Error 80070721 Occurs When Instantiating a COM Component on a Remote Windows 2008 Server
Problem Description
An application calls CreateObject to activate a COM+ component or a DCOM server component which runs on a remote machine. The call to the CreateObject may fail with the error 80070721 which translates to "A security package specific error occurred." Both machines are Windows server 2008 or Vista.
Cause
This happens because when the client requests a Kerberos ticket for the COM+ application or the DCOM service it uses a user name as the SPN (Service Principal Name). The KDC (Key Distribution Center) finds the account but it does not have any SPN.
If you get a network trace with Microsoft Network Monitor you will see the Kerberos error in the trace similar to this:
172.17.10.21 172.17.10.17 KerberosV5 KerberosV5:TGS Request Realm: <domain> Sname: DCOMServiceAccount
172.17.10.17 172.17.10.21 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
DCOMServiceAccount is the identity of the COM+ application or the DCOM server application.
Resolution
Registering the following SPN's should workaround the issue:
setspn -A DCOMService/DCOMServer Domain\DCOMServiceAccount
setspn -A DCOMService/DCOMServerFQDN Domain\DCOMServiceAccount
DCOMService:
The name of the COM+ application or the DCOM server application.DCOMServer:
The NetBIOS name of the server machine where the COM+ application or the DCOM component resides.DCOMServerFQDN:
The Fully Qualified Domain Name of the server machine where the COM+ application or the DCOM component resides.DCOMServiceAccount:
The identity of the COM+ application or the DCOM server application..
To run setspn.exe to register a SPN for a domain account, you need to be a domain admin. Setspn.exe can be run on any machine in the domain.
Comments
Anonymous
October 21, 2013
Thanks, you are a star! That fixed my Windows 7 COM+ proxy to Windows 2008 R2 COM+ server problem.Anonymous
January 13, 2014
Thank you.. Thank YouAnonymous
March 31, 2016
uahuuuuu thank my hair was getting whiter