I'm setting up a Windows lab environment. It has a Win2012R2 domain controller (srv001) and I'd like to add another Win2012R2 server to the domain (srv003). Actually, all goes well. I gave the new server a static IP address in the same subnet as the DC, pointed it to the right DNS server and added the server to the domain.
However, when I add the new server to Server Manager, I get a Kerberos error: 0x80090322. It has quite a long error message that I'll post below. I did some testing and found out that I'm actually able to set up a remote PowerShell session to the server using Kerberos authentication:
$s = New-PSSession -ComputerName srv003 -Authentication Kerberos
$s | Enter-PSSession
No problems here. I ran Enable-PSRemoting on the remote server, no problems there either.
Why doesn't Server Manager like my new server? Especially since it's possible to set up a remote PowerShell session using the same protocol Server Manager is complaining about.
The error message that belongs to error code 0x80090322:
Configuration refresh failed with the following error: The metadata failed to be retrieved from the server, due to the following error: WinRM cannot process the request. The following error with errorcode 0x80090322 occurred while using Kerberos authentication: An unknown security error occurred. Possible causes are:
- The user name or password specified are invalid.
- Kerberos is used when no authentication method and no user name are specified.
- Kerberos accepts domain user names, but not local user names.
- The Service Principal Name (SPN) for the remote computer name and port does not exist.
- The client and remote computers are in different domains and there is no trust between the two domains.
After checking for the above issues, try the following:
- Check the Event Viewer for events related to authentication.
- Change the authentication method; add the destination computer to the WinRM TrustedHosts configuration setting or use HTTPS transport. Note that computers in the TrustedHosts list might not be authenticated.
- For more information about WinRM configuration, run the following command: winrm help config.
To refer back to the numbered items in the error message:
- I use a domain admin account to do this.
- Not sure how to change this in Server Manager so I suppose the default should do it.
- I'm running inside the domain, starting Server Manager as a domain admin.
- The server actually has the following SPNs, which I haven't touched:
    - Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/srv003.rwwilden01.local
    - TERMSRV/SRV003
    - TERMSRV/srv003.rwwilden01.local
    - WSMAN/srv003
    - WSMAN/srv003.rwwilden01.local
    - RestrictedKrbHost/SRV003
    - HOST/SRV003
    - RestrictedKrbHost/srv003.rwwilden01.local
    - HOST/srv003.rwwilden01.local
- Both computers are in the same domain.
- No events on the client machine.
- It shouldn't be necessary to do this.
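A diagnostic script that walks through the checks the error message lists (forward and reverse DNS, registered SPNs, a WS-Man handshake forced to Kerberos, the TrustedHosts setting, and recent Kerberos events on the DC), as an added example that is not part of the original post. The host names srv003, srv003.rwwilden01.local and srv001 are taken from the post; that setspn.exe is present and that the caller can read the DC's Security log are assumptions.

```powershell
# Added diagnostic script (not from the original post). Names are assumed
# from the post; adjust $Target, $Fqdn and $Dc for another lab machine.
$Target = 'srv003'
$Fqdn   = 'srv003.rwwilden01.local'
$Dc     = 'srv001'

# 1. Forward and reverse DNS must agree. WinRM builds the SPN WSMAN/<name>
#    from the name the client typed, so a stale PTR record or a mismatched
#    A record makes the KDC hand out a ticket for the wrong service name.
$aRecords = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
foreach ($rec in $aRecords) {
    $ptr = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue
    '{0} -> {1} -> {2}' -f $Fqdn, $rec.IPAddress, ($ptr.NameHost -join ',')
}

# 2. SPNs on the computer account, then a forest-wide query for the WSMAN
#    SPN: it must exist exactly once, a duplicate on another account breaks it.
setspn -L $Target
setspn -Q "WSMAN/$Fqdn"

# 3. Tickets held by the current logon session, then a WS-Man handshake that
#    is forced to Kerberos so no Negotiate/NTLM fallback hides the problem.
klist
Test-WSMan -ComputerName $Fqdn   -Authentication Kerberos
Test-WSMan -ComputerName $Target -Authentication Kerberos

# 4. TrustedHosts should stay empty in a domain: entries there disable
#    mutual authentication, which is the trade-off the error text warns about.
Get-Item WSMan:\localhost\Client\TrustedHosts | Select-Object Name, Value

# 5. Kerberos ticket events from the last hour on the DC that mention the
#    target (4768 TGT request, 4769 service ticket request, 4771 pre-auth failure).
Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4768, 4769, 4771; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $Target } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

If step 1 shows the PTR record pointing at a different host, or step 2 reports the WSMAN SPN on a second account, that is the mismatch to correct before looking any further.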