.
Here's how to change it:
- SetSPN -L <your service account for AGPM/SQL/Exchange>. This will show you what the current registration is for that service account.
- SetSPN -A Servicename/FQDN of hostname/FQDN of domain domain\serviceaccount
To make it a little easier to see, here is a screenshot of my server where I've set an SPN for my AGPM Server:
The first line is where I've queried for current registrations against a particular service account. The second line is an example of how to set the SPN. Note the format is in line with my example above.
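The two steps above as an added PowerShell example (not from the original post), extended with a check for an existing registration, since an SPN held by more than one account breaks Kerberos authentication to that service. It assumes the RSAT ActiveDirectory module is installed; the account, domain and SPN values are constructed placeholders.

```powershell
# Added example: list, check for conflicts, then register an SPN.
# All values below are constructed placeholders; substitute your own.
Import-Module ActiveDirectory    # assumption: RSAT Active Directory module is available

$Account = 'svc-agpm'            # sAMAccountName of the service account (hypothetical)
$Domain  = 'CORP'                # NetBIOS domain name (hypothetical)
$Spn     = 'ExampleSvc/agpm01.corp.example/corp.example'   # hypothetical SPN

# Step 1: show the current registrations for the service account.
setspn -L "$Domain\$Account"

# Find every object in the current domain that already holds this exact SPN.
# servicePrincipalName is multi-valued; -eq matches if any value equals $Spn.
$owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" `
                         -Properties sAMAccountName, servicePrincipalName)

if ($owners.Count -eq 0) {
    # Step 2: nothing holds the SPN yet, so register it on the service account.
    setspn -A $Spn "$Domain\$Account"
}
elseif ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $Account) {
    Write-Output "SPN $Spn is already registered on $Account; nothing to do."
}
else {
    # The SPN sits on a different account (for example the previous service
    # account) or on several. Adding it again would create a duplicate.
    Write-Warning "SPN $Spn is registered elsewhere; remove it there first:"
    foreach ($o in $owners) {
        Write-Warning ("  {0}  ->  setspn -D {1} {2}\{3}" -f `
            $o.DistinguishedName, $Spn, $Domain, $o.sAMAccountName)
    }
}

# Confirm the final state of the service account.
setspn -L "$Domain\$Account"
```

Get-ADObject searches only the current domain by default, so in a multi-domain forest repeat the lookup against the other domains or a global catalog.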
Hope this helps!