cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AD/Kerberos on Windows 2008 Server

Go to solution
Former Member

on ‎12-09-2010 4:28 PM

0 Kudos

Has anyone run ktpass out of the 64-bit directory (c:\windows\system32) successfully and if so, did you have UAC on or off?

The reason I ask is I am getting:

Targeting domain controller: blacklocust03.bobsautoparts.com

Using legacy password setting method

Failed to set property 'servicePrincipalName' to 'CRSSO/crystal_user.bobsautoparts.com' on Dn 'CN=Crystal Service,OU=Service Accounts,DC=bobsautoparts,DC=com': 0x32

.

WARNING: Unable to set SPN mapping data.

If crystal_user already has an SPN mapping installed for CRSSO/crystal_user.bobsautoparts.com, this is no cause for concern.

Aborted.

I googled and ran into this post: http://www.chaj.com/post/5312657/uac-and-ktpass-exe and I am trying to figure out my issue.

Perry Hoekstra

Edited by: Perry Hoekstra on Dec 9, 2010 9:32 PM

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

BasicTek
Advisor
Advisor
‎12-09-2010 11:53 PM
0 Kudos

I'm pretty sure you can ignore that error run setspn - L serviceaccount and see if the SPN is set?

If not then it's really a Microsoft issue. I was able to run it on my 2008 SP2 64 bit, and I don't recall any issues. I did have UAT turned off.

Regards,

Tim

Show replies
Show replies
Former Member
‎12-10-2010 12:38 PM
0 Kudos

The underlying reason was Microsoft. Even though I had administration rights on the box, I did not have the necessary rights on the Domain Controller. As usual, the error message and code were less than illuminating which causes you to thrash around trying to figure out why all the parts don't mesh.

Perry Hoekstra

Former Member
‎12-10-2010 1:43 PM
0 Kudos

Considering that for Windows 2008 server, many of the management consoles used to manage Windows Server 2008 have been updated or completely redesigned, how do you "Verify the account UPN" and "Trust this user for delegation to any service (Kerberos only)"? I am referring to page 6/7 of your Configuring Vintella SSO in Distributed Environments document.

BasicTek
Advisor
Advisor
‎12-10-2010 2:09 PM
0 Kudos

You have to install RSAT on the 2008 server, most of the info can be seen with windows sysinternals ADexplorer (free download form microsoft)

Regards,

Tim

Answers (1)

Answers (1)

former_member207736
Explorer
‎05-16-2012 12:47 PM
0 Kudos

Hi Perry

If it is Windows 2008, then open the command prompt as Administrator and then execute your ktpass command.

Show replies
Show replies
Ask a Question