If you are dealing with SCOM, you know that there is a lot to install and configure before it runs smoothly. One step during the installation process is to configure the SPNs (Service Principal Names) in Active Directory. In fact you need to set SPNs per SCOM management server, and if you are hosting the web console on a dedicated server you also need to set an SPN (and Kerberos constrained delegation) correctly, so that authentication will work properly. But what should the SPNs look like? Well, Kevin Holman (Microsoft) published a while ago an awesome post on how they should look. It will probably answer most of your questions. If not, just drop me a comment 🙂 .
There are different ways to manage SPN settings. The oldest tool is SetSPN.exe, which has been around for a while and can be considered "classic". A more modern way of doing SPN registration is, of course, PowerShell. In terms of SCOM, if you are using a domain account for the System Center Data Access Service, you can use the PowerShell cmdlet Set-ADUser to register the SPNs. It would look like this…
# Register the SDK service SPN for the FQDN and for the NetBIOS name of the management server
# (replace the bracketed placeholders with your own account and server names)
Get-ADUser -Filter 'Name -eq "[DAS Account]"' | Set-ADUser -ServicePrincipalNames @{Add="MSOMSdkSvc/[MgmtServerFQDN]"}
Get-ADUser -Filter 'Name -eq "[DAS Account]"' | Set-ADUser -ServicePrincipalNames @{Add="MSOMSdkSvc/[MgmtServerNetBIOS]"}
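Before adding anything it is worth checking what is already registered on the DAS account and whether one of the SPNs also exists on another account, because a duplicate SPN breaks Kerberos for that service. The following script is an added example (not from the original post or from Kevin Holman's); the account name, server names and DNS suffix are placeholders you replace with your own, and the registration step runs with -WhatIf so it only shows what it would change.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$DasAccount        = 'svc-scom-das'              # placeholder: sAMAccountName of the DAS service account
$ManagementServers = @('scom-ms01', 'scom-ms02') # placeholders: NetBIOS names of the management servers
$DnsSuffix         = 'corp.example.com'          # placeholder: your AD DNS domain

# Build the SPN set described in the post: one FQDN and one NetBIOS entry per management server.
function Get-ExpectedScomSpn {
    param([string[]]$Servers, [string]$Suffix)
    foreach ($s in $Servers) {
        "MSOMSdkSvc/$s.$Suffix"
        "MSOMSdkSvc/$s"
    }
}

# Compare the SPNs registered on the account with the expected set.
# "Extra" entries are not necessarily wrong (other SCOM servers, other services); review them by hand.
function Test-ScomSpn {
    param([string]$Account, [string[]]$Expected)
    $user    = Get-ADUser -Identity $Account -Properties servicePrincipalName
    $current = @($user.servicePrincipalName)
    [pscustomobject]@{
        Missing = @($Expected | Where-Object { $_ -notin $current })
        Extra   = @($current  | Where-Object { $_ -notin $Expected })
    }
}

# An SPN that is registered on more than one AD object makes the KDC unable to pick a key,
# so look across the whole directory before registering anything.
function Find-DuplicateSpn {
    param([string[]]$Spns)
    foreach ($spn in $Spns) {
        $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties servicePrincipalName)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Spn = $spn; Owners = ($owners.DistinguishedName -join '; ') }
        }
    }
}

$expected = Get-ExpectedScomSpn -Servers $ManagementServers -Suffix $DnsSuffix
Find-DuplicateSpn -Spns $expected | Format-Table -AutoSize

$report = Test-ScomSpn -Account $DasAccount -Expected $expected
$report | Format-List

# Register only the missing SPNs; remove -WhatIf once the output looks right.
foreach ($spn in $report.Missing) {
    Set-ADUser -Identity $DasAccount -ServicePrincipalNames @{Add = $spn} -WhatIf
}
```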
But if you are more into GUIs, or you need to troubleshoot quickly, it might be faster to use the Active Directory Users and Computers console. You need to turn on Advanced Features…
…then open the Attribute Editor on your System Center Data Access account and select the servicePrincipalName property…
There you have a quick and nice overview of what has been configured on your service account. In addition you are able to add SPNs and remove obsolete ones. Hope this helps :).