
My domain does not have an SPN for CIFS/mydomain.com. My DC is throwing ErrorCode: KDC_ERR_S_PRINCIPAL_UNKNOWN. There are a number of Windows workstations on the domain that are trying to use this SPN.

setspn -a cifs/corp.com.au corp.com.au
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Unable to locate account corp.com.au

What problems would this cause? Should this SPN be there by default?

Ablue

1 Answer

I was unaware such an SPN existed... so I checked... My domain has no such SPN, and I'm not having the problem you described either.


C:>setspn -L mydomain.com
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account mydomain.com

The command you posted attempts to ADD a new SPN. But with only the domain name, you are not providing an account name to add the SPN to. Perhaps you could tell us more about the error on the workstations. What is the full text of the error? What event number is it?
Clayton
  • That is the full text of the error. According to http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx the account name can be the domain name for services that are used domain wide. – Ablue Aug 13 '12 at 23:18
  • I imagine that accessing //mydomain.com/netlogon using kerberos would require cifs/mydomain.com SPN; but without it the negotiate service will fallback to NTLM. – Ablue Aug 13 '12 at 23:20
  • That's a rather long article, and I can't find a section that talks about the domain itself having an SPN. It DOES talk about each DC having its own SPN. When you browse \\mydomain.com\netlogon, you're getting a DFS referral to a specific DC, and it's probably then that the SPN comes into play. What does SETSPN -L say for each DC you have? What OS are these DCs? Are you getting event 11 from here http://support.microsoft.com/kb/321044 ? Are you getting event 1645 from here http://support.microsoft.com/kb/308111 ? – Clayton Aug 14 '12 at 13:56
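The following PowerShell script is an added example for this thread; it is not code from either poster. It gathers the three things the discussion turns on: whether any account already carries the domain-wide cifs/<domain> SPN (the answer's point that setspn -a must be given an account), what SETSPN -L would show for each DC together with its OS, and which service names clients are asking the KDC for when it answers KDC_ERR_S_PRINCIPAL_UNKNOWN. It assumes the RSAT ActiveDirectory module, read access to the directory, and (for the last step) that it is run on a DC whose Security log can be read; the mapping of that error to Security event 4769 with failure code 0x7 is an assumption stated in the code.

```powershell
# Added diagnostic for this thread (not from either poster). Assumes the RSAT
# ActiveDirectory module and read access to AD; step 3 assumes it runs on a DC.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot          # e.g. mydomain.com

# 1. Is the domain-wide SPN registered on any account at all? setspn -a attaches
#    an SPN to an account, so an SPN that nobody holds cannot be issued a ticket.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=cifs/$domain)" `
                       -Properties servicePrincipalName
if ($holder) {
    "cifs/$domain is registered on: $($holder.DistinguishedName)"
} else {
    "cifs/$domain is not registered on any account; a Kerberos request for it will be refused"
}

# 2. Equivalent of 'setspn -L <dc>' for every DC. A DC normally carries
#    HOST/<fqdn>, which covers CIFS, or an explicit cifs/<fqdn>.
foreach ($dc in Get-ADDomainController -Filter *) {
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName
    $spns     = [string[]]$computer.servicePrincipalName
    $fqdn     = $dc.HostName
    $present  = ($spns -contains "HOST/$fqdn") -or ($spns -contains "cifs/$fqdn")
    "{0,-35} {1,-30} HOST/cifs SPN present: {2}" -f $fqdn, $dc.OperatingSystem, $present
    foreach ($spn in $spns) { "    $spn" }
}

# 3. Which SPNs are clients asking for that the KDC cannot find?
#    Assumption: a refused service-ticket request is logged as Security event 4769
#    and the RFC 4120 code for KDC_ERR_S_PRINCIPAL_UNKNOWN (7) appears as
#    'Failure Code: 0x7'. The service name field then names the unknown SPN.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 1000 `
             -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Failure Code:\s+0x7\b' } |
    ForEach-Object {
        if ($_.Message -match 'Service Name:\s+(\S+)') { $matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    ForEach-Object { "{0,5} refused requests for {1}" -f $_.Count, $_.Name }
```

Run it as a user with read access to the directory; on a DC it also reads the Security log. The per-DC listing is what the answer asked the original poster to report, and the final grouping shows whether the refused requests are really for cifs/<domain> or for some other principal the workstations have been configured to use.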