locked
OHSBE Installation issue - Mapping Kerberos token to OHSBE services RRS feed

  • Question

  • Hi,

    I am trying to install OHSBE but face the following issue:

     

    Mapping Identity of OHSBE WSE web service and OHSBE Windows service to Kerberos token - CSF\OHSBE30

     

    My domain name is CSFDomain. While installing OHSBE I am not able to map Kerberos token - CSF\OHSBE30 to OHSBE WSE web service and OHSBE Windows service. The command Setspn fails, I tried several combinations without getting success:

     


    C:\Program Files\Support Tools>setspn -A CSFDOMAIN\OHSBE30 CSFDOMAIN\OHSBE-Servi
    ce
    Registering ServicePrincipalNames for CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Admin
    istration-OU,DC=CSFDomain,DC=com
            CSFDOMAIN\OHSBE30
    Failed to assign SPN on account 'CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Administra
    tion-OU,DC=CSFDomain,DC=com', 0x20b5

    C:\Program Files\Support Tools>setspn -A CSFDomain\OHSBE30 CSFDomain\OHSBE-Servi
    ce
    Registering ServicePrincipalNames for CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Admin
    istration-OU,DC=CSFDomain,DC=com
            CSFDomain\OHSBE30
    Failed to assign SPN on account 'CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Administra
    tion-OU,DC=CSFDomain,DC=com', 0x20b5

    C:\Program Files\Support Tools>setspn -A CSF\OHSBE30 CSFDomain\OHSBE-Service
    Registering ServicePrincipalNames for CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Admin
    istration-OU,DC=CSFDomain,DC=com
            CSF\OHSBE30
    Failed to assign SPN on account 'CN=OHSBE-Service,OU=CSF_OHSBE,OU=CSF-Administra
    tion-OU,DC=CSFDomain,DC=com', 0x20b5

     

    Can anyone let me know how to get this issue resolved?

     

    Thanks,

     

    Ashish Malhotra


    Wednesday, September 13, 2006 3:45 AM

Answers

  • Setspn.exe  requires domain administrator privileges. So you login with domain administrator account to run the command successfully. Also SPN should contain forward slash.

    Following is recommeded practice

    setspn -A domainname/servicename domainname\serviceaccount

     

    Thursday, September 21, 2006 4:30 AM

All replies

  • Setspn.exe  requires domain administrator privileges. So you login with domain administrator account to run the command successfully. Also SPN should contain forward slash.

    Following is recommeded practice

    setspn -A domainname/servicename domainname\serviceaccount

     

    Thursday, September 21, 2006 4:30 AM
  • Hi Ashish,

    Thanks for your note - I can see that the setspn.exe command has the wrong form... Instead of this:

       setspn -A CSFDOMAIN\OHSBE30 CSFDOMAIN\OHSBE-Service

    Try this form - note the forward / after "CSFDOMAIN":

       setspn -A CSFDOMAIN/OHSBE30 CSFDOMAIN\OHSBE-Service

    That should now work... The interesting thing about setspn.exe is that the first identifier could be anything - it could be, for example:

       setspn -A Forum/Answer CSFDOMAIN\OHSBE-Service

    Thanks, Ashish!!!

    -Rob.

    Tuesday, September 26, 2006 7:06 AM