
System Center Operations Manager SDK service failed to register an SPN


 

 

Have you seen this event in your RMS OpsMgr event logs?

 

    Event Type:      Warning
    Event Source:    OpsMgr SDK Service
    Event Category:  None
    Event ID:        26371
    Date:            12/13/2007
    Time:            2:58:24 PM
    User:            N/A
    Computer:        RMSCOMPUTER
    Description:
    The System Center Operations Manager SDK service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/rmscomputer and MSOMSdkSvc/rmscomputer.domain.com to the servicePrincipalName of DOMAIN\sdkaccount

 

This seems to appear in the RC1-SP1 build of OpsMgr.

 

Every time the SDK service starts, it tries to update the SPNs on the AD account that the SDK service runs under.  It fails because, by default, a user cannot update its own SPNs, so this event is logged.

If the SDK account is a domain admin, it does not fail, because a domain admin has the necessary rights.  Obviously, we don’t want the SDK account to be a domain admin. That isn’t required, nor is it a best practice.

Therefore, to resolve this error, we need to give the SDK service account the right to update its own SPN.  The easiest way is to go to the user account object for the SDK account in AD and grant SELF full control.

A better, more granular way is to grant SELF only the right to modify the SPN:

 

  • Run ADSIEdit as a domain admin.
  • Find the SDK domain account, right-click it, and choose Properties.
  • Select the Security tab, click Advanced.
  • Click Add.  Type “SELF” in the object box.  Click OK.
  • Select the Properties tab.
  • Scroll down and check the “Allow” box for “Read servicePrincipalName” and “Write servicePrincipalName”.
  • Click OK.  Click OK.  Click OK.
  • Restart your SDK service. If AD has replicated from where you made the change, all should be resolved.
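
The same property-scoped grant can be scripted instead of clicked through ADSIEdit. The following is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module, a session running as a domain admin, and `sdkaccount` as a placeholder for the SDK service account name.

```powershell
# Added example: grant SELF read/write on servicePrincipalName only.
# Assumptions: ActiveDirectory module (RSAT), run as a domain admin,
# 'sdkaccount' is a placeholder for the SDK service account.
Import-Module ActiveDirectory

$sdk  = Get-ADUser -Identity 'sdkaccount'
$path = "AD:\$($sdk.DistinguishedName)"

# Look up the schemaIDGUID of the servicePrincipalName attribute so the ACE
# is scoped to that one property instead of the whole object.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNC `
              -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' `
              -Properties schemaIDGUID
$spnGuid  = [Guid]$attr.schemaIDGUID

# S-1-5-10 is the well-known SID for SELF (Principal Self).
$selfSid = 'S-1-5-10'
$self    = New-Object System.Security.Principal.SecurityIdentifier $selfSid
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$none    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$acl     = Get-Acl -Path $path
$sidType = [System.Security.Principal.SecurityIdentifier]

# Skip the write if an equivalent explicit ACE is already present (idempotent).
$existing = $acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.IdentityReference.Value -eq $selfSid -and
    $_.ObjectType -eq $spnGuid -and
    $_.AccessControlType -eq $allow -and
    ($_.ActiveDirectoryRights -band $rights) -eq $rights
}
if (-not $existing) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
             -ArgumentList $self, $rights, $allow, $spnGuid, $none
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Show every ACE held by SELF so a broader grant (e.g. GenericAll) stands out.
(Get-Acl -Path $path).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $selfSid } |
    Select-Object ActiveDirectoryRights, ObjectType, AccessControlType, IsInherited
```

If the final listing shows a SELF entry with GenericAll and an empty ObjectType, the account was given full control over itself rather than the property-scoped right described above.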

To check SPN's:

The following command will show all the HealthService SPN's in the domain:

    Ldifde -f c:\ldifde.txt -t 3268 -d DC=DOMAIN,DC=COM -r "(serviceprincipalname=MSOMHSvc/*)" -l serviceprincipalname -p subtree
 

To view SPN's for a specific server: 

    setspn -L servername
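
The Ldifde query above can also be run from PowerShell and extended to cover the SDK service SPNs and to flag any SPN value that sits on more than one account. This is an added example, not code from the original post; it assumes the ActiveDirectory module and uses `domain.com` as a placeholder DNS name for reaching a global catalog on port 3268.

```powershell
# Added example: list OpsMgr SPNs via the global catalog and flag duplicates.
# Assumptions: ActiveDirectory module; 'domain.com' is a placeholder DNS
# name that resolves to a global catalog (port 3268, as in the Ldifde query).
Import-Module ActiveDirectory

$gc       = 'domain.com:3268'
$prefixes = 'MSOMSdkSvc', 'MSOMHSvc'   # SDK service and HealthService SPNs

$rows = foreach ($p in $prefixes) {
    Get-ADObject -Server $gc -LDAPFilter "(servicePrincipalName=$p/*)" `
                 -Properties servicePrincipalName, sAMAccountName |
    ForEach-Object {
        $obj = $_
        # An object can carry many SPNs; keep only the ones for this prefix.
        $obj.servicePrincipalName |
            Where-Object { $_ -like "$p/*" } |
            ForEach-Object {
                [pscustomobject]@{
                    SPN     = $_.ToLower()   # SPN matching is case-insensitive
                    Account = $obj.sAMAccountName
                    DN      = $obj.DistinguishedName
                }
            }
    }
}

$rows | Sort-Object SPN, Account | Format-Table -AutoSize

# The same SPN on two different objects is what AD reports as a duplicate.
$dupes = $rows | Group-Object SPN | Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    Write-Warning ("{0} is registered on: {1}" -f $d.Name,
                   (($d.Group | ForEach-Object { $_.Account }) -join ', '))
}
```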

 

 

Published Thursday, December 13, 2007 10:52 PM by kevinhol


Comments

# SCOM SP1 - SDK SPN Not Registered Alert

Sunday, March 09, 2008 10:57 PM by Ying Li at myITforum.com

After I upgrade to SCOM SP1, every time I restart SDK service, I got the below alert: Alert: SDK SPN Not

# re: System Center Operations Manager SDK service failed to register an SPN

Tuesday, July 22, 2008 2:56 PM by Kerry Gerhard

I'm not domain admin: what to do?

The suggested fix in the alert is not working for me.  Is this because I'm not domain admin?

(from alert)

• Setspn.exe -A MSOMSDK/<RMS FQDN> domain\username (this is the SDK service account name)

• Setspn.exe -A MSOMSDK/<RMS NETBIOS> domain\username

Note: If the RMS is clustered, you should use the virtual server name

# re: System Center Operations Manager SDK service failed to register an SPN

Tuesday, July 22, 2008 3:07 PM by kevinhol

Setting the SPN manually will not solve the event 26371.  The SDK account will still try and UPDATE the SPN on each start.  If you want to see the error go away - you must allow the SDK account the rights to update its own SPN.

# Operations Manager 2007 SPN's

Thursday, August 14, 2008 2:16 AM by Jonathan Almquist on Operations Manager

There's a lot of confusion about SPN's (service principal name) when it comes to OpsMgr. How are

# re: System Center Operations Manager SDK service failed to register an SPN

Wednesday, October 22, 2008 6:25 PM by Hayden Trail

I just had this issue with a customer and found that even though the account had access to update its own spn it was still producing the warning event.  The problem in this environment was that the service account did not have access to read the OU that it was in, once this was granted the warning was gone.  Hopefully this might help people.

# re: System Center Operations Manager SDK service failed to register an SPN

Thursday, November 06, 2008 9:05 AM by Tom Brady

We receive the following AD Error on our DC: There are multiple accounts with name MSOMSdkSvc/RMS of type DS_SERVICE_PRINCIPAL_NAME.

I have found the SPNs in our environment are for the RMS machine account:

MSOMSdkSvc/rms.domain.com

MSOMSdkSvc/rms

MSOMHSvc/rms.domain.com

MSOMHSvc/rms

HOST/rms.domain.com

HOST/rms

And for the SDKService account:

MSOMSdkSvc/rms.domain.com

MSOMSdkSvc/rms

So we have the same SPN set for the Service account and the machine account and it is throwing up an error indicating this.

My question is it the best practice to set a Local System account for the health/sdk service on the RMS or a domain account.  If it is the BP for a domain account then I assume we should just ignore the AD error about duplicate SPNs?  I have seen many different views on whether account should be running the SDK/Health services and need a little clarification.

Thank you for the great site!

# re: System Center Operations Manager SDK service failed to register an SPN

Monday, October 12, 2009 4:21 AM by Trikke

Can anyone provide an example on how the SPN's should be registered for a clustered RMS?

Do I need to register the nodes or the cluster or the application layer?
