System Center Operations Manager SDK service failed to register an SPN
Have you seen this event in your RMS OpsMgr event logs?
Event Type: Warning
Event Source: OpsMgr SDK Service
Event Category: None
Event ID: 26371
Time: 2:58:24 PM
The System Center Operations Manager SDK service failed to register an SPN. A domain admin needs to add MSOMSdkSvc/rmscomputer and MSOMSdkSvc/rmscomputer.domain.com to the servicePrincipalName of DOMAIN\sdkaccount
This is a bug. The alert is almost always erroneous. Here is why:
Every time the SDK service starts, it tries to update the SPNs on the AD account that the SDK service runs under. It fails, because by default a user account cannot update its own SPNs, so this warning is logged.
If the SDK account is a domain admin, the update does not fail, because a domain admin has the necessary rights. Obviously we don't want the SDK account to be a domain admin; that isn't required, nor is it a best practice.
One way to resolve this error is to grant the SDK service account the right to update its own SPNs. The easiest way is to go to the user account object for the SDK account in AD and grant SELF full control.
A better, more granular way is to grant SELF only the right to read and modify the servicePrincipalName attribute:
- Run ADSIEdit as a domain admin.
- Find the SDK domain account, right click, Properties.
- Select the Security tab, click Advanced.
- Click Add. Type "SELF" in the object box. Click OK.
- Select the Properties tab.
- Scroll down and check the "Allow" box for "Read servicePrincipalName" and "Write servicePrincipalName".
- Click OK. Click OK. Click OK.
- Restart your SDK service. If AD has replicated from where you made the change, all should be resolved.
Or, just manually set the SPNs and disable this alert rule, which throws alerts even when the SPNs are set correctly.
To check SPNs:
The following command will show all the HealthService SPNs in the domain:
Ldifde -f c:\ldifde.txt -t 3268 -d DC=DOMAIN,DC=COM -r "(serviceprincipalname=MSOMHSvc/*)" -l serviceprincipalname -p subtree
To view SPNs for a specific server:
setspn -L servername
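The ADSIEdit steps above and the SPN checks can also be done from PowerShell. The script below is an added example, not code from the original post or from the OpsMgr product: it grants SELF read/write on the servicePrincipalName attribute of the SDK account (the granular option, not Full Control), then verifies that the two MSOMSdkSvc SPNs from the event text exist, adding them only when no other object already holds them, and finishes with the equivalent of the ldifde query. The account name "sdkaccount", the host names "rmscomputer" and "rmscomputer.domain.com", the availability of the ActiveDirectory RSAT module, and running it as a domain admin are all assumptions.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory
# RSAT module is installed, the session runs as a domain admin, and the
# placeholder names below match your SDK account and RMS.
$SdkAccount = 'sdkaccount'              # sAMAccountName of the SDK service account
$RmsHost    = 'rmscomputer'             # RMS short name
$RmsFqdn    = 'rmscomputer.domain.com'  # RMS fully qualified name

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SdkAccount -Properties servicePrincipalName
$dn   = $user.DistinguishedName

# --- Part 1: the ADSIEdit steps as code --------------------------------
# Resolve the schemaIDGUID of servicePrincipalName so the ACE is scoped to
# that single attribute rather than granting SELF Full Control.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC `
                -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' `
                -Properties schemaIDGUID
$spnGuid  = New-Object -TypeName System.Guid -ArgumentList (,$spnAttr.schemaIDGUID)

# SELF is the well-known SID S-1-5-10: whatever principal the object itself is.
$self   = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-10'
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
              -ArgumentList $self, $rights, $allow, $spnGuid

$acl = Get-Acl -Path "AD:\$dn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$dn" -AclObject $acl
Write-Host "Granted SELF Read/Write servicePrincipalName on $dn"

# --- Part 2: verify (and if needed set) the SDK SPNs from the event text --
$wanted = @("MSOMSdkSvc/$RmsHost", "MSOMSdkSvc/$RmsFqdn")
foreach ($spn in $wanted) {
    # An SPN must be unique; a duplicate on another object breaks Kerberos
    # for both accounts, so look before adding.
    $owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    $others = $owners | Where-Object { $_.DistinguishedName -ne $dn }
    if ($others) {
        $list = ($others | Select-Object -ExpandProperty DistinguishedName) -join '; '
        Write-Warning "$spn is already registered on another object: $list"
        continue
    }
    if ($user.servicePrincipalName -contains $spn) {
        Write-Host "$spn already present on $SdkAccount"
    } else {
        Set-ADUser -Identity $SdkAccount -ServicePrincipalNames @{Add = $spn}
        Write-Host "Added $spn to $SdkAccount"
    }
}

# --- Part 3: same query as the ldifde command (all HealthService SPNs) ----
# Default scope is the current domain; for a forest-wide (GC) search like
# the ldifde -t 3268 example, add -Server '<gc-host>:3268'.
Get-ADObject -LDAPFilter '(servicePrincipalName=MSOMHSvc/*)' -Properties servicePrincipalName |
    ForEach-Object { $_.servicePrincipalName | Where-Object { $_ -like 'MSOMHSvc/*' } } |
    Sort-Object
```

After running it, restart the SDK service and confirm with setspn -L sdkaccount that both MSOMSdkSvc entries are listed; the duplicate check in Part 2 is the part worth keeping even if you set the SPNs by hand, since a duplicate SPN fails silently until Kerberos authentication to the SDK starts breaking.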