Event ID 24 — Service Principal Name Configuration
Applies To: Windows Server 2008
Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). An SPN is used by Kerberos to uniquely identify an account that is requesting access to a resource.
Event Details
Product: Windows Operating System
ID: 24
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_POLICY_USER2USER_REQUIRED
Message: A service ticket request by client %1 for %2 was rejected because User2User was required. The KDC responds with this error when a client requests a service ticket for a user principal (a security risk). The client must support User2User in order to obtain a service ticket for the requested service principal.
Resolve
Reset the service principal name
Each service principal name (SPN) must be unique. If the computer name is changed, the SPN is not automatically updated. You must reset the SPN so that it matches the computer name.
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To reset the SPN:
- Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
- Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type setspn -R <server_name>, where server_name is the name of the server for which you need to reset the SPN. The -R switch resets the default HOST SPNs (HOST/<name> and HOST/<fully qualified name>) on that computer account to match its current name.
Verify
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To verify that the service principal name (SPN) was configured correctly:
- Log on to a domain controller.
- Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type setspn -L <computer_name>, where computer_name is the name of the computer referenced in the event log message.
- The output of this command lists the SPNs registered on this computer account.
- Because setspn -L reads only the one account, it cannot show a duplicate of the same SPN registered on a different account. Run setspn -X to search the forest for duplicate SPNs.
- If no duplicate entries are reported, the SPNs are configured correctly.
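The reset and verification steps above, combined into one script. This is an added example, not part of the original Microsoft page: it assumes the setspn.exe that ships with Windows Server 2008 (which has the -X switch), a domain-joined session with rights to write servicePrincipalName, and an illustrative computer name supplied in $ComputerName. Because setspn -L shows only the one account, the script also queries the domain over LDAP for every SPN it finds so that a duplicate registered on another account is caught.

```powershell
# Added example (not Microsoft's code): reset the HOST SPNs on a computer
# account, list what is registered, and check the domain for duplicates.
# Assumes Windows Server 2008 setspn.exe and a domain-joined session with
# rights to write servicePrincipalName. $ComputerName is an illustrative input.
param(
    [Parameter(Mandatory = $true)]
    [string]$ComputerName
)

# 1. Reset the default HOST/<name> and HOST/<fqdn> SPNs so they match the
#    current computer name (the step described under Resolve).
& setspn.exe -R $ComputerName
if ($LASTEXITCODE -ne 0) {
    throw "setspn -R $ComputerName failed with exit code $LASTEXITCODE"
}

# 2. List the SPNs now registered on the computer account. setspn -L prints a
#    header line followed by one indented SPN per line; keep only the SPNs.
$spns = & setspn.exe -L $ComputerName |
    Where-Object { $_ -match '^\s+\S+/\S+' } |
    ForEach-Object { $_.Trim() }
Write-Host "SPNs registered on ${ComputerName}:"
$spns | ForEach-Object { Write-Host "  $_" }

# 3. setspn -L reads a single account, so it cannot reveal the same SPN
#    registered on another account. Search the whole domain for each SPN
#    value with an LDAP query (no Active Directory module required).
$searcher = [adsisearcher]''          # DirectorySearcher rooted at the default naming context
$searcher.PageSize = 1000
$null = $searcher.PropertiesToLoad.Add('distinguishedName')

$duplicates = @()
foreach ($spn in $spns) {
    # Escape the RFC 4515 special characters before embedding the value in a filter.
    $escaped = $spn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    $owners = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    if ($owners.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn is registered on: $($owners -join '; ')"
        $duplicates += $spn
    }
}

# 4. Cross-check with the built-in forest-wide duplicate search.
& setspn.exe -X

if ($duplicates.Count -eq 0) {
    Write-Host "No duplicate SPNs found for $ComputerName; configuration is correct."
} else {
    Write-Host "Resolve the $($duplicates.Count) duplicate SPN(s) above before retrying."
}
```

Run it from an elevated prompt on a domain controller or any domain-joined host with setspn.exe in the path, for example `.\Check-Spn.ps1 -ComputerName SRV01` (script file name and computer name are illustrative). The LDAP query is the part that actually proves uniqueness: setspn -L answers "what does this account claim", while the filter search answers "who else claims the same name", which is the condition that causes Kerberos ticket requests to fail.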