-
Titre
How to move the Service Principal Name (SPN) from Computer Object to a Domain User -
Description
By default, the Change Auditor Coordinator service runs as "Local System". Administrators may want to run the ChangeAuditor service as a Domain User or service account instead of "Local System".
The Change Auditor Service Principal Name (SPN) needs to be moved in Active Directory if the account used to run the Change Auditor Coordinator account is changed. If the SPN is not moved, the Change Auditor agents will not be able to connect to Change Auditor Coordinator and the following Warnings will be recorded:
Change Auditor Agent Log:
2015-11-23 10:23:23.125 [16976][WARN][RepositoryLoadBalance::_connectProtocol(685)] Connection attempt (NPRepository4(DEFAULT)/CA.test.com) failed. NetProLib::Protocol::CConnection::InitiateAuthentication - Unable to authenticate to SPN: NPRepository4(DEFAULT)/CA.test.com Msg: NetProLib::Sspi::ClientContext::Initialize - The target principal name is incorrect.. Connection: 0000000004623650
-
Résolution
Perform the following from a Command prompt on a Domain Controller or any machine with the AD tools installed:
- To remove the SPN off the computer object:
setspn -D NPRepository4(DEFAULT)/SERVER.DOMAIN.TLD SERVERNAME
- To add the SPN to the service account:
setspn -A NPRepository4(DEFAULT)/SERVER.DOMAIN.TLD USERNAME
SERVER.DOMAIN.TLD = FQDN of the coordinator server
SERVERNAME = Short name of the coordinator server
USERNAME = SAM account name of the service account- Update the Quest ChangeAuditor Coordinator service to run under the username context in question.
- Restart the Coordinator service.