SCCM - Secondary Site Unable to Contact MP or DP
Recently we deployed a few secondary sites. The Management Point and Distribution Point are working fine, but clients are unable to receive policy from the MP.
No errors in mpcontrol.log.
We did find some Kerberos errors in the event log:
Source: Microsoft-Windows-Security-Kerberos
Event ID: 4
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: SCSMDW.wsdemo.com
Description:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smsvc. The target name used was MSOMSdkSvc/SCSMDW. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server
After investigating, it turned out that the Service Principal Name (SPN) was causing the issue, and it was quickly clear why: the SPNs had been created on the wrong domain service account. If you are running the SQL Service (MSSQLSvc) under the local computer's system account, the SPNs are registered automatically and you should not see these types of errors. But if you are running the SQL Service (MSSQLSvc) under a domain account, then you have to register them manually.
So you need to run the commands below to register the SPNs manually.
To delete the existing SPNs from the wrong service account:
setspn -D MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
setspn -D MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>
To add the new SPNs to the correct service account:
setspn -A MSSQLSvc/<SQL Server computer name>:1433 <Domain\Account>
setspn -A MSSQLSvc/<SQL Server FQDN>:1433 <Domain\Account>
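Before deleting and re-adding anything, it helps to confirm which account actually holds the SPNs. The PowerShell script below is an added example, not from the original post: it searches AD for the MSSQLSvc SPNs of a SQL host, compares the owner with the account the SQL service really runs as (read from the remote host's service configuration), and prints the setspn commands needed to fix a wrong owner or a duplicate. The host SCSMDW.wsdemo.com, the default instance name MSSQLSERVER and port 1433 are assumed placeholders.

```powershell
# Added example (not from the original post). Run from a domain-joined host
# with rights to query AD and the remote SQL server's service configuration.
param(
    [string]$SqlHost = 'SCSMDW',             # assumed NetBIOS name
    [string]$SqlFqdn = 'SCSMDW.wsdemo.com',  # assumed FQDN
    [int]$Port       = 1433                  # assumed default instance port
)

# Both SPN forms that SQL Server needs for Kerberos authentication.
$spns = @("MSSQLSvc/$SqlHost`:$Port", "MSSQLSvc/$SqlFqdn`:$Port")

# Account the SQL service actually runs as, e.g. 'WSDEMO\sqlsvc' or 'LocalSystem'.
$svc   = Get-CimInstance -ClassName Win32_Service -ComputerName $SqlFqdn -Filter "Name='MSSQLSERVER'"
$runAs = $svc.StartName
Write-Host "SQL service runs as: $runAs"

# LocalSystem / Network Service authenticate as the computer account, so the
# SPN must live on the computer object (sAMAccountName ends with '$').
$expected = if ($runAs -match '^(LocalSystem|NT AUTHORITY)') { "$SqlHost`$" } else { ($runAs -split '\\')[-1] }

foreach ($spn in $spns) {
    # Search the whole domain for every object that has this SPN registered.
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $hits = $searcher.FindAll()

    if ($hits.Count -eq 0) {
        # setspn -S checks for duplicates before adding, unlike -A.
        Write-Host "$spn : NOT REGISTERED -> setspn -S $spn $expected"
    } elseif ($hits.Count -gt 1) {
        # A duplicate SPN breaks ticket decryption just like a wrong owner does.
        $owners = ($hits | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', '
        Write-Host "$spn : DUPLICATE on $owners -> remove it from every account except $expected"
    } else {
        $owner = $hits[0].Properties['samaccountname'][0]
        if ($owner -ieq $expected) {
            Write-Host "$spn : OK (registered on $owner)"
        } else {
            Write-Host "$spn : WRONG OWNER $owner (expected $expected)"
            Write-Host "  setspn -D $spn $owner"
            Write-Host "  setspn -S $spn $expected"
        }
    }
}
```

After correcting the SPNs, clients still hold the old ticket until it expires; purging the client ticket cache (klist purge) or restarting the SMS Agent Host service makes the fix take effect immediately.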