Win2012 Ndes Service SPN breaks PS Remoting.


  • I've encountered an issue while setting up an Enterprise CA w/NDES on a Windows 2012 DC (all roles deployed on a single system).

    • Before configuring NDES, I've run "Enable-PSRemoting" on an Admin PS (logged as DC Admin), and I've answered Y to all the questions.

    Then I've followed the instructions published at the following address to configure the Ndes Account Service:

    More specifically, after executing the following step:

    setspn -s http/ cpandl\NdesService

    I noticed that launching the following (firewall OFF & NLA Domain Profile):

    enter-pssession localhost

    I received the following error:

    Enter-PSSession : Connecting to remote server localhost failed with the following message : WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Negotiate authentication: An unknown security error occurred.

    BUT, if I remove the NdesService SPN...

    setspn -D http/ cpandl\NdesService

    PS Remoting works again.

    Further testing reveals that when I manually run:

    setspn -s http/ cpandl\NdesService

    setspn -s WSMAN/ CA1

    setspn -s WSMAN/CA1 CA1


    enter-pssession localhost

    successfully logs me in.

    • Unfortunately, after a CA1 Reboot (even if the WSMAN SPNs are present - confirmed by launching "setspn -l CA1"), PS Remoting doesn't work.

    Anyone able to shed some light re the following (unwanted) behaviour?

    Saturday, March 02, 2013 11:49 AM


All replies