Share via


Event ID 24 — Service Principal Name Configuration

Applies To: Windows Server 2008

Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). An SPN is used by Kerberos to uniquely identify an account that is requesting access to a resource.

Event Details

Product: Windows Operating System
ID: 24
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_POLICY_USER2USER_REQUIRED
Message: A service ticket request by client %1 for %2 was rejected because User2User was required. The KDC responds with this error when a client requests a service ticket for a user principal (a security risk). The client must support User2User in order to obtain a service ticket for the requested service principal

Resolve

Reset the service principal name

Each service principal name (SPN) must be unique. If the computer name is changed, the SPN is not automatically updated. You must reset the SPN so that it matches the computer name.

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To reset the SPN:

  1. Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -R<server_name>, where server_name is the name of the server for which you need to reset the SPN.

Verify

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify that the service principal name (SPN) was configured correctly:

  1. Log on to a domain controller.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -L <computer_name>, where computer_name is the name of the computer referenced in the event log message.
  5. The output of this command will show the SPN configured for this computer.
  6. If there are no duplicate entries, the SPNs are configured correctly.

Service Principal Name Configuration

Core Security