Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

Lakshmi J — Thu, 09 Dec 2010 16:52:59 GMT

Thank You!

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

greener85 — Wed, 08 Dec 2010 17:47:34 GMT

Please do the action plan that Ned is listing out.

But also, think about what happened just prior to that time of deletion. Also I have a question for you. This SQL Instance where the SPN is getting deleted. Is this possibly a SQL Cluster?

There is a known issue with SQL Cluster when it fails over, it will delete the SPN on the node that is stopping. When this is done, the domain controller removes the SPN. Then the starting node will register the SPN. So as you can see there is a possibility that the nodes are communicating with two different domain controllers in the AD site. Thus last writer wins when AD replication happens.

If the last writer just happens to be the node that is stopping for some reason, you get a servicePrincipalName attribute that is missing your required MSSQLSvc SPN.

Also, starting in Windows Vista/2008 and higher, the Terminal Service will also register its SPN at at start. If this only happens when the computer restarts, then it could be a similar situation as above. SQL registers the SPN against DC1, then TermServ is registered against DC2. Last writer wins, and the ServicePrincipalName attribute on DC2 did not include the MSSQLSvc SPN and thus it is not there when AD replication happens.

Rob Greene

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

NedPyle [MSFT] — Wed, 08 Dec 2010 14:21:45 GMT

Hi,

Start by running REPADMIN.EXE /SHOWMETA <DN of that object getting its SPN's deleted> after the SPN is deleted *but before you fix the SPN*. This will tell you when the deletion happened and from which DC it originated. If you do this a couple times and find that it's always the same DC, you'd want to investigate for a script or other process running on that server, as well as the computers running in that DC's site. You should also enable DS Access Auditing and set auditing security entries on that object to perhaps see if there's an associated account doing it everytime; that might give more clues.

I agree that the advice you got from those SQL conference people is likely mistaken.

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

Lakshmi J — Tue, 07 Dec 2010 16:33:05 GMT

Hi :

Great Post. How do we resolve a missing SPN issue ( We create the SPN but they get deleted randomly)

Here is the issue raised by our SQL folks:

=============================================================================================

SPN entries getting repeatedly deleted from AD . When I was in Seattle at the SQL Server user group conference, I brought this issue up with several engineers from Microsoft, who said it was most likely an AD container sync problem.

==============================================================================================

Our AD infrastructure is pretty healthy and i am unable to see how this is a sync issue.

Thanks for the Help

Regards

Lakshmi

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

jsmith — Fri, 29 May 2009 00:01:47 GMT

Rob,

Your suggestion about using msds-additionalDnsHostName solved the problem. Thanks for your expertise and help!

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

greener85 — Tue, 12 May 2009 21:09:08 GMT

Hey JSmith,

So I did some testing today. Here is how you should be able to make this work on your domain controller.

Launch ADSIEdit.msc and select the properties of the domain controller. You will want to add the other DNS name to the following attribute on the DC Computer object.

msds-additionalDnsHostName

Hope this helps.

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

greener85 — Tue, 12 May 2009 01:42:35 GMT

Hey JSmith,

First let me say thank you for the kind remarks from all of us here that write content for AskDS.

So I think I know at some level what might be happening to you.

I think that Netlogon on the domain controller is writing or doing something with the DNSHostName attribute on the domain controller computer account in Active Direcotry.

So I worked this case one time, where the customer thought it would be cool to change the computers DNS suffix based on the AD site that they belonged to which caused what we call a Disjointed name space on for the client machines.

When a computer boots up it checks the DNSHostName attribute on the account. If the name does not reflect the current DNS suffix on the machine it changes it.

Then later in LSASS code on the domain controller it will go through and change the Service Principal Name attributes to match the DNSHostName attribute. Since this is a domain controller it is going to re-write all service names and delete ones that should not be there.

I am currently not sure why we would be writing these values back if the name is not changing. However there is some very specific code in LSASS in regards to domain controllers that you might be seeing this behavior. Another thought that a coworker had is that the KCC might be causing this since it does run every 15 minutes.

Thinking about your problem, you might try to use the optionalNames registry key on the domain controller. I am not positive if this will resolve the issue or not but you might want to give it a try.

891607 The supported method of using the OptionalNames registry entry on a computer that is running Windows 2000 or Windows Server 2003

http://vkbexternal/VKBWebService/ViewContent.aspx?scid=KB;EN-US;891607

Rob Greene

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

jsmith — Fri, 08 May 2009 21:43:36 GMT

Thanks for making a difficult subject understandable.

How do you set a spn on a domain controller? No matter what I do, ADSIedit or Setspn, in about 15 minutes or a reboot, the DC removes the entries.

We have a CNAME record "ldap" pointing to a domain controller DNS A record. This is because we don't want our many developers explicitly using a domain controller hostname in their code. When I create "ldap/ldap" and "ldap/ldap.mydomain.com", the ldap queries successfully use Kerberos. However, after a few minutes, the DC removes the SPN's and then the queries fall back to NTLM. I thought maybe the "ldap/ldap" or "ldap/ldap.mydomain.com" was special so I simply created a "host/tobeornottobe", rebooted, and the dc removed it. Any suggestions?

Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 3

Ask the Directory Services Team — Wed, 11 Jun 2008 21:30:28 GMT

Now we have seen what it looks like when there is no Service Principal Name defined , and when the Service

Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2

Ask the Directory Services Team — Mon, 09 Jun 2008 20:35:18 GMT

So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined