8

On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email server. The command line I'm using is of the form:

setspn -a imap/email-domain.com windows-domain\postmaster

When I run this command, I get the result:

Registering ServicePrincipalNames for CN=Postmaster,OU=Users,DC=windows-domain,DC=com
    imap/email-domain.com
Failed to assign SPN on account 'CN=Postmaster,OU=Users,DC=windows-domain,DC=com', error 0x2098/8344 ->
Insufficient access rights to perform the operation.

This is most curious, since I am logged in as a user in the group Domain Admins. I checked effective privileges for this account, and I can't see any that are not included. I also tried a different administrator account, with the same result.

Just to rule it out, I also added the user Postmaster to Domain Admins, but no change to the result.

I am running this command directly on the Domain Controller instance. I am able to query SPNs with no difficulty, I just can't seem to write them.

I also attempted to use ktpass to indirectly set the SPN on the desired user, but received a warning:

WARNING: Unable to set SPN mapping data.

...which I assume is a symptom of the same insufficient access problem.

What could be causing this error?

kbluck

1 Answer

10

Are you running from an elevated command prompt (right-click, Run as Administrator)? If not, that would explain the error.

K. Brian Kelley
  • Thanks. I was running plain old cmd.exe. Running Powershell as Administrator did indeed work. – kbluck Nov 25 '09 at 16:35
  • The root cause of the issue is User Access Control, according to Scott Lowe. http://blog.scottlowe.org/2007/07/09/uac-and-ktpassexe/ – kbluck Nov 25 '09 at 20:38
  • Yes, this will bite you in Vista/Windows 7 as well. And it'll hit for things you may not think about, like the use of ipconfig to do anything other than list the IP configuration. – K. Brian Kelley Nov 25 '09 at 23:16