Wednesday, July 04, 2012 8:14 AM
We have a problem with duplicate SPNs on one of our SCOM 2012 MS, analogous to the thread http://social.technet.microsoft.com/Forums/en-US/operationsmanagergeneral/thread/c06dc6d7-38b4-4f82-8915-5ce2992cd704/.
The MSOMSdkSvc/mycomputer SPN is registered both for the service account and for the machine account. The SDK and Config services are running under the service account. Of course we can delete the machine SPNs, but after some time (or a reboot) the machine account SPNs reappear...
How can we prevent the machine account from registering the SPNs?
Sunday, July 08, 2012 8:37 PM
In order to register an SPN you need Domain Administrator permission. In a SCOM deployment scenario there is no need to have domain admin permission for any account. If you set the permission to Domain User, the account won't be able to register the SPN. You can register the SPN manually by typing:
setspn -S MSOMSdkSvc/mycomputer domain\sdkaccount
setspn -S MSOMSdkSvc/mycomputer.domain.com domain\sdkaccount
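Before running the setspn commands above it is worth confirming which accounts actually hold the MSOMSdkSvc SPNs. The following PowerShell script is an added example, not part of this thread and not Microsoft's tooling: it lists every MSOMSdkSvc SPN registered on more than one account and emits the setspn -D / setspn -S commands that would leave each SPN only on the SDK service account. By default it runs against a constructed sample (domain, host OM01 and account svc-omsdk are made-up names) that mirrors the situation in the first post; with -Live it queries the domain via ADSI instead. As the thread notes, the SDK service re-registers the machine-account SPN after a while, so this only cleans up the duplicates, it does not stop them from coming back.

```powershell
# Added example (not from the thread). Finds MSOMSdkSvc SPNs that exist on more
# than one account and prints the setspn commands to fix them.
# Assumed names: service account 'svc-omsdk', management server 'OM01', domain 'contoso.com'.
param(
    [string]$ServicePrefix = 'MSOMSdkSvc',
    [string]$SdkAccount    = 'svc-omsdk',   # sAMAccountName of the SDK service account (assumed)
    [switch]$Live                           # query AD via ADSI instead of the constructed sample
)

function Get-SpnRecords {
    # Returns one object per (Account, Spn) pair for SPNs starting with $Prefix.
    param([string]$Prefix, [switch]$Live)

    if (-not $Live) {
        # Constructed sample: the SPN is held by both the machine account (OM01$)
        # and the service account, exactly the duplicate described in the thread.
        return @(
            [pscustomobject]@{ Account = 'OM01$';     Spn = 'MSOMSdkSvc/OM01' },
            [pscustomobject]@{ Account = 'OM01$';     Spn = 'MSOMSdkSvc/OM01.contoso.com' },
            [pscustomobject]@{ Account = 'svc-omsdk'; Spn = 'MSOMSdkSvc/OM01' },
            [pscustomobject]@{ Account = 'svc-omsdk'; Spn = 'MSOMSdkSvc/OM01.contoso.com' },
            [pscustomobject]@{ Account = 'OM01$';     Spn = 'HOST/OM01' }   # unrelated SPN, filtered out
        ) | Where-Object { $_.Spn -like "$Prefix/*" }
    }

    # Live mode: LDAP search through ADSI, no RSAT module needed.
    $searcher = [adsisearcher]"(servicePrincipalName=$Prefix/*)"
    $searcher.PageSize = 500
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
    foreach ($result in $searcher.FindAll()) {
        $account = [string]$result.Properties['samaccountname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            if ($spn -like "$Prefix/*") {
                [pscustomobject]@{ Account = $account; Spn = [string]$spn }
            }
        }
    }
}

function Get-DuplicateSpns {
    # Group by SPN (Group-Object is case-insensitive by default) and keep the
    # groups whose SPN is registered on more than one distinct account.
    param([object[]]$Records)
    $Records | Group-Object -Property Spn | ForEach-Object {
        $accounts = @($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique)
        if ($accounts.Count -gt 1) {
            [pscustomobject]@{ Spn = $_.Name; Accounts = $accounts }
        }
    }
}

function Get-FixCommands {
    # For every duplicate: remove the SPN from each account except $Keep, then
    # register it on $Keep with -S, which refuses to create a duplicate.
    # setspn takes computer accounts by plain computer name, so the trailing '$' is dropped.
    param([object[]]$Duplicates, [string]$Keep, [string]$Domain = $env:USERDOMAIN)
    foreach ($d in $Duplicates) {
        foreach ($acct in $d.Accounts) {
            if ($acct -ne $Keep) {
                "setspn -D $($d.Spn) $Domain\$($acct.TrimEnd('$'))"
            }
        }
        if ($d.Accounts -notcontains $Keep) {
            "setspn -S $($d.Spn) $Domain\$Keep"
        }
    }
}

$records = Get-SpnRecords -Prefix $ServicePrefix -Live:$Live
$dups    = @(Get-DuplicateSpns -Records $records)

if ($dups.Count -eq 0) {
    Write-Host "No duplicate $ServicePrefix SPNs found."
} else {
    $dups | Format-Table -AutoSize
    Write-Host "`nCommands to leave each SPN only on $SdkAccount (review before running):"
    Get-FixCommands -Duplicates $dups -Keep $SdkAccount
}
```

With the built-in sample the script reports both MSOMSdkSvc/OM01 and MSOMSdkSvc/OM01.contoso.com as held by OM01$ and svc-omsdk, and prints only setspn -D commands for OM01 because the service account already holds the SPNs. The commands are printed rather than executed so they can be checked against the real accounts first; note that `setspn -S` (as in the post above) is preferred over `-A` precisely because it refuses to add an SPN that already exists elsewhere in the domain.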
Wednesday, July 18, 2012 11:11 AM
After doing a little research and some discussions with MS PSS:
There is a bug in SCOM 2012 / 2007. If you run the SDK Service under a service account, the service always tries to register the MSOMSdkSvc SPN for the machine account AND the service account. Hence you will have duplicate SPNs.
The only available and working workaround:
On the machine account in AD DS, for the machine account itself and for the service account. The service still tries to register the SPNs, but gets an access denied error from AD. This will cause Event 26371 in the OpsMgr event log, but it can be ignored according to Kevin Holman.
Wednesday, July 18, 2012 12:22 PM
You can find a better explanation here:
Wednesday, July 18, 2012 2:08 PM
Yep, that's the link I referred to above. Thanks :)