SPN not registered

  • Question

  • Hi, I am getting the below error for a fresh SCOM 2012 R2 installation:

    The service principal name (SPN) for the "System Center Data Access" service may
    have failed to register. The "System Center Data Access" service must register
    SPNs for the Operations console and other SDK clients to authenticate using
    Kerberos.

    Though I have added sdk account for SPN as below:

    C:\Users\xxxx>setspn -L scom001
    Registered ServicePrincipalNames for CN=SCOM001,OU=Servers,OU=_GlobalResources,OU=aaa,DC=bbb,DC=ccc,DC=net:
            MSOMSdkSvc/scom001.net
            MSOMSdkSvc/SCOM001
            MSOMHSvc/SCOM001
            MSOMHSvc/SCOM001.net
            WSMAN/SCOM001
            WSMAN/SCOM001.net
            TERMSRV/SCOM001.net
            RestrictedKrbHost/SCOM001.net
            HOST/SCOM001.net
            TERMSRV/SCOM001
            RestrictedKrbHost/SCOM001
            HOST/SCOM001

    However, I am still getting the same error, and probably because of it the Reporting server is not able to connect to the management server during installation. Please let me know where I am going wrong or what I am missing.

    Monday, November 16, 2015 2:46 PM


All replies

  • Hi,

    when you check the SPNs, you have to check them against the service account, not the computer account of the SCOM server:

    setspn -L DOMAIN\sdkdomainuseraccount

    For example, if you have a service account for the SDK service which is named scomsdk, your SPN check should look like this:

    setspn -L NetBIOSDomainName\scomsdk

    This should give you an output similar to this:

    Registered ServicePrincipalNames for CN=ServiceAccount,OU=Account,OU=_GlobalResources,OU=aaa,DC=bbb,DC=ccc,DC=net:

     MSOMSdkSvc/SCOM001
     MSOMSdkSvc/SCOM001.domain.net

    Please take a look at the following article (it is the one which best describes the procedure and gives nice examples), delete the SPNs you've created on the computer account (it must have only the SPNs for the HealthService - MSOMHSvc) and set them as described in the article:

    OpsMgr 2012: What should the SPN’s look like?

    If you are doing this on Windows Server 2012 R2 please use -A option instead of -S.

    This should do the job.


    Stoyan (Please take a moment to "Vote as Helpful" and/or "Mark as Answer" where applicable. This helps the community, keeps the forums tidy, and recognizes useful contributions. Thanks!)


    Monday, November 16, 2015 5:00 PM
    Moderator
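The rule in this reply (MSOMSdkSvc SPNs belong on the SDK service account in both NetBIOS and FQDN form, the computer account keeps only its HealthService and host SPNs, and no SPN may be registered on two accounts) can be checked mechanically against saved `setspn -L` output. The script below is an added example, not from the thread or from Microsoft; the server name SCOM001, the domain example.net and the account scomsdk are placeholders.

```python
import re

# A `setspn -L` SPN line is "<service class>/<host>[:port]"; the "Registered
# ServicePrincipalNames for CN=..." header and console-wrapped DN text have no "/".
SPN_LINE = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9._-]+(:\d+)?$")


def parse_setspn(output: str) -> set[str]:
    """Extract the SPNs from saved `setspn -L` output, lower-cased because AD
    compares SPNs case-insensitively when it looks for duplicates."""
    return {line.strip().lower() for line in output.splitlines()
            if SPN_LINE.match(line.strip())}


def check_sdk_spns(server_netbios, server_fqdn, sdk_account_spns, computer_spns):
    """Return findings about MSOMSdkSvc SPN placement; an empty list is a pass."""
    findings = []
    expected = {f"msomsdksvc/{server_netbios.lower()}",
                f"msomsdksvc/{server_fqdn.lower()}"}
    findings += [f"missing on SDK account: {s}" for s in sorted(expected - sdk_account_spns)]
    # The same SPN on two accounts leaves the KDC unable to choose a key: Kerberos fails.
    dup = sdk_account_spns & computer_spns
    findings += [f"duplicate SPN on both accounts: {s}" for s in sorted(dup)]
    # The computer account should carry HealthService (MSOMHSvc) and host SPNs only.
    findings += [f"SDK SPN on computer account: {s}"
                 for s in sorted(computer_spns - dup) if s.startswith("msomsdksvc/")]
    return findings


# Constructed sample output; the shape follows the thread's listings, names are placeholders.
COMPUTER_BEFORE = """Registered ServicePrincipalNames for CN=SCOM001,OU=Servers,DC=example,DC=net:
\tMSOMSdkSvc/scom001.example.net
\tMSOMSdkSvc/SCOM001
\tMSOMHSvc/SCOM001
\tMSOMHSvc/SCOM001.example.net
\tHOST/SCOM001.example.net
\tHOST/SCOM001
"""
COMPUTER_AFTER = "\n".join(l for l in COMPUTER_BEFORE.splitlines() if "MSOMSdkSvc" not in l)
SDK_ACCOUNT = """Registered ServicePrincipalNames for CN=scomsdk,OU=ServiceAccounts,DC=example,DC=net:
\tMSOMSdkSvc/SCOM001
\tMSOMSdkSvc/SCOM001.example.net
"""


def audit(computer_output: str, sdk_output: str) -> list[str]:
    return check_sdk_spns("SCOM001", "scom001.example.net",
                          parse_setspn(sdk_output), parse_setspn(computer_output))


if __name__ == "__main__":
    for state, out in (("before cleanup", COMPUTER_BEFORE), ("after cleanup", COMPUTER_AFTER)):
        print(state, audit(out, SDK_ACCOUNT) or ["OK: SDK SPNs correctly placed"])
```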
  • Yes, did that. However, I am still getting the same error and the Reporting server is unable to contact the Management server:

    C:\Users\xxxx>setspn -L Domain\scomda
    Registered ServicePrincipalNames for CN=SCOMDA,OU=UsersAdministrative,OU=_GlobalResources,OU=bbb,DC=ccc,DC=ddd,DC=net:
            MSOMSdkSvc/SCOM001
            MSOMSdkSvc/SCOM001.net

    Error while installing the Reporting server:

    Unable to connect to the Data Access service for this management server. Ensure the Data Access service is running and that the service, the management group, and setup are all the same version.

    Monday, November 16, 2015 5:34 PM
  • Hi,

    a few things to check:

    - Make sure the SPNs on the SCOM computer account have been removed.
    - Make sure that port 5724 is opened between the Reporting Server and the Management Server. It can be closed after the installation.

    Firewall requirements

    - Make sure your collation settings are set properly
    - Is the SDK service running on the management server?

    Regards,


    Stoyan

    Monday, November 16, 2015 8:03 PM
    Moderator
  • I think you will continue to get this error - this is a "failed to register" error which occurs if the SDK account is not a domain admin. And let's face it, it should NOT be a domain admin.

    As long as the listing is correct then you are good to go.

    However, I'm not sure that you have configured it correctly. Are you sure you have set the SPN on the SDK account and not on the computer account? In your post, you state:

    C:\Users\xxxx>setspn -L scom001
    Registered ServicePrincipalNames for CN=SCOM001,OU=Servers,OU=_GlobalResources,OU=aaa,DC=bbb,DC=ccc,DC=net:
            MSOMSdkSvc/scom001.net
            MSOMSdkSvc/SCOM001

    Are you sure this is correct? You have scom001 as your SDK account??

    setspn -L DOMAIN\sdkdomainuseraccount

    Regards

    Graham


    http://blogs.technet.com/b/manageabilityguys/

    Monday, November 16, 2015 8:37 PM
    Moderator
  • Hi Graham,

    I think the second output looks fine, or am I wrong?

    "C:\Users\xxxx>setspn -L Domain\scomda
    Registered ServicePrincipalNames for CN=SCOMDA,OU=UsersAdministrative,OU=_GlobalResources,OU=bbb,DC=ccc,DC=ddd,DC=net:
            MSOMSdkSvc/SCOM001
            MSOMSdkSvc/SCOM001.net "

    This output shows the SPNs registered for the account (assuming scomda is the SDK account) and listed for the SCOM MS (SCOM001).

    About the SPN alert, you are right. It will never go away if the account is not domain admin (or has the right to update its SPNs), but it should be logged only if the service has been restarted.

    Regards,


    Stoyan

    Tuesday, November 17, 2015 8:58 AM
    Moderator
  • I did configure it on the DA account and can also telnet through the port between the MS and the Reporting server. Still getting the same issue while installing the Reporting server. Any other check I have to look for?

    Also, the SDK service is running fine on the MS.

    Tuesday, November 17, 2015 10:02 AM
  • Hi Stoyan

    No - you are correct - I missed that posting and was referencing the first one.

    The link you give is the best one I know.

    Regards

    Graham


    http://blogs.technet.com/b/manageabilityguys/

    Tuesday, November 17, 2015 1:32 PM
    Moderator
  • Hi,

    I found a couple of interesting posts on the topic:

    SCOM 2012 R2: Unable to connect to the Data Access service for this management server
    Here the cause was that the SDK service account was missing logon rights.

    OpsMgr 2012 SP1: Reporting Installation Error: Unable to connect to the Data Access Service for this Management Server
    Here the cause was DNS resolution.

    Unable to connect to the Data Access service for this management server
    And here you can get a number of ideas what to check and what could lead to such error.

    Hope this helps. Regards,


    Stoyan

    Wednesday, November 18, 2015 9:53 AM
    Moderator