On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email server. The command line I'm using is of the form:
setspn -a imap/email-domain.com windows-domain\postmaster
When I run this command, I get the result:
Registering ServicePrincipalNames for CN=Postmaster,OU=Users,DC=windows-domain,DC=com
imap/email-domain.com
Failed to assign SPN on account 'CN=Postmaster,OU=Users,DC=windows-domain,DC=com', error 0x2098/8344 ->
Insufficient access rights to perform the operation.
This is most curious, since I am logged in as a user in the group Domain Admins. I checked effective privileges for this account, and I can't see any that are not included. I also tried a different administrator account, with the same result.
Just to rule it out, I also added the user Postmaster to Domain Admins, but no change to the result.
I am running this command directly on the Domain Controller instance. I am able to query SPNs with no difficulty; I just can't seem to write them.
I also attempted to use ktpass to indirectly set the SPN on the desired user, but received a warning:
WARNING: Unable to set SPN mapping data.
...which I assume is a symptom of the same insufficient access problem.
What could be causing this error?