Microsoft KB Archive/924177

From BetaArchive Wiki
Knowledge Base


The Setspn.exe tool incorrectly adds the dollar sign to the host name when you reset a service principal name in Active Directory in Windows Server 2003

Article ID: 924177

Article Last Modified on 10/11/2007


APPLIES TO

  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition


SYMPTOMS

When you run the Setspn.exe -R servername command to reset a service principal name (SPN) for a computer account in the Active Directory directory service, the following results appear at the command prompt: 

Registering ServicePrincipalNames for CN=<serverName>,CN=Computers,DC=example,DC=com
        HOST/<serverName>$.EXAMPLE
        HOST/<serverName>$
Updated object

In these results, the Setspn.exe tool incorrectly adds the dollar sign ($) to the host name. The results should appear as follows: 

Registering ServicePrincipalNames for CN=<serverName>,CN=Computers,DC=example,DC=com
        HOST/<serverName>.EXAMPLE
        HOST/<serverName>
Updated object

Therefore, the SPN is configured incorrectly.

Note The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.

CAUSE

This problem occurs because a function that the Setspn.exe tool uses returns the name of the computer together with a dollar sign character (also known as a string). The Setspn.exe tool incorrectly adds this string to the computer name.

WORKAROUND

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To work around this problem, modify the servicePrincipalName attribute in Active Directory. To do this, follow these steps:

  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.


Note The ADSI Edit tool is included with the Windows Server 2003 Support Tools.

  1. Connect to a domain controller if ADSI Edit is not already connected to a domain controller.
  2. Expand Domain [domainControllerName.example.com], expand DC=example,DC=com, and then expand CN=Computers.


Note If the computer for which you want to modify the SPN is located in a different container, modify this path as appropriate.

  1. Right-click CN=serverName, and then click Properties.
  2. On the Attribute Editor tab, click to select both the following check boxes:
    • Show mandatory attributes
    • Show optional attributes
  3. In the Attributes list, click servicePrincipalName, and then click Edit.
  4. In the Multi-valued String Editor dialog box, click HOST/serverName$, and then click Remove. This value appears in the Value to add box.
  5. Modify the entry in the Value to add box to remove the dollar sign ($), and then click Add.


Note If this entry already appears in the Values list, do not add it.

  1. Click HOST/serverName$.EXAMPLE, and then click Remove. This value appears in the Value to add box.
  2. Modify the entry in the Value to add box to remove the dollar sign ($), and then click Add.


Note If this entry already appears in the Values list, do not add it.

  1. Click OK two times, and then exit the ADSI Edit tool.


STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

For more information about how to use the Setspn command, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true


Keywords: kbtshoot kbbug kbprb kbpending KB924177



Send feedback to Microsoft

© Microsoft Corporation. All rights reserved.


Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Microsoft_KB_Archive/924177&oldid=336478
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki