Kevin Holman's System Center Blog


OpsMgr 2012: What should the SPN’s look like?


SPN (Service Principal Name) settings in OpsMgr 2012 are very similar to those in OpsMgr 2007. However, since the SDK (Data Access) service now runs on ALL management servers, the SPNs registered on the SDK (DAS) service account are different.

If you deploy OpsMgr using a standard domain user account for the SDK service, you might see alerts like the following:

Data Access Service SPN Not Registered

Alert Description:   The System Center Operations Manager SDK service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/OMMS1 and MSOMSdkSvc/OMMS1.opsmgr.net to the servicePrincipalName of OPSMGR\omdas

This is caused by the fact that when the SDK service (System Center Data Access Service) starts up, it tries to ensure/update the SPN on the account that the SDK service is running under. By default in a domain, a standard user account does not have the right to write its own servicePrincipalName attribute (computer accounts do, which is why the HealthService SPNs below need no help). A domain admin should create the SPN in this case. Do not work around this by making the service account a Domain Admin; if you want the service to self-register on future restarts, the least-privilege option is to grant that one account the "Validated write to service principal name" permission on itself.

 

To see if it worked, open a command prompt and list the SPNs on your domain SDK account:

C:\>setspn -L DOMAIN\sdkdomainuseraccount

The output will be:

Registered ServicePrincipalNames for CN=sdkdomainuseraccount,OU=Service Accounts,OU=Accounts,OU=US,DC=domain,DC=com:
        MSOMSdkSvc/OMMS1
        MSOMSdkSvc/OMMS1.opsmgr.net
        MSOMSdkSvc/OMMS2
        MSOMSdkSvc/OMMS2.opsmgr.net

Notice how this has changed from OpsMgr 2007: the SDK domain account now carries an MSOMSdkSvc SPN (short name and FQDN) for EVERY management server, instead of just the RMS. If a management server is missing from this list, Kerberos authentication to the DAS on that server will fall back to NTLM or fail.
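As an added example (this is not code from the original post), here is how a domain admin would register the SPNs the alert above asks for, using the names from the sample output: the DAS account OPSMGR\omdas and management servers OMMS1 and OMMS2 in opsmgr.net. It uses setspn -S rather than -A so that an SPN already held by another object (for example a management server's computer account) is refused instead of silently duplicated.

```powershell
# Added example, not part of the original post. Assumes the DAS/SDK service
# runs as OPSMGR\omdas and the management servers are OMMS1 and OMMS2 in the
# opsmgr.net DNS domain. Run from an elevated prompt as a user allowed to write
# servicePrincipalName on the omdas account (a Domain Admin, or an account that
# was delegated "Validated write to service principal name" on it).

$SdkAccount        = 'OPSMGR\omdas'
$ManagementServers = 'OMMS1', 'OMMS2'
$DnsSuffix         = 'opsmgr.net'

foreach ($ms in $ManagementServers) {
    # Each management server needs both the NetBIOS and the FQDN form.
    foreach ($name in @($ms, "$ms.$DnsSuffix")) {
        $spn = "MSOMSdkSvc/$name"

        # -S checks the whole forest for an existing holder of this SPN before
        # adding it; a duplicate SPN breaks Kerberos for that service, so a
        # refusal here is a finding to investigate, not something to force.
        $output = & setspn.exe -S $spn $SdkAccount 2>&1
        $output | Write-Output

        if ($LASTEXITCODE -ne 0 -or ($output -match 'Duplicate SPN')) {
            Write-Warning "Could not register $spn on $SdkAccount. Find the current holder with: setspn -Q $spn"
        }
    }
}

# Verify: expect exactly one MSOMSdkSvc entry per name listed above.
& setspn.exe -L $SdkAccount
```

Only the SDK account is touched here; the MSOMHSvc entries on the management server computer accounts are registered by the agent itself and are left alone.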

 

The HealthService SPNs on the management server computer accounts have not changed from OpsMgr 2007. A computer account may write its own servicePrincipalName, so these are registered automatically and should not require any modification:

C:\>setspn -l omms1

The output:

Registered ServicePrincipalNames for CN=OMMS1,CN=Computers,DC=domain,DC=com:
        MSOMHSvc/OMMS1
        MSOMHSvc/OMMS1.opsmgr.net
        WSMAN/OMMS1.opsmgr.net
        WSMAN/OMMS1
        TERMSRV/OMMS1
        TERMSRV/OMMS1.opsmgr.net
        RestrictedKrbHost/OMMS1
        HOST/OMMS1
        RestrictedKrbHost/OMMS1.opsmgr.net
        HOST/OMMS1.opsmgr.net


*Note – In SCOM 2012 you might notice that every time the management server service is restarted, or the server is rebooted, we log an event (and create an alert) stating that the SPNs are incorrect. This event/alert is in error: it complains that the SDK SPN is missing from the management server COMPUTER account, which should only be the case if you are running the SDK service as Local System. Ignore this event and alert. In particular, do not "fix" it by adding MSOMSdkSvc/<managementserver> to the computer account as well: the same SPN on two accounts is a duplicate SPN, and Kerberos authentication to the Data Access Service will then fail.
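To check whether your environment has ended up in the state the note warns about, here is an added audit script (again, not from the original post) that finds every object in the domain holding an MSOMSdkSvc SPN and flags the two problems that matter: the same SPN registered on more than one object, and an SDK SPN sitting on a computer account. It assumes the DAS runs as a domain user; if the DAS runs as Local System the computer account is the correct holder and the second check does not apply.

```powershell
# Added example, not part of the original post. Enumerates MSOMSdkSvc SPNs
# across the current domain with an LDAP search and reports duplicates and
# SPNs registered on computer objects. Read-only; the suggested setspn -D
# commands are printed, not executed. Assumes the DAS runs as a domain user.

function Get-SdkSpnHolders {
    # Any object whose servicePrincipalName starts with MSOMSdkSvc/
    $searcher = [ADSISearcher]'(servicePrincipalName=MSOMSdkSvc/*)'
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('distinguishedName', 'objectClass', 'servicePrincipalName', 'sAMAccountName'))

    foreach ($r in $searcher.FindAll()) {
        $isComputer = @($r.Properties['objectclass']) -contains 'computer'
        $sam        = [string]$r.Properties['samaccountname'][0]
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            if ($spn -like 'MSOMSdkSvc/*') {
                New-Object PSObject -Property @{
                    SPN    = [string]$spn
                    Holder = $sam
                    Class  = $(if ($isComputer) { 'computer' } else { 'user' })
                    DN     = [string]$r.Properties['distinguishedname'][0]
                }
            }
        }
    }
}

$holders = @(Get-SdkSpnHolders)
$holders | Sort-Object SPN | Format-Table SPN, Holder, Class -AutoSize

# 1. Duplicate SPNs: the KDC cannot choose a key when two objects claim one SPN,
#    so clients get Kerberos errors or silently fall back to NTLM.
$holders | Group-Object SPN | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} held by: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.Holder }) -join ', '))
}

# 2. SDK SPNs on a computer object. With the DAS running as a domain user these
#    should live only on that user account; the computer-side copy is the one
#    to remove (setspn takes the computer name without the trailing $).
$holders | Where-Object { $_.Class -eq 'computer' } | ForEach-Object {
    $computer = $_.Holder.TrimEnd('$')
    Write-Warning ("{0} is registered on computer account {1}; remove with: setspn -D {0} {1}" -f $_.SPN, $computer)
}
```

Run it as any domain user (the search is read-only); act on the warnings with an account that can write servicePrincipalName on the object in question, and re-run after each change so the listing shows every management server exactly once, on the service account.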

Comments
  • Thanks Kevin!

    -Tom

  • Can you confirm this is correct for OM12?  We are still seeing the errors in the Operations Manager log and alerts generated in OM12 regarding SPNs.  Apparently the SDK wants us to add the SPN to each MS computer, rather than the SDK domain account...

  • Yes - from what I can tell - the event/alert is a bug, and is incorrect.  The SPNs are the same as they were in OpsMgr 2007 - the SDK SPN for the DAS account should be attached to the domain user account, not the Computer account in the domain.  The only difference between OpsMgr 2007 and OM12 is that there will be multiple SDK SPNs on the domain user account that runs the SDK service, one for each management server, since all run the SDK service.

  • We set up our SPNs correctly, registering the MSOMSdkSvc/<mgmtSvr> SPNs to the SDK service account and removing them from the Ops Manager Server computer accounts. However, every time we restart a management server or just restart the SDK service, a duplicate MSOMSdkSvc/mgmtSvr gets registered against the ops manager server account.

  • Kevin,

    I have new setup of SCOM 2012

    sdk service is running under a user account

    when I go to ADSIEDIT and check SPNs under the user account it does not show any SPN registered for MSOMSDKSVC

    I see the SPN registered for MSOMSDKSVC under the management server computer account

    I have not edited the SPNs manually

    Is this alright? I do not see any errors in the event log whenever the services are restarted... kindly validate

  • I have a small confusion. Is SPN registration to be done at the SCOM management server or the domain controller?

  • Anil - SPNs are registered in AD, so it doesn't matter where you do it from, so long as the account you're using has Domain Admin privileges. The SPN for the MSOMHSvc entry should point to your management server. (e.g.  MSOMHSvc/ManagementServerName)
