Wildcards in principal names

I need to be able to use wildcards in some principal names in the policy file.
I tried to solve it with the equals() method in my Principal class, but it does not work. Where are the principal names (values) in the policy file compared to the names of the principals of the same type in the subject?
I see two possible solutions, but I would prefer another solution. What do you think? These are my solutions:
1) Let my principal class implement com.sun.security.auth.PrincipalComparator in addition to java.security.Principal.
2) Somehow solve it with the implies() method in the Permission classes. (How?)
Please help!

The comparison is done inside the sun.security.provider.PolicyFile implementation (the default implementation of java.security.Policy).
PolicyFile calls Principal.getClass().getName() along with Principal.getName(), and then compares those values to the class name and principal name listed in the policy file. Note that these are simply String comparisons (they are not done using Principal.equals).
That means you are left with the following choices. You can implement PrincipalComparator, as you mentioned, or you can extend and replace the PolicyFile implementation.
Alternatively, there is one obscure feature in PolicyFile that is not well documented. It supports a minimal amount of wildcarding. Specifically:
grant Principal com.foo.Principal * {
grant Principal * * {
If the principal class is wildcarded, then the principal name must also be wildcarded (this is the second example above). Unfortunately this may not give you the level of wildcarding that you desire.
If the permissions you want to grant are all custom permissions (you have control over the implementation), then it may be possible to design them in a way to achieve what you want. Look at javax.security.auth.PrivateCredentialPermission. That permission encapsulates principals inside of its target name. You would have to design your custom permission class to have a similar syntax, and then the implies method could perform the correct logic for principal name wildcarding.
In this particular case, since the policy file grant statement does not contain principal information (see the example in the PrivateCredentialPermission javadocs), the String comparison that I described above does not occur. Instead, Permission.implies is called, and you have control over that behavior.
Hope that helps.
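Option (1) from the reply above, worked through as an added example that is not code from the original thread: a Principal that also implements com.sun.security.auth.PrincipalComparator, so that PolicyFile constructs it from the quoted name in the grant entry and asks implies(Subject) instead of comparing the strings itself. Only '*' is a wildcard, and the pattern always comes from the policy file while the Subject's principals are matched by their literal names, so a principal whose own name contains '*' cannot widen a grant. The class name com.example.WildcardPrincipal and the sample principal names are constructed.

```java
package com.example;

import java.security.Principal;
import java.util.regex.Pattern;
import javax.security.auth.Subject;
import com.sun.security.auth.PrincipalComparator;

/**
 * Principal usable in a policy file with a wildcarded name, e.g.
 *   grant Principal com.example.WildcardPrincipal "admin-*" { ... };
 * PolicyFile notices that the class implements PrincipalComparator, builds an
 * instance from the quoted name through the public (String) constructor and
 * calls implies(subject) instead of comparing class name and name as Strings.
 */
public final class WildcardPrincipal implements Principal, PrincipalComparator {
    private final String name;
    private final Pattern pattern; // null when the name contains no '*'

    public WildcardPrincipal(String name) {
        if (name == null) throw new NullPointerException("name");
        this.name = name;
        this.pattern = name.indexOf('*') >= 0 ? toPattern(name) : null;
    }

    @Override public String getName() { return name; }

    /** The grant applies if any WildcardPrincipal in the Subject matches this name/pattern. */
    @Override
    public boolean implies(Subject subject) {
        if (subject == null) return false;
        for (WildcardPrincipal p : subject.getPrincipals(WildcardPrincipal.class)) {
            if (matches(p.getName())) return true;
        }
        return false;
    }

    /** Exact comparison for a plain name; glob match when this name holds a '*'. */
    boolean matches(String candidate) {
        return pattern == null ? name.equals(candidate) : pattern.matcher(candidate).matches();
    }

    /** Only '*' is a wildcard; every other character ("CN=app,O=corp") is quoted so
     *  regex metacharacters that occur in real principal names are matched literally. */
    private static Pattern toPattern(String glob) {
        StringBuilder sb = new StringBuilder();
        for (String literal : glob.split("\\*", -1)) {
            if (!literal.isEmpty()) sb.append(Pattern.quote(literal));
            sb.append(".*");
        }
        sb.setLength(sb.length() - 2); // the loop appends one ".*" too many
        return Pattern.compile(sb.toString(), Pattern.DOTALL);
    }

    // Subject keeps principals in a Set, so equality must be by name only.
    @Override public boolean equals(Object o) {
        return o instanceof WildcardPrincipal && name.equals(((WildcardPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
    @Override public String toString() { return "WildcardPrincipal[" + name + "]"; }

    // Stand-alone check with a constructed Subject (no LoginModule or policy file needed).
    // In a real deployment a LoginModule adds the concrete principals to the Subject.
    public static void main(String[] args) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new WildcardPrincipal("admin-alice"));
        subject.getPrincipals().add(new WildcardPrincipal("CN=app,O=corp"));
        // Each entry plays the role of the quoted name in a grant statement.
        for (String grantName : new String[] {"admin-*", "admin-alice", "CN=*,O=corp", "guest-*", "CN=a.p,O=*"}) {
            System.out.println(grantName + " -> " + new WildcardPrincipal(grantName).implies(subject));
        }
    }
}
```

The last pattern, "CN=a.p,O=*", shows why the non-wildcard parts are quoted: the '.' is a literal character, not "any character", so it does not match "CN=app,O=corp".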

Similar Messages

  • Limitation on principal name length due to propagation?

    Is there a limitation on the java.security.Principal name length due to the underlying
    implementation of the security context propagation, even though it is a java.lang.String?
    Thanks,
    Guillaume Bedard

  • Authentication failed. (Microsoft.AnalysisServices.AdomdClient). The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)

    Hi Experts,
    We had a task to migrate all the SQL Server components to another server. The migration went well and had no issues at all, and we can log in to the SSAS service locally without any issues. When we are connecting to Analysis Services from the other machines (servers)
    it is giving the below error.
    Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
    The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
    1) it is a stand alone server
    2) it is connecting to default instance but not to a named instance
    3) SPN's were set correctly. Double checked with the tool(MS Kerberos configuration Tool).
    4) The SQL server analysis start account has domain admin privileges.
    5) we can connect to Database services from the other machine remotely.
    6) none of the analysis services are  connecting.
    Thank you in advance.

    Hi Ramu,
    According to your description, you migrated SQL Server to another server, everything works fine except that cannot connect to SSAS remotely with the error, right?
    Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
    The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
    Based on my research, this issue is caused by the SPN for the account that runs Analysis Services being corrupt. You said that the SPNs were set correctly; however, the error message indicates that the problem is related to the SPN. So in your scenario, you can
    delete the SPN under the service account and register the SPN for the Analysis Services instance. Please refer to the link below to see the details.
    http://msdn.microsoft.com/en-IN/library/dn194200.aspx
    Besides, here is a blog which describes a similar issue.
    http://www.wolfsoftwaresystems.com/code/sql/the-target-principal-name-is-incorrect-microsoft-analysisservices-adomdclient/
    Regards,
    Charlie Liao
    TechNet Community Support

  • I need a Microsoft document that says "sqlservr.exe" can register setspn (Service Principal Name)

    On all of my SQL Server instances, I can find SQL server error logs that have the same 3 entries below, so while I already know it can, I need a Microsoft document that says "sqlservr.exe" can so I can convince the network guys to grant the service
    account for SQL "Write servicePrincipalName: Allow" in AD.
    63           2014-06-26 20:24:02.980                Server   The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:1433
    ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
    is required by authentication policies and if the SPN has not been manually registered.
    61           2014-06-26 20:24:02.970                Server   The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:DW
    ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
    is required by authentication policies and if the SPN has not been manually registered.
    38           2014-06-26 20:24:02.840                Server   SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not
    be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
    Duane Lawrence

    Refer the below article
    http://blogs.msdn.com/b/psssql/archive/2010/03/09/what-spn-do-i-use-and-how-does-it-get-there.aspx
    Automatic SPN Registration
    When an instance of the SQL Server Database Engine starts, SQL Server tries to register the SPN for the SQL Server service. When the instance is stopped, SQL Server tries to unregister the SPN. For a TCP/IP connection the SPN is registered in the format MSSQLSvc/<FQDN>:<tcpport>. Both
    named instances and the default instance are registered as MSSQLSvc, relying on the <tcpport> value to differentiate the instances.
    --Prashanth

  • Principal Name for Active Directory "Domain Users"

    Hi,
    I successfully integrated WebLogic & Active Directory Kerberos (SSO). I tested a web application and successfully logged in to it with authentication.
    The system automatically recognized my Active Directory username. It worked.
    For authentication in my weblogic.xml I used
    <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    </security-role-assignment>
    Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
    For this purpose, I removed "kursat" and "fenerbahce" from my weblogic.xml
    <principal-name>kursat</principal-name>
    <principal-name>fenerbahce</principal-name>
    I added
    <principal-name>Domain Users</principal-name>
    instead of writing all domain users.
    However, I couldn't authenticate. I got "Error 403--Forbidden".
    Is there anyone who can help me?

    Test by creating a group under Domain Users and use it as your principal name in your weblogic.xml.
    -Faisal
    http://www.weblogic-wonders.com

  • InitialLdapContext can not be create with chinese principal name

    We use JNDI to search a Domino 7 directory. It works well when the principal name contains only ASCII characters, but it fails when Chinese characters are used in the principal name.
    This issue does not occur when the same application is used to search Active Directory.
    Can you please tell me what's wrong in my application?
    Thanks very much for your help!

    Of course the problem does not arise with Active Directory :-) We're DBCS friendly !
    Not wanting to help the opposition, I couldn't help but perform a search. Perhaps this is related to your problem: http://publib.boulder.ibm.com/infocenter/wasinfo/v4r0/index.jsp?topic=/com.ibm.support.was.doc/html/APARs/PQ61389.html

  • Use principal name for email if blank in Active Directory

    Hi all,
    Although I set "Use principal name for email if blank in Active Directory", Spiceworks asks me for an email address when I want to log in to the Portal with an AD user without an email address.
    This topic first appeared in the Spiceworks Community

    Hi,
    What if we change the user name of user account, will it have impact on roaming profiles.
    Yes, it will affect roaming profiles. Please rename the roaming profile folder as the new user account name, in addition, change the profile path in ADUC.
    Here is a related article for you:
    How to Rename a Windows 7 User Account and Related Profile Folder
    http://social.technet.microsoft.com/wiki/contents/articles/19834.how-to-rename-a-windows-7-user-account-and-related-profile-folder.aspx
    Best Regards,
    Amy

  • principal-name as a group or role

    I can successfully restrict access to a servlet using declarative security
    but is there any way to use a <principal-name> in weblogic.xml that is a
    group or a role name?
    Hard coding specific user names is hardly useful in a web application where
    people can programmatically become new users
    Thanks for your help

    Yes, you can use groups as principals in weblogic.xml. Permissions are then
    managed through the user-group relationship.
    "Leonard Pham" <[email protected]> wrote in message
    news:3b657f8a$[email protected]..
    >
    > Let's say I define security constraints in the web.xml file for my web application
    > using the security-constraint, auth-constraint, and security-role tags. Does this
    > mean that in order to add a new user I must modify weblogic.xml and specify a
    > new security-role-assignment? Can I specify a group name as a principal, or is
    > there a way to programmatically add new users? Any help would be greatly appreciated.
    > Thank you.

  • SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated

    We are getting this below alert message, while using SCOM 2012 R2.  Anybody have any idea how to resolve this on the SQL box ?
    Thx...
    SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
    Service Account: NT Service\MSSQL$SQLEXPRESS
    Missing SPNs:
    Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
    Duplicate SPNs:

    To fix this issue, you can check the links below:
    http://support.microsoft.com/kb/2443457/EN-US
    http://www.scomgod.com/?p=155
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer".
    Mai Ali | My blog: Technical | Twitter: Mai Ali

  • AD Replication error 5: Access is denied or 2146893022: target principal name is incorrect

    Hello,
    I have DC1 (FSMO role holder) and DC2 which were replicating. I ran Windows Update on DC1 and rebooted, which it had not done in months. When it came back up I could run repadmin /showrepl successfully on DC1. However, when running on
    DC2 I get the "2146893022: target principal name is incorrect" message.
    I understand you can run the "netdom resetpwd /s:server /ud:mydomain\administrator /pd:*" command but I am unsure:
    1. Where would I run this command?
    2. Which server goes in the "/s:server"? Would it be DC1 or DC2?

    How would this look with the information below and what DC would I run it from?
    netdom resetpwd /s:server /ud:domain\User /pd:*
     Source DC FF-INFRA1 was requested for a manual security error check.
     Diagnosing...
              Authoritative attribute pwdLastSet on FF-INFRA1 (writeable)
                 usnLocalChange = 5860902
                 LastOriginatingDsa = FF-INFRA1
                 usnOriginatingChange = 5860902
                 timeLastOriginatingChange = 2014-12-08 20:44:05
                 VersionLastOriginatingChange = 12
              Out-of-date attribute pwdLastSet on SERVER2 (writeable)
                 usnLocalChange = 8992092
                 LastOriginatingDsa = FF-INFRA1
                 usnOriginatingChange = 5163496
                 timeLastOriginatingChange = 2014-11-08 15:43:39
                 VersionLastOriginatingChange = 11
           Unable to verify the convergence of this machine account
           (CN=FF-INFRA1,OU=Domain Controllers,DC=COPHT,DC=local) on these
           DC's (DC=COPHT,DC=local,☺).  Does the machine account password
           need resetting? Are the SPN's in sync?
           [FF-INFRA1] Unable to diagnose problem for this source.  See any
           errors reported in attempting tests.
        Authoritative attribute pwdLastSet on FF-INFRA1 (writeable)
           usnLocalChange = 5860902
           LastOriginatingDsa = FF-INFRA1
           usnOriginatingChange = 5860902
           timeLastOriginatingChange = 2014-12-08 20:44:05
           VersionLastOriginatingChange = 12
        Out-of-date attribute pwdLastSet on SERVER2 (writeable)
           usnLocalChange = 8992092
           LastOriginatingDsa = FF-INFRA1
           usnOriginatingChange = 5163496
           timeLastOriginatingChange = 2014-11-08 15:43:39
           VersionLastOriginatingChange = 11
     Unable to verify the convergence of this machine account
     (CN=FF-INFRA1,OU=Domain Controllers,DC=COPHT,DC=local) on these DC's
     (DC=COPHT,DC=local,☺).  Does the machine account password need
     resetting?
     ......................... FF-INFRA1 failed test CheckSecurityError

  • Service principal names of user are not unique; check the active directory

    Hello Experts,
    My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using the SPNEGO wizard. The format of the service account is not the same as SAP recommends (J2EE-SID-DOMAIN) but something like abc_de_portal. After trying to use that account with the wizard I am getting this error: "Service principal names of user abc_de_portal are not unique; check the active directory configuration." I am not sure what else in the AD attributes is causing the problem. Please let me know if you have run into a similar issue and how you corrected it. Points will be rewarded of course.
    Thank you so much for any help that I can get.

    Hello Duy,
    The SPN of the service user for Kerberos has to be unique, as you would have made out from the message. There seems to be
    some other user having the same SPN as yours.
    You would have to find the other AD user with the same SPN as yours and then deregister it with
    setspn -d <SPN> Username
    Then this error should not come up after that.
    There is a tool called Ldifde which you can use for this. We have our AD team do this for us. It would be better if you ask them to carry this out.
    Rgds

  • Principal name character set restriction ?

    In weblogic.xml, principal-name is of type PCDATA in WebLogic 8.x and earlier, but is of type NMTOKEN in WebLogic 9.0 and later.
    So a principal-name value like "id=manager,dc=pg&e,dc=com" works in 8.x but doesn't work in 9.x due to the '=', ',' and '&'.
    (when you deploy your application with the above in weblogic.xml, the Weblogic 9.x will complain the value is not conformant to NMTOKEN type)
    How to deal with this ?
    Should there be some kind of backward compatibility here ?
    If not, what is the best way to convert the value to NMTOKEN type that'll be accepted by 9.x.
    Thanks for any hints.

    I am facing a very similar problem too. I had the principal name as DEFAULT ADMIN in WLS 8.x and it worked, and it complains about not conforming to the NMTOKEN type in WLS 9.1. Looks like NMTOKEN does not support white space. I have to make DEFAULT ADMIN a single word to get it working on WLS 9.1. Do let me know if there is another alternative for this.

  • Service principal names of user j2ee- SID are not unique

    Hi everyone,
    I am trying to configure SPNego, following the guide Configuring and troubleshooting SPNego -- Part 1,
    but I'm getting an error that I have not been able to solve.
    Here are pictures of the progress so far:
    [step 1|http://imageshack.us/photo/my-images/807/59238690.jpg/]
    [Step 2|http://imageshack.us/photo/my-images/804/55731867.jpg/]
    [Step 3|http://imageshack.us/photo/my-images/27/73007146.jpg/]
    I tested the following and it has not worked:
    http://help.sap.com/saphelp_em70/helpdata/en/45/59b55b943909cae10000000a114a6b/content.htm
    thanks
    Manuel

    Hi, Manuel!
    Check these threads for solution:
    Service principal names of user are not unique; check the active directory
    Service Principal Names of Users j2ee-MDS-tcsm3 not in unique-Check ADC
    Regards, Mikhail.

  • Target principal name is incorrect - cannot generate SSPI context

    First off, yes, I've looked at numerous articles on this subject and haven't yet found someone with a similar situation and none of the resolutions I've found seem applicable.
    My situation:  Server 2008R2 Enterprise with SQL 2012 Standard.  I have two instances running on this server, DEV and TEST.  I do not have a default (unnamed) instance.  This is one of the differences between my situation and every other
    article I've looked at. I AM able to connect remotely to the DEV instance, but the TEST instance gives me the SSPI error. To take it a step further, the SQL services aren't running under domain credentials; they're running under local credentials.
    These two issues don't match anything I've found on the subject so far.
    I ran "setspn -L" against the server's machine account (since the SQL services are local, not domain) and here's what I got:
    MSSQLSvc/[server FQDN]:49592
    MSSQLSvc/[server FQDN]:TEST
    MSSQLSvc/[server FQDN]:49487
    MSSQLSvc/[server FQDN]:DEV
    WSMAN/[server]
    WSMAN/[server FQDN]
    TERMSERV/[server FQDN]
    TERMSERV/[server]
    RestrictedKrbHost/[server]
    HOST/[server]
    RestrictedKrbHost/[server FQDN]
    HOST/[server FQDN]
    The server is of course a domain member, and we only have a single domain, so there's no cross-domain/forest stuff going on.
    Remotely, SA authentication works against both instances.  Locally, both SA and Windows authentication work against both instances.  Remotely, Windows authentication works against the DEV instance, but not against the TEST instance, returning the
    error "The target principal name is incorrect.  Cannot generate SSPI context."
    Both databases have identical settings in the SQL Config Mgr (Shared Memory and TCP/IP enabled). Both instances are set to allow remote logon.
    The security for the various services:
    SQL Server (DEV) = NT Service\MSSQL$DEV
    SQL Server (TEST) = NT Service\MSSQL$TEST
    SQL Server Agent (DEV) = NT Service\SQLAgent$DEV
    SQL Server Agent (TEST) = NT Service\SQLAgent$TEST
    SQL Server Browser = Local Service
    On both instances, the query "exec xp_readerrorlog 0,1,'could not register the Service Principal Name',Null" comes back with two entries from when the system was installed, saying it was unable to register the SPN.  That makes sense, because
    SQL isn't running with domain credentials, although the SPNs ARE apparently in AD (see above).
    On both instances, the query "select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid" returns the same thing - "shared memory", "NTLM".  Basically, I can find no configuration difference
    between the two instances.
    Anyone got any ideas?

    Hi Todd,
    According to your description, we need to make sure the typed server name is right, and verify that your Windows account is valid when you connect to the test instance remotely using Windows authentication. You can refer to the following steps for checking
    the login name.
    1. Log in to the test instance remotely using sa authentication.
    2. Enter Security and check whether the Windows account is valid.
    In addition, there are more details about how to troubleshoot the "Cannot generate SSPI context" error message in the article below, which you can review.
    http://support.microsoft.com/kb/811889
    Thanks,
    Sofiya Li
    TechNet Community Support

  • Demote Server and Remove AD DS Role fails with "the target principal name is incorrect"

    Hi all, 
    I am attempting to demote a domain controller so I can remove the AD DS role and have the server be just its own workstation.
    This domain controller has never replicated the domain and DS services were/are not working. We didn't discover this until the other domain controller died and has since been rebuilt with a brand new domain. The old domain no longer exists whatsoever.
    So as said, I'm trying to demote this server; there is no domain to tidy up afterwards. However, even with the force removal option I'm getting the DFS Replication error: "the target principal name is incorrect". I do not exactly require
    it to do this myself; there is nothing to replicate anymore, I just need the DC demoted or the role completely removed. There are no other DCs to transfer FSMOs to or anything like that as it's to be completely stand-alone.
    Does anyone have any ideas how this role can be forcibly removed other than using the "force removal option" in the AD DS config wizard?
    Any help will be gratefully appreciated.
    Thanks in advance
    Phill

    Hi Phill,
    You can try to use Ntdsutil.exe to perform metadata cleanup.
    If this doesn’t work, then I agree with Ed that you would need to reinstall the machine.
    More information for you:
    Clean Up Server Metadata
    http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx#bkmk_commandline
    Best Regards,
    Amy
