Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

MBAM Setup fails with “Register SPN Deferred” error message



Symptoms

The Microsoft BitLocker Administration and Monitoring (MBAM) installation operation may fail. Additionally, you may receive the following error message in the MBAM setup log:

MBAMServerCAs!Microsoft.Windows.Mdop.BitlockerManagement.SetupCAs.SPNRegistrar.RegisterSPNDeferred
Attempting to register the following SPN with domain controller: 'nameofdomaincontroller:80'.
Attempting to register the following SPN with domain controller: 'FQDN of Domaincontroller:80'.
ERROR: Could not register SPN with domain server. ERROR: DsWriteAccountSpn failed with error: 8203. Make sure you have sufficient rights to modify SPN on your domain controller.
CustomAction RegisterSPNDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)



Cause

This problem occurs if the account that is used to install MBAM does not have Write SPN and Validate SPN rights.



Resolution

To resolve this problem, verify that the Domain Controller is available and verify that the account has Write ServicePrincipalName and Write validated SPN permissions to the directory.

Note: You have these rights if you are using a domain administrator account.

To grant the appropriate permissions and the appropriate user rights to the account, follow these steps:
  1. Connect to the Domain Controller.
  2. Click Start, click Run, type Adsiedit.msc, and then click OK.
  3. In the ADSI Edit window, expand Domain [DomainName], expand DC=RootDomainName, and browse to the computer object of any servers hosting MBAM web components that need the SPN.
  4. Right-click the computer object and click Properties.
  5. Click the Security tab.
  6. Scroll down and select SELF.
  7. Check whether Validated write to service principal name has the Allow check box selected.
  8. If not, select the Allow check box.
  9. If adding a custom host header on the SPN, select the Allow check box next to Write public information.
  10. Click OK twice, and then close the ADSI Edit window.
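
The following PowerShell sketch is an added example, not part of the original KB article: it checks a computer object's ACL for the two SELF permissions set in steps 6 through 9. The helper name `Test-SelfRight` is hypothetical, the sample ACE is constructed, and the GUIDs are the standard Active Directory schema identifiers for the validated SPN write and the Public-Information property set, which the article does not list.

```powershell
# Added example (not from the KB article): checks an ACL for the SELF permissions in steps 6-9.
Add-Type -AssemblyName System.DirectoryServices

$ValidatedSpn = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$PublicInfo   = [guid]'e48d0154-bcf8-11d1-8702-00c04fb96050'  # Public-Information property set
$SelfSid      = 'S-1-5-10'                                     # NT AUTHORITY\SELF

function Test-SelfRight {   # hypothetical helper name
    param($Ace, [System.DirectoryServices.ActiveDirectoryRights]$Right, [guid]$ObjectType)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $match = @($Ace | Where-Object {
        $_.IdentityReference.Translate($sidType).Value -eq $SelfSid -and
        ($_.ActiveDirectoryRights -band $Right) -eq $Right -and
        # An empty ObjectType GUID means the ACE covers every property or validated write.
        ($_.ObjectType -eq $ObjectType -or $_.ObjectType -eq [guid]::Empty)
    })
    # Conservative simplification: any matching Deny ACE is treated as blocking the right.
    $denied  = @($match | Where-Object AccessControlType -eq 'Deny').Count -gt 0
    $allowed = @($match | Where-Object AccessControlType -eq 'Allow').Count -gt 0
    return ($allowed -and -not $denied)
}

# Constructed sample ACL: SELF holds the validated SPN write but not Write public information.
$self   = [System.Security.Principal.SecurityIdentifier]::new($SelfSid)
$sample = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ValidatedSpn)
)

# For a live check, replace $sample with @((Get-Acl "AD:\<computer object DN>").Access).
# This assumes the ActiveDirectory module is imported, which provides the AD: drive.
[pscustomobject]@{
    ValidatedWriteSpn      = Test-SelfRight $sample 'Self' $ValidatedSpn
    WritePublicInformation = Test-SelfRight $sample 'WriteProperty' $PublicInfo
}
```

Running the check against each server that hosts MBAM web components before setup shows whether the SPN registration step will have the rights it needs.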



More Information

For more information about the Setspn command-line tool, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx




Keywords: kbtshoot, kb


Article Info
Article ID : 2754138
Revision : 1
Created on : 1/7/2017
Published on : 2/27/2015
Exists online : False
Views : 598