While executing the ktpass command, the warning "Unable to set SPN mapping data" appeared

    Question

  • Hi All,

    While executing the ktpass command from an administrator command prompt on a Windows Server machine:
    C:\Users\Administrator>ktpass -princ host/<hostname>@<active directory domain> -mapuser <domain name>\TestU1 -pass * -crypto AES128-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\KeyTab\TestAES128.keytab

    the warning message below appeared:

    Failed to set property 'servicePrincipalName' to 'host/<host name>' on
    Dn 'CN=<CN Name>,CN=Users,DC=<DC Name>,DC=<DC Name>,DC=com': 0x13.
    WARNING: Unable to set SPN mapping data.
    If <user name> already has an SPN mapping installed for host/<host name>, this is no cause for concern.
    Key created.

    It is confirmed that no other user in the AD DC is configured with the same host/<hostname>.

    Please suggest how to resolve the above warning.

    Thanks

    Friday, January 20, 2017 2:15 PM

Answers

  • Hi,
    Please check whether UAC is enabled on the server you run the command on; if so, please try the same command on the same server after disabling UAC and rebooting the server, then see if the warning is gone.
    In addition, please make sure that the account used to run the command is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 23, 2017 5:31 AM
    Moderator

All replies

  • I've seen this kind of error before. Looking at your command syntax, I see that you are mapping the user incorrectly. Let's say your Active Directory domain name is DEV.LOCAL. In your example, you are using the syntax -mapuser DEV.LOCAL\TestU1, when it should be in the form -mapUser TestU1@DEV.LOCAL. See my write-up on keytabs here, which should help you: Kerberos Keytabs – Explained

    EDIT: Please walk through the web link I provided. As mentioned by Wendy, the article describes that UAC must be at least temporarily disabled, and the user creating the keytab must be a member of the Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group.


    Best Regards, Todd Heron | Active Directory Consultant


    • Edited by Todd Heron Monday, January 23, 2017 12:38 PM Added additional information to OP as documented in cited TechNet article
    • Proposed as answer by netbel Monday, January 23, 2017 9:40 PM
    Friday, January 20, 2017 2:51 PM
  • Hi,

    We are facing a similar issue, except that it says 'failed to set 'userPrincipalName' on user ...'.

    UAC is disabled, and the user account is also a member of the Domain Admins group. Attached is a snapshot of the command.

    Will manually setting userPrincipalName work in this case?

    Thursday, March 1, 2018 8:42 AM
  • Hi,

    Can someone please help me with the above? Even after setting userPrincipalName manually, SSO didn't work.



    Thursday, May 3, 2018 6:14 AM
  • > I've seen this kind of error before. Looking at your command syntax, I see that you are mapping the user incorrectly. Let's say your Active Directory domain name is DEV.LOCAL. In your example, you are using the syntax -mapuser DEV.LOCAL\TestU1, when it should be in the form of -mapUser TestU1@DEV.LOCAL.

    This isn't correct, Todd. I just executed the command "ktpass -princ HTTP/my.domain@DOMAIN -mapuser DOMAIN\user -out user.keytab -pass * -ptype KRB5_NT_PRINCIPAL -crypto ALL -mapOp set" and it worked (no errors, and it produced a keytab file on Windows Server 2016), so I'm not sure what you mean.

    The only issue is that the OP isn't running the command in an administrative prompt to bypass the UAC protections.


    Wednesday, August 8, 2018 3:31 PM
  • Hi All,

    Thanks for your support.

    The above problem is due to the principal name "host/<hostname>@<active directory domain>" being mapped to another domain user in the same domain; because of that, trying to map it to the current user caused the problem.

    To confirm the principal mapping, the command below can be used:

    setspn -Q host/<principal name>

    To delete the mapping, the command below can be used:

    setspn -d host/<principal name> <user name>

    After removing the mapping, the ktpass command executes successfully.

    Thank You

    Monday, August 20, 2018 4:24 AM
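The resolution above (query the SPN, remove the stale registration, rerun ktpass) as one scripted check. This is an added example and not code posted in the thread; the SPN, account, realm and keytab path are placeholders. It queries the directory for the SPN owner instead of parsing setspn output, and the query covers computer objects as well as users, because a domain-joined machine registers HOST/<its hostname> on its own computer account and a check limited to user accounts can miss that conflict. The 0x13 in the original warning is LDAP result code 19 (constraintViolation), which is what a domain controller returns when it refuses to register an SPN that another object already holds. The script requires an elevated PowerShell session with the RSAT ActiveDirectory module installed.

```powershell
# Added example: find who owns an SPN, optionally clear a conflicting registration,
# then run ktpass and verify the result. Placeholder names throughout.
param(
    [string]$Spn        = 'host/app01.corp.example.com',   # placeholder SPN to map
    [string]$Account    = 'TestU1',                         # sAMAccountName of the service account
    [string]$Realm      = 'CORP.EXAMPLE.COM',               # Kerberos realm = AD DNS domain, upper-case
    [string]$KeytabPath = 'C:\KeyTab\TestAES256.keytab',    # placeholder output path
    [switch]$RemoveStale                                    # actually remove a conflicting SPN
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Who currently holds this SPN? servicePrincipalName is multi-valued and indexed,
#    so an equality filter finds users and computers alike.
$filter = "(servicePrincipalName=$Spn)"
$target = Get-ADUser -Identity $Account -ErrorAction Stop
$owners = @(Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName)
$others = @($owners | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName })

foreach ($o in $others) {
    Write-Warning "SPN '$Spn' is already registered on $($o.DistinguishedName) ($($o.ObjectClass))"
    if ($RemoveStale) {
        # Equivalent to: setspn -D <spn> <account>
        Set-ADObject -Identity $o.DistinguishedName -Remove @{ servicePrincipalName = $Spn }
        Write-Host "Removed '$Spn' from $($o.DistinguishedName)"
    }
}

if ($others.Count -gt 0 -and -not $RemoveStale) {
    throw "Conflicting SPN owner(s) found; confirm the old mapping is unused, then rerun with -RemoveStale."
}

# 2. Create the keytab. ktpass resets the mapped account's password and writes its
#    userPrincipalName/servicePrincipalName, so the file contains the account's long-term
#    key: keep it on a restricted ACL and move it over an encrypted channel.
#    AES256-SHA1 requires the account to have "This account supports Kerberos AES 256 bit
#    encryption" enabled (msDS-SupportedEncryptionTypes); -mapOp set replaces the SPN list
#    rather than appending to it. -pass * prompts interactively instead of leaving the
#    password in shell history.
$princ = "$Spn@$Realm"
& ktpass -princ $princ -mapuser "$Account@$Realm" -pass * `
         -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -mapOp set -out $KeytabPath
if ($LASTEXITCODE -ne 0) { throw "ktpass exited with code $LASTEXITCODE" }

# 3. Verify: the SPN must resolve to exactly one object, the mapped account.
$check = @(Get-ADObject -LDAPFilter $filter)
if ($check.Count -ne 1 -or $check[0].DistinguishedName -ne $target.DistinguishedName) {
    throw "SPN '$Spn' is not uniquely mapped to $Account after ktpass"
}
Get-Item $KeytabPath | Select-Object FullName, Length, LastWriteTime
```

Run it once without -RemoveStale to see who holds the SPN; the same information is available from `setspn -Q host/<hostname>` (and `setspn -X` lists every duplicate SPN in the forest). Only remove the existing registration after confirming the old owner no longer serves that hostname, since deleting an SPN still in use breaks Kerberos authentication to that service.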
  • Todd's answer was correct and fixed it in my case.
    Friday, August 24, 2018 3:04 AM