Error 8344 Spn
setspn to add spn results in error 8344 insufficient access rights
Windows Server > Directory Services

Question

I am trying to add a SPN using the setspn tool. The user is a domain user with Validated write to service principal name permissions on the computer objects in the domain. The domain admin assigned the privileges using the steps mentioned in
( Domain/User Properties --> Security Tab --> Advanced --> Add User --> Apply onto --> User Objects), SPN related Permissions\Properties are not visible. They are only visible if you have selected Computer Objects. The SPN related Permissions are as follows:

- Validated write to service principal name
- Read servicePrincipalName
- Write servicePrincipalName

If the error occurs when trying to add SPNs on Computer Account, please enable all the above three permissions and check the issue again. If you would like to add SPN on User Accounts, we need other methods to achieve this.

Thanks.
Nina

Friday, March 11, 2011 2:57 AM
Proposed as answer by Meinolf Weber (MVP), Sunday, March 13, 2011 9:53 PM
Marked as answer by Nina Liu - MSFT (Moderator), Monday, March 14, 2011 1:44 AM

All replies

Use "run as an administrator" and check if this solves your
https://social.technet.microsoft.com/Forums/windowsserver/en-US/1262a5f8-20da-4df2-8ced-42529ece89fa/setspn-to-add-spn-results-in-error-8344-insufficient-access-rights?forum=winserverDS

Create SPN with setspn.exe - Insufficient access rights
http://serverfault.com/questions/87982/create-spn-with-setspn-exe-insufficient-access-rights

On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email server. The command line I'm using is of the form:

    setspn -a imap/email-domain.com windows-domain\postmaster

When I run this command, I get the result:

    Registering ServicePrincipalNames for CN=Postmaster,OU=Users,DC=windows-domain,DC=com
            imap/email-domain.com
    Failed to assign SPN on account 'CN=Postmaster,OU=Users,DC=windows-domain,DC=com', error 0x2098/8344 -> Insufficient access rights to perform the operation.

This is most curious, since I am logged in as a user in the group Domain Admins. I checked effective privileges for this account, and I can't see any that are not included. I also tried a different administrator account, with the same result. Just to rule it out, I also added the user Postmaster to Domain Admins, but no change to the result. I am running this command directly on the Domain Controller instance.
I am able to query SPNs with no difficulty, I just can't seem to write them. I also attempted to use ktpass to indirectly set the SPN on the desired user, but received a warning:

    WARNING: Unable to set SPN mapping data.

...which I assume is a symptom of the same insufficient access problem. What could be causing this error?

Tags: windows-server-2008, kerberos, permissions, spn
asked Nov 24 '09 at 22:39, edited Nov 25 '09 at 16:42, kbluck

1 Answer (accepted)

Are you running from an elevated command prompt (right-click, Run as Administrator)? If not, that would explain the error.

answered Nov 25 '09 at 0:00, K. Brian Kelley

Thanks. I was running plain old cmd.exe. Running Powershell as Administrator did indeed work. –kbluck Nov 25 '09 at
https://www.experts-exchange.com/questions/28711524/How-to-delegate-SetSPN-in-Active-Directory.html
http://oracle-sqlserver.over-blog.com/2015/08/sql-server-error-2098-8344.html

How to delegate SetSPN in Active Directory
Posted on 2015-09-04; last modified 2015-10-06
Topics: Microsoft IIS Web Server, SSRS, MS SQL Server, Active Directory

Hi there! I work as a domain admin for a software development shop. The product is web and SQL-based, and we use SPN's for authentication. Our Dev and QA teams are constantly spinning up and destroying VM's as part of our development process, and for each new VM I currently run

    SetSPN -S HTTP/{server name} {user name}

to set authentication with a service account. What I'd like to do is delegate the running of SetSPN to an AD security group. We're a 24 hour shop and the overseas folks are getting frustrated having to wait for my working hours to start. This would make everyone's lives much easier :)

My DC's are a mixture of Server 2008 R2 and Server 2012 R2, running at a Server 2008 SP2 functional level. I've followed the steps here under the Delegating Authority To Modify SPN's section, but my test user gets this error:

    Failed to assign SPN on account '{CN of service account and DN of domain}', error 0x2098/8344 -> Insufficient access rights to perform the operation.
Things I've also tried include:

- Running the SetSPN command from an elevated command prompt
- Allowed these properties for Computer Objects to the security group: Validated write to service principal name, Validated write to MS DS additional host name, read/write msDS Allowed To Delegate To
- Allowed these properties for User Objects to the security group: Read/Write msDS Principal Name, read/write msDS Allowed To Delegate To
- Added the security group to "Enable computer and user accounts to be trusted for delegation" to a custom GPO
- Added the service account itself to the security group I've delegated these rights to
- Added these same permissions to SELF on the service account user object

What the heck am I missing here?

Question by: kukhuvud
SQL Error 2098, 8344
Published on August 21 2015 by LakshmiSaahul, Dhana Royal

To understand the error, you can translate the error code 0x2098 into a more readable form.

- You can use the Error Code Lookup tool: http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en
  Then run the command err.exe 2098:

    # for hex 0x2098 / decimal 8344 :
      ERROR_DS_INSUFF_ACCESS_RIGHTS winerror.h
    # Insufficient access rights to perform the operation.
    # 1 matches found for "2098"

- Or go directly to the error codes at: http://msdn.microsoft.com/en-us/library/ms681390(VS.85).aspx

    ERROR_DS_INSUFF_ACCESS_RIGHTS 8344 (0x2098) Insufficient access rights to perform the operation.

This error message indicates that the SQL Server service account does not have sufficient rights to register the SPN.

Cause

SPNs are used by the Kerberos authentication protocol. If the account the instance runs under is known, Kerberos authentication can be used to provide mutual authentication between the client and the server. If that account is not known, NTLM authentication is used, which provides only authentication of the client by the server.

If you run SQL Server under the LocalSystem account, the SPN is registered automatically, because SQL Server registers it with the machine account, which has the right to create an SPN by default. Kerberos then interacts successfully with the server running SQL Server. However, if you run SQL Server under a domain account or a local account, the attempt to create the SPN may fail. When creating the service principal name fails, no SPN is set for the service that is running SQL Server.

Solution

You must therefore implement a solution so that the SPN is created for each SQL Server instance on which you want to use the Kerberos protocol.

Method 1 : The method recommended by Microsoft Support.
In Active Directory, you can give the SQL Server service account the rights below:

- Read servicePrincipalName
- Write servicePrincipalName

Method 2 : You can also give it the rights manually using the SetSPN tool (http://msdn.microsoft.com/fr-fr/library/cc280459.aspx).

For a standalone SQL Server:

    SetSPN -A MSSQLSvc/