Home
  •  

Data Access Service SPN Registration

Microsoft.SystemCenter.DataAccessService.SdkSpnRegistration (Rule)

Rule to alert if a service principal name (SPN) for the account running the System Center Data Access service isn't registered.

Knowledge Base article:

Summary

The service principal name (SPN) for the "System Center Data Access" service may have failed to register. The "System Center Data Access" service must register SPNs for the Operations console and other SDK clients to authenticate using Kerberos.

Causes

In most cases this is due to the "System Center Data Access" service not having the necessary permissions to perform the SPN registration within Active Directory.

Resolutions

Check the existing SPN registrations by running the following command:

If the SPNs are registered correctly, you should see the following results:

If the SPNs are not correctly registered, register them manually by running the following commands, using an account with domain administrator rights:

Element properties:

TargetMicrosoft.SystemCenter.ManagementDataAccessService
CategoryAlert
EnabledTrue
Event_ID26371
Event SourceOpsMgr SDK Service
Alert GenerateTrue
Alert SeverityError
Alert PriorityHigh
RemotableTrue
Alert Message
Data Access Service SPN Not Registered
{0}
Event LogOperations Manager

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.SystemCenter.DataAccessService.SdkSpnRegistration" Enabled="true" Target="Microsoft.SystemCenter.ManagementDataAccessService" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>Alert</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Operations Manager</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="UnsignedInteger">26371</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery Type="String">PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value Type="String">OpsMgr SDK Service</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>2</Priority>

      <Severity>2</Severity>

      <AlertName/>

      <AlertDescription/>

      <AlertOwner/>

      <AlertMessageId>$MPElement[Name="Microsoft.SystemCenter.DataAccessService.SdkSpnRegistration.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue>$Data/EventDisplayNumber$</SuppressionValue>

        <SuppressionValue>$Data/PublisherName$</SuppressionValue>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>