Home
  •  

VMRC: Service principal name (SPN) could not be registered

Microsoft.Virtualization.VirtualServer.2005R2.VMRC_Service_principal_name_SPN_could_not_be_regiestered.rule (Rule)

Knowledge Base article:

Summary

The service principle name (SPN) for Virtual Server could not be registered, so Kerberos authentication cannot be used for users accessing virtual machines by using the Virtual Machine Remote Control (VMRC) client. This may be because the computer running Virtual Server cannot access the domain controller or because Virtual Server was installed on a domain controller. If VMRC is configured to allow it, users will be authenticated by using NTLM authentication rather than Kerberos. If NTLM is not allowed, then users will not be able to access virtual machines by using the VMRC client.

Causes

The service principle name (SPN) for Virtual Server could not be registered because the computer running Virtual Server cannot access the domain controller or because Virtual Server was installed on a domain controller.

Resolutions

If you want to use Kerberos authentication for VMRC, then you need to do the following:

1. Ensure that the computer running Virtual Server is connected to the domain and that the domain controller is functioning.

2. If Virtual Server is installed on a domain controller, you will need to manually configure the SPN for Virtual Server, as follows:

a. From a command line on the domain controller, type "adsiedit.msc".

b. Expand Domain [domain_name], expand DC=[domain_controller], and then expand OU=Domain Controllers.

c. Right-click the domain controller on which Virtual Server is installed, and click Properties.

d. In Attributes, click servicePrincipleName, and then click Edit.

e. In Value to add, type "vssrvc/domain_controller" and click Add.

f. In Value to add, type "vssrvc/FQDN," click Add, and then click OK twice.

Notes

For more information about configuring VMRC authentication, see the topic on configuring Virtual Machine Remote Control in the <EM>Virtual Server 2005 Administrator’s Guide.

External

Virtual Server 2005 Administrator's Guide, available at http://go.microsoft.com/fwlink/?LinkID=27540

Additional

Sample Events

The service principal name for the VMRC server could not be registered. Automatic authentication will always use NTLM authentication.

Element properties:

TargetMicrosoft.Virtualization.VirtualServer.2005R2.VMHost
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
VMRC: Service principal name(SPN) could not be registered
{0}
Event LogVirtual Server

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.Virtualization.VirtualServer.2005R2.VMRC_Service_principal_name_SPN_could_not_be_regiestered.rule" Enabled="true" Target="Microsoft.Virtualization.VirtualServer.2005R2.VMHost">

  <Category>AvailabilityHealth</Category>

  <DataSources>

    <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Virtual Server</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>Virtual Server</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventCategory</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>5</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <RegExExpression>

              <ValueExpression>

                <XPathQuery>EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>MatchesMOM2005RegularExpression</Operator>

              <Pattern>^(1031|1032)$</Pattern>

            </RegExExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.Virtualization.VirtualServer.2005R2.VMRC_Service_principal_name_SPN_could_not_be_regiestered_Rule.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>