When the GPOADmin service is set to run as an account from a different domain (a domain other than the one the GPOADmin server belongs to), logging in to the GPOADmin client may fail with an error such as:
"The server has rejected the client credential"
Reviewing the GPOAdmin event log shows the following error:
"Error updating service principal name"
Because the service account belongs to a different domain, the GPOADmin server cannot write the Service Principal Name (SPN) on that account, and Kerberos authentication to the service requires that SPN. The SPN has to be registered on the service account in the account's own domain, so an administrator with permission to write servicePrincipalName on that account has to set it manually. An SPN must be registered on exactly one account: if the same SPN is still present on an old or different account, Kerberos authentication fails even after it has been added to the correct one, which is why the query and remove steps below come before the set step.
This issue affects only GPOAdmin 5.13 and later.
You can use the following commands to manually update the service principal name on the service account. The -T switch targets the domain to search; run the commands against the domain the service account belongs to.
To query for the SPN (the output names the account, if any, that currently holds it):
SETSPN -T <DomainFQDN> -Q "GPOADmin/GPOADminService/<DomainFQDN>"
To remove the SPN from the account reported by the query above (needed only if it is not the intended service account):
SETSPN -D "GPOADmin/GPOADminService/<DomainFQDN>" ACCOUNT_FROM_QUERY_ABOVE
To set the SPN on the service account (-U tells SETSPN the target is a user account, -S checks for duplicates before adding):
SETSPN -U -S "GPOADmin/GPOADminService/<DomainFQDN>" "<Domain>\<GPOAdminServiceAccount>"
If you wish to prevent the service from attempting to update the SPN itself (and logging the "Error updating service principal name" event each time it fails), add the following value to the registry of the GPOADmin server if it does not already exist:
- Value path: HKEY_LOCAL_MACHINE\SOFTWARE\Quest\GPOADmin\ServerConfig
- Value name: UpdateSPN
- Value type: DWORD
- Value: 0
Remove the value or set it to 1 to allow the service to update the SPN.
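The following PowerShell is an added example, not Quest's code, that performs the same reconciliation as the SETSPN commands above (query, remove any duplicate, set, verify) with the ActiveDirectory module, and then toggles the UpdateSPN registry value. It assumes the ActiveDirectory module is installed where it runs, that the caller has rights to write servicePrincipalName on the service account in its home domain, and that the SPN is exactly the string the article gives, "GPOADmin/GPOADminService/<DomainFQDN>"; the domain and account names in the invocation at the end are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not Quest's code: reconcile the GPOADmin SPN with the
# ActiveDirectory module (instead of setspn.exe) and toggle the UpdateSPN
# registry value described in the KB article. Assumptions: the module is
# installed on the machine running this, the caller can write
# servicePrincipalName on the service account in its own domain, and the SPN
# is exactly "GPOADmin/GPOADminService/<DomainFQDN>".

function Repair-GPOADminSpn {
    param(
        [Parameter(Mandatory)] [string] $DomainFQDN,            # domain named in the SPN (the GPOADmin server's domain)
        [Parameter(Mandatory)] [string] $ServiceAccountDomain,  # domain the service account belongs to
        [Parameter(Mandatory)] [string] $ServiceAccountSam,     # sAMAccountName of the service account
        [switch] $WhatIf                                        # report only, change nothing
    )

    $spn = "GPOADmin/GPOADminService/$DomainFQDN"
    $target = Get-ADUser -Server $ServiceAccountDomain -Identity $ServiceAccountSam -Properties servicePrincipalName

    # Find every object that currently holds the SPN in both domains involved
    # (this is the setspn -T <domain> -Q step). An SPN must map to exactly one
    # account; a duplicate left on a stale account breaks Kerberos for the service.
    $domains = @($ServiceAccountDomain, $DomainFQDN) | Select-Object -Unique
    $holders = foreach ($d in $domains) {
        Get-ADObject -Server $d -LDAPFilter "(servicePrincipalName=$spn)" |
            ForEach-Object { [pscustomobject]@{ Domain = $d; Object = $_ } }
    }

    # Remove the SPN from anything that is not the intended service account (setspn -D).
    foreach ($h in $holders) {
        if ($h.Object.DistinguishedName -ne $target.DistinguishedName) {
            Write-Host "Removing $spn from $($h.Object.DistinguishedName)"
            if (-not $WhatIf) {
                Set-ADObject -Server $h.Domain -Identity $h.Object -Remove @{ servicePrincipalName = $spn }
            }
        }
    }

    # Add the SPN to the service account if it is missing (setspn -U -S).
    if ($target.servicePrincipalName -notcontains $spn) {
        Write-Host "Adding $spn to $($target.DistinguishedName)"
        if (-not $WhatIf) {
            Set-ADObject -Server $ServiceAccountDomain -Identity $target -Add @{ servicePrincipalName = $spn }
        }
    }

    # Verify: exactly one holder across both domains, and it is the service account.
    if (-not $WhatIf) {
        $after = foreach ($d in $domains) {
            Get-ADObject -Server $d -LDAPFilter "(servicePrincipalName=$spn)"
        }
        $after = @($after | Select-Object -ExpandProperty DistinguishedName -Unique)
        if ($after.Count -ne 1 -or $after[0] -ne $target.DistinguishedName) {
            throw "SPN $spn is not uniquely registered on $ServiceAccountSam (holders: $($after -join '; '))"
        }
    }
    return $spn
}

function Set-GPOADminSpnUpdate {
    # Run on the GPOADmin server. $false writes UpdateSPN=0 so the service no
    # longer tries (and fails) to write the SPN itself; $true writes 1.
    param([Parameter(Mandatory)] [bool] $Enabled)
    $key = 'HKLM:\SOFTWARE\Quest\GPOADmin\ServerConfig'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'UpdateSPN' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
    (Get-ItemProperty -Path $key -Name 'UpdateSPN').UpdateSPN
}

# Example invocation with hypothetical names; drop -WhatIf to apply the change.
# Repair-GPOADminSpn -DomainFQDN 'corp.example.com' -ServiceAccountDomain 'svc.example.net' -ServiceAccountSam 'gpoadminsvc' -WhatIf
# Set-GPOADminSpnUpdate -Enabled $false
```

Run Repair-GPOADminSpn first with -WhatIf to see which accounts hold the SPN before anything is removed; the function searches both the service account's domain and the domain named in the SPN, since the stale entry can sit in either. Set-GPOADminSpnUpdate needs local administrator rights on the GPOADmin server and returns the value it wrote so the change can be confirmed.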