SCSM 2012 use the Kerberos protocol to authenticate clients and servers and encrypt data inside of communication channel. The of main concept of the Kerberos protocol regarding Windows services is a Service Principal Names (SPN) records. If your SPN records absent or configured for wrong account\service name then you can except what some function will be work with issues or doesn’t work at all.
Regarding to SCSM the misconfiguration of the SPN records can affect:
- Active Directory connector. It will run but nothing happened after that.
- DW process. Data from ServiceManager DB will not import to DW DB
- High memory consumption by SCSM’s services
and few other issues.
Also as result of misconfiguration of the SPN records can be event like this:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 01.10.2012 14:10:04
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: scsm12.syscenter.local
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server SCSMService. The target name used was MSOMSdkSvc/scsm12.syscenter.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (SYSCENTER.LOCAL) is different from the client domain (SYSCENTER.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Which SPN records used by SCSM 2012?
The SCSM 2012 use the SPN with he service class “MSOMSdkSvc”. SPN must be registered to service account (or run as account for System Center Data Access Service).
There is a two options can exist. First if your service account is Local System (this is extremely bad idea). In this case the SPN record must be registered to account of the SCSM server(s). This account named as server name with $ sign at the end (SERVER$).
Second option if your service account is a domain account. In this case SPN record must be registered to this domain account
When I should configure the SPN records for SCSM 2012?
Always. The bad news is what during setup process SPN records aren’t registered even if your setup account have permission to do that. Instead of this the SDK service(System Center Data Access Service) check the SPN records each time when it started. And trying to create SPN records if they doesn’t exist. But by default only domain administrators can modify the SPN records and your SCSM’s service account must never have this rights. The second issue is a bug inside of SCSM itself. It always try to register SPN records for server’s account even if SDK service running under domain account. You can find events like this in Operations Manager log each time when SDK service stared:
Log Name: Operations Manager
Source: OpsMgr SDK Service
Date: 04.11.2012 13:07:26
Event ID: 26371
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: scsm.syscenter.local
Description:
The System Center Data Access service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/scsm and MSOMSdkSvc/scsm.syscenter.local to the servicePrincipalName of CN=SCSM,OU=SCSM,OU=ServiceAccount,DC=syscenter,DC=local
In my case the SCSM is a server and my SDK service running under SCSMService domain account.
So even if you grant permissions for service account to modify the SPN records the wrong SPN records will be created.
How to check SPN records for SCSM 2012
To check SPN records you must run next commands:
setspn –L YOURDOMAIN\SCSMSERVER$
setspn –L YOURDOMAIN\ServiceAccount
where SCSMSERVER$ is a server account of your management server. First command must be repeated for all of your management servers (and DW too).
To check the result of the each command see in table below.
Command | Service Account is Local System | Service Account is Domain account |
setspn –L YOURDOMAIN\SCSMSERVER$ | The result must contains two strings: MSOMSdkSvc/SCSMSERVER |
The result must NOT contains any strings with
MSOMSdkSvc class |
setspn –L YOURDOMAIN\ServiceAccount |
– |
The result must contains two strings: MSOMSdkSvc/SCSMSERVER |
Here is example of the right result of setpsn -L for my test environment:
I have a two SCSM servers named SCSM12 and SCSM. Both of them use SCSMService account as service account.
Another issue can be a duplicated SPN records. To check this run command
setspn -X
How to add SPN records
If your service account is Local System:
setspn –A MSOMSdkSvc/SCSMSERVER YOURDOMAIN\SCSMSERVER$
setspn –A MSOMSdkSvc/SCSMSERVER.fqdn.name YOURDOMAIN\SCSMSERVER$
If your service account is domain account:
setspn –A MSOMSdkSvc/SCSMSERVER YOURDOMAIN\ServiceAccount
setspn –A MSOMSdkSvc/SCSMSERVER.fqdn.name YOURDOMAIN\ServiceAccount
You must repeat this commands for each of your management servers (DW too).
Also you must restart SDK Service to take effect.
How to remove wrong SPN records
setspn –D MSOMSdkSvc/SCSMSERVER YOURDOMAIN\SCSMSERVER$
setspn –D MSOMSdkSvc/SCSMSERVER.fqdn.name YOURDOMAIN\SCSMSERVER$
Appendix. Active Directory configuration for Kerberos delegation.
The second of main concepts of the Kerberos protocol is a delegation. Kerberos Delegation is a feature that allows an application to reuse the end-user credentials to access recourses hosted on a different server. SCSM use the delegation so it must be properly configured.
Delegation requirements is:
Active Directory domain and forest level must be “Windows Server 2003” or above
Server must be trusted for delegation
For service account must not be turn on option “Account is sensitive and cannot be delegated”.
To check your forest level you must run the “Active Directory Domains and Trusts” snapin, select root of the tree, call the context menu and press “Raise Forest Functional Level…”:
Here you can find level of your forest:
To check your domain level you must run the “Active Directory Users and Computers” snapin, select your domain, call the context menu and press “Raise domain Functional level…”:
Here you can find level of your domain:
To check “trusted for delegation” option find your server in “Active Directory Users and Computers” snapin and open Properties. On Delegation tab must be selected option “Trust this computer tor delegation to any service (Kerberos only)”:
To check the service account option find your account in “Active Directory Users and Computers” snapin and open Properties. On Account tab find the “Account is sensitive and cannot be delegated” and check what it NOT enabled.
12 Comments
How about when you also use SCOM 2012?
Here is answer from Kevin: http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
Any thought on how the SPNs should be setup for a hardware load balanced environment?
Here is excellent article from Marcel regarding NLB configuration. SPN too.
I need to rename my SCSM 2012 server. I tried that but then the service does not start anymore. Could this be related to the need of creation new SPNs or is there something more necessary?
Thanks.
As far as I know there is no supported way to rename SCSM server in-place.
Hi FreemanRu! Nice article!
Do you have any recommendations regarding the portal itself? should I configure the SPN records for it too?
Like HTTP/server
I was thinking that maybe that may be causing an issue that I’m having (and sorry if you think it’s not related):
I have the well-known “blank page” issue on the portal (for the web parts) only for users that are not using VPN (the portal is on 444 and content server on 443, on the same server, using a single cert).
I can telnet both ports without connecting to the VPN, although if I try accessing the Settings.xml page it’s not working. But if you connect to the VPN access the same page, and then disconnect, the web parts work fine.
Also, without connecting to the VPN, if I try the Settings.xml page from Chrome, it challenges me for user and password, and then it accesses the page, so it’s only happening with IE, so it has to be something related to authentication.
I’ve checked everything (web.config is fine, the url on the app settings is fine, cert is fine), I’m out of ideas… If you have any or think this may be related to the SPN records, please let me know!
Thanks!
Hello. Great Article. Although I have a quick question to help clarify a few things for myself. I have SCOM 2012, and am building SCSM 2012. The system center data access service for both products runs with its own domain service account. However, the SPN for MSOMHSvc/* currently all point to the SCOM server name.
If I understand correctly, I should delete the MSOMHSvc SPNs that point to the server name and create new SPNs for SCSM and SCOM service accounts?
setspn –A MSOMSdkSvc/SCSMSERVER YOURDOMAIN\SCSMServiceAccount
setspn –A MSOMSdkSvc/SCSMSERVER.fqdn.name YOURDOMAIN\SCSMServiceAccount
And then create new SPNs for SCOM
setspn –A MSOMSdkSvc/SCOMSERVER YOURDOMAIN\SCOMServiceAccount
setspn –A MSOMSdkSvc/SCOMSERVER.fqdn.name YOURDOMAIN\SCOMServiceAccount
Thanks
Looks like correct
Dont copy/paste the commands, instead, type them in
[…] the specified Service Account does (hopefully) not have administrative permissions. Refer to Configure the Kerberos for SCSM 2012 (SPN and delegation) published by Anton Gritsenko for more detailed information about Service Manager and SPN’s. […]
[…] Principal Names) for Service Manager as we already did for our primary management server. Refer to Configure the Kerberos for SCSM 2012 (SPN and delegation) published by Anton Gritsenko for more detailed information about Service Manager and SPN’s. […]