Wednesday, 4 September 2019

SCCM - Secondary Site Unable to Contact MP or DP

SCCM - Secondary Site Unable to Contact MP or DP

Recently we deployed few secondary site , Management point and Distribution point are working fine, but clients unable to receive policy from MP.

No error on mpcontrol.log 

And found some kerberos error on event logs

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
Event ID:      4
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      SCSMDW.wsdemo.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smsvc. The target name used was MSOMSdkSvc/SCSMDW. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server

After investigating, it turned out to be the Service Principal Name (SPN) that caused the issue. And I quickly saw why. The issue was that the SPN’s was created on the wrong Domain Service Account. If you are running the SQL Service (MSSQLSvc) with local computers system account, the SPN’s are registered automatically and you should not see these types of errors. But if you are running the SQL Service (MSSQLSvc) account with a domain account, then you have to do this manually

So you need to run the below command to register SPN manually

To delete existing SPNs from wrong service account:

setspn -D MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
setspn -D MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>

 To add new SPNs the correct service account:

setspn -A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>  

No comments:

Post a Comment

SCCM SQL Query Online device by Management Point

 SCCM SQL Query Online device by Management Point select srl.SiteCode, srl.ServerName, srl.InternetEnabled, srl.Shared, srl.SslState, SUM(br...