The WinRM service failed to create the following SPNs

  • Question

  • I have numerous servers showing this Warning in the event log(s).

    The systems are all Microsoft Windows Server 2003 R2 Enterprise Edition SP2.

    All are virtual, running on VMware 5.0.

    We are a child domain and the parent domain manages DNS and DHCP.

    *******************************************************************************

    Event Type: Warning
    Event Source: WinRM
    Event Category: None
    Event ID: 10154
    Date:  9/6/2012
    Time:  3:32:46 AM
    User:  N/A
    Computer: SERVER
    Description:
    The WinRM service failed to create the following SPNs: WSMAN/SERVER.my.little.company.com; WSMAN/SERVER.

     Additional Data
     The error received was 8235: A referral was returned from the server. .

     User Action
     The SPNs can be created by an administrator using setspn.exe utility.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ***********************************************************************************

    Of course the Help and Support Center link is useless.  I have searched all over the internet and what I have found tells me to do the following:

    Open ADSIedit and find the computer in question, right click and choose properties, click security tab, highlight "NETWORK SERVICE" & in the lower pane find "Validated write to service principal name" and check the Allow box.  Restart the WinRM service.

    Run the following command(s):

    .\Setspn.exe -A WSMAN/SERVER

    .\Setspn.exe -A WSMAN/SERVER.my.little.company.com

    These commands look to have created the SPNs.

    BUT here is the problem ... the warnings will not stop.  Running the command: .\Setspn.exe -L SERVER

    shows me the SPNs for the WSMAN/* and HOST/*.

    I don't think I'm in a disjoint namespace, the dns suffix and the domain name are the same.  (my.little.company.com)

    How can I fix this so that the Warnings stop? 

    • Edited by Wasisname Thursday, September 6, 2012 2:49 PM
    Thursday, September 6, 2012 2:45 PM

All replies

  • "Network Service" does not have the "Validated write to service principal name" in AD.
    But be careful of allowing this permission in AD (security).
    http://technet.microsoft.com/en-us/library/cc728117(v=ws.10).aspx
    Thursday, April 11, 2013 2:35 PM
  • When I look in ADSI Edit and drill down to the specified server looking at Properties --> (Security Tab) --> [Advanced Button] --> (Permissions Tab) --> Network Service --> Click EDIT.  I get the permissions window and on the (Object Tab) at the very bottom it says "Validated write to service principal name" and the check box for Allow is already checked.   But these warnings persist.

    I've used the setspn.exe utility to set the SPN for each server with the issue.  NOW when I do a SetSPN -L Servername it shows the SPNs that I have set.

    However, the warnings persist.

    Friday, April 12, 2013 2:07 PM
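
An added example, not part of any post in this thread: a small triage script that takes the Event 10154 description and the text output of `setspn -L`, and reports which of the SPNs named in the warning are already registered and which are missing. The event text is the one quoted in the question; the `setspn -L` output is a constructed sample (the OU in the distinguished name is hypothetical), and the function names are this example's own.

```python
import re

# Event 10154 description as quoted in the question above.
EVENT_TEXT = (
    "The WinRM service failed to create the following SPNs: "
    "WSMAN/SERVER.my.little.company.com; WSMAN/SERVER.\n"
    " Additional Data\n"
    " The error received was 8235: A referral was returned from the server. .\n"
)

# Constructed sample of `setspn -L SERVER` output (OU is hypothetical).
SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for "
    "CN=SERVER,OU=Servers,DC=my,DC=little,DC=company,DC=com:\n"
    "    WSMAN/SERVER\n"
    "    WSMAN/SERVER.my.little.company.com\n"
    "    HOST/SERVER\n"
    "    HOST/SERVER.my.little.company.com\n"
)

def parse_event_10154(text):
    """Return (set of SPNs WinRM tried to create, numeric error code or None)."""
    spns = set()
    m = re.search(r"failed to create the following SPNs:\s*(.+)", text)
    if m:
        for item in m.group(1).split(";"):
            spn = item.strip().rstrip(".")  # the list ends with a sentence period
            if spn:
                spns.add(spn.upper())       # SPN comparison is case-insensitive
    err = re.search(r"error received was (\d+)", text)
    return spns, int(err.group(1)) if err else None

def parse_setspn_list(output):
    """Return the SPNs listed by `setspn -L` (the indented lines under the header)."""
    return {line.strip().upper() for line in output.splitlines()
            if line[:1] in (" ", "\t") and "/" in line}

def triage(event_text, setspn_output):
    """Compare the SPNs named in the warning with those on the computer account."""
    wanted, error = parse_event_10154(event_text)
    registered = parse_setspn_list(setspn_output)
    return {"error": error,
            "missing": sorted(wanted - registered),
            "already_registered": sorted(wanted & registered)}

if __name__ == "__main__":
    print(triage(EVENT_TEXT, SETSPN_OUTPUT))
```

An empty `missing` list together with a recurring warning is the situation described in this thread: the SPNs are on the computer account, yet the service's own attempt to write them still returns error 8235.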