SCOM: Data Access SPN Not Registered

Standard

I was rebuilding my System Center Operations Manager 2012 R2 Lab environment and when finished installing my System Center Operations Manager Environment it was giving me the critical alert. “Data Access Service SPN Not Registered

Alert Data Access Service SPN Not Registered

The reason I get this error is that I deployed my System Center Operations Manager Environment using a standard Domain User account for the System Center Data Access Service. By default a Domain User doesn’t have the right to update its own Service Principle Name (SPN).

When looking into the blog post off Kevin Holman you can read that it’s a Bug in the System Center Operations Manager 2012 r2 software. You can find the blog post here 

Before I go into explaining the solution Let me explain what Service Principle Name (SPN) is.

Kerberos defines two different types of accounts (Principals). The two different names given to these types of accounts are User Principle Name (UPN) and Service Principle Name (SPN).

User Principal Name are defined on user accounts. When looking at the properties of a user account on the account tab, the UPN is combined between two fields listed under the User Logon Name.
User Principel Name A User Principal Name (UPN) must be unique across the entire Active Directory Forest otherwise the Key Distribution Center (KDC) goes looking up a user account using the UPN, it will get back more than one account and causes authentication failures for all user accounts that have the same UPN. The UPN of an Active Directory Object is an attribute of the object and can only hold a single value.  The attribute name is userPrinicipalName and can be found when opening the properties off a user account and going to the Attribute Editor tab

User Principel Name

Service Principal Names must also be unique across the entire Active Directory Forest and can be assigned to User Accounts and Computer Accounts. Computer Accounts automatically have the Service Principal Names Defined. Service Principal Names define what services run under the accounts security context. The SPN of a Active Directory Object is an attribute of the object and can hold multiple values. The attribute name is servicePrincipalName and can be found when opening the properties off a computer account and going to the Attribute Editor Tab

Service Principal NameIf you want more information on User Principal Names and Service Principal Names please take a look at Rob Greene blog which can be found here

Now that we know a little bit more about Service Principal Names time to solve the above mentioned error.

  • Start “Active Directory Users And Computers
  • Browse to the location where the computer Object is located
  • Right Click on the “Computer Object” and click “Properties

    Active Directory Users And Computers

  • On the “Properties” page, select the “Attribute Editor
  • Double click the attribute “servicePrinicipalName
  • In the “Multi-valued String Editor” screen enter “MSOMSdkSvc/DevMS02” and click “Add

    Active Directory Users And Computers 

  • In the “Multi-Valued String Editor” screen enter “MSOMSdkSvc/DevMS02.dev.ms-opsmgr.eu” and click “Add” and “OK
  • On the Properties Page Click “Apply” and “OK

When the above mentioned entries are entered the Alert is being resolved.