adding another SPN to a domain controller does not stay added

  • Thread starter Thread starter Brandon McCombs
  • Start date Start date
B

Brandon McCombs

When I add a new SPN to a domain controller of the form
'ldap/oldhostname' due to a Java application requiring that old SPN to
use Kerberos authentication, ADS will eventually remove that SPN which
causes me to have to add it again before the Java application works.
I'm not sure why the Java app is trying to use that SPN because on
other user PCs it works fine. Only on my PC is it trying to use that
SPN. The old hostname in the SPN is the name of the old domain
controller we had in our domain over a year ago. I'm using the setspn
command to add the SPN.

thanks
 
In
Brandon McCombs said:
When I add a new SPN to a domain controller of the form
'ldap/oldhostname' due to a Java application requiring that old SPN to
use Kerberos authentication, ADS will eventually remove that SPN which
causes me to have to add it again before the Java application works.
I'm not sure why the Java app is trying to use that SPN because on
other user PCs it works fine. Only on my PC is it trying to use that
SPN. The old hostname in the SPN is the name of the old domain
controller we had in our domain over a year ago. I'm using the setspn
command to add the SPN.

thanks
Click to expand...

Apparently the Java app was setup when the old host name was still in
existance. The only thing I can suggest is to look in the Java app ini or
whatever configuration files it is using to see where it is referencing it
and change it.

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations

Having difficulty reading or finding responses to your post?
Instead of the website you're using, try using OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. Anonymous access. It's free - no username or password
required nor do you need a Newsgroup Usenet account with your ISP. It
connects directly to the Microsoft Public Newsgroups. OEx allows you
o easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject. It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

"Quitting smoking is easy. I've done it a thousand times." - Mark Twain
 
Yep that is expected behavior. The DC knows that that isn't its name and
it shouldn't have that SPN so it removes it when it checks its
registrations. You can't override it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Ace said:
In

Apparently the Java app was setup when the old host name was still in
existance. The only thing I can suggest is to look in the Java app ini or
whatever configuration files it is using to see where it is referencing it
and change it.
Click to expand...

True, the Java app started being used when the old hostname was still in
existence. The problem is that the same Java app works on other
workstations without the change. The SPN change is only required for my
workstation so I highly doubt the problem is inside the Java app. That
is partially why I came on here, but also to find out why the SPN
doesn't stay.
 
In
Brandon McCombs said:
True, the Java app started being used when the old hostname was still
in existence. The problem is that the same Java app works on other
workstations without the change. The SPN change is only required for
my workstation so I highly doubt the problem is inside the Java app.
That is partially why I came on here, but also to find out why the SPN
doesn't stay.
Click to expand...

I am going with Joe as to why it changes. Default behavior.

Curious, is this one workstation pointing to an ISP's DNS address? Does your
IP range use private or public IPs? Do you have a reverse zone created?

Ace
 
Ace said:
In

I am going with Joe as to why it changes. Default behavior.

Curious, is this one workstation pointing to an ISP's DNS address? Does your
IP range use private or public IPs? Do you have a reverse zone created?

Ace
Click to expand...

It is a workstation on a private network using internal DNS.....same as
all other workstations that use the app. We use public IPs. I don't know
if a reverse zone exists or not. I believe there is a reverse zone but
not positive.

thanks
 
Reverse zone really shouldn't come into play here unless the app is for
some reason trying to use it to generate an SPN which would be bad, you
don't trust DNS to map IPs to FQDNs, that is why MSFT doesn't do it and
kerberos fails if you specify an IP address instead of a name.

I would get a network trace to see if you see anything that gives you a
clue why it is doing what it is doing. But definitely I wouldn't even
consider trying to update an SPN for a single client even if it allowed you.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Joe said:
Reverse zone really shouldn't come into play here unless the app is for
some reason trying to use it to generate an SPN which would be bad, you
don't trust DNS to map IPs to FQDNs, that is why MSFT doesn't do it and
kerberos fails if you specify an IP address instead of a name.

I would get a network trace to see if you see anything that gives you a
clue why it is doing what it is doing. But definitely I wouldn't even
consider trying to update an SPN for a single client even if it allowed
you.
Click to expand...

I turned kerberos debugging on when I first had problems and all I could
gather from that was it was sending (or maybe receiving, couldn't quite
tell) a different amount of data than another client would experience.
When a client worked the kerberos debug output wouldn't mention the SPN
used but they worked so the SPN had to have been ldap/newhostname. I
believe I also used my username to log onto another machine that didn't
have trouble and I was able to login and that's how I was able to narrow
down it was something within the machine settings and not even something
within my profile or my user hive in the registry. A network trace may
be harder to do since this is a gov't network and I'd have to go through
the political process of having a network sniffer approved.
 
Back
Top