Solution: Unable to add a managed host in SCVMM 2008, Error 2927 (0x8033809d)

fixAdding a managed host in System Center Virtual Machine Manager 2008 may fail with the following error messages:

From the VMM admin console:

Error (2927)
A Hardware Management error has occurred trying to contact server %server.
(Unknown error 0x8033809d))

Recommended Actions
Check that WinRM is installed and running on server %server.  For more information use the command "winrm helpmsg hrresult".

The following event may also be logged in the System event log :

Log Name:       System
Source:            Microsoft-Windows-Security-Kerberos
Date:               23/04/2009 2:08:30 PM
Event ID:          4
Task Category: None
Level:              Error
Keywords:         Classic
User:               N/A
Computer:        %server%.
Description:  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server %server%. The target name used was HTTP/%server%.. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Cause: This problem occurs because two or more computer accounts have the same service principal name (SPN) registered. Event ID 11 is logged when the Key Distribution Center (KDC) receives a ticket request, and the related SPN exists more than one time when it is checked on the global catalog (GC) for forest wide verification.

Resolution: To resolve this problem, locate the computer or user accounts that have the duplicate SPNs.  When you have located the computers that have the duplicate SPNs, you can delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.

To locate the computer accounts that have the duplicate SPNs, use the following steps :

1.    Use the querySpn.vbs script in the following Microsoft TechNet article. To use the script, copy the code, paste it into Notepad, and then save the script as querySpn.vbs.

2.    Run the script by using the following command:

    cscript spnquery.vbs HOST/mycomputer* > c:\check_SPN.txt

3.    Open the check_SPN.txt file in Notepad, and then search for the SPN that is reported in the event log.

4.    Note the user accounts and the computer accounts under which the SPN is located.

5.    Use ADSIedit.msc to remove the duplicate SPN and register on correct object.

Mike Briggs | Senior Support Escalation Engineer