Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide reliable access to deleted content from the Microsoft KB. All KB articles are owned by Microsoft Corporation.

The Setspn.exe tool incorrectly adds the dollar sign to the host name when you reset a service principal name in Active Directory in Windows Server 2003


Symptoms

When you run the Setspn.exe -R servername command to reset a service principal name (SPN) for a computer account in the Active Directory directory service, the following results appear at the command prompt:
Registering ServicePrincipalNames for CN=<serverName>,CN=Computers,DC=example,DC=com
        HOST/<serverName>$.EXAMPLE.COM
        HOST/<serverName>$
Updated object
In these results, the Setspn.exe tool incorrectly adds the dollar sign ($) to the host name. The results should appear as follows:
Registering ServicePrincipalNames for CN=<serverName>,CN=Computers,DC=example,DC=com
        HOST/<serverName>.EXAMPLE.COM
        HOST/<serverName>
Updated object
Therefore, the SPN is configured incorrectly.

Note The Setspn.exe tool is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.


Cause

This problem occurs because a function that the Setspn.exe tool uses returns the name of the computer together with a dollar sign ($) character as a single string. The Setspn.exe tool incorrectly writes this string, including the dollar sign, into the host name of the SPN.


Workaround

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

To work around this problem, modify the servicePrincipalName attribute in Active Directory. To do this, follow these steps:
  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.

    Note The ADSI Edit tool is included with the Windows Server 2003 Support Tools.
  2. Connect to a domain controller if ADSI Edit is not already connected to a domain controller.
  3. Expand Domain [domainControllerName.example.com], expand DC=example,DC=com, and then expand CN=Computers.

    Note If the computer for which you want to modify the SPN is located in a different container, modify this path as appropriate.
  4. Right-click CN=serverName, and then click Properties.
  5. On the Attribute Editor tab, click to select both the following check boxes:
    • Show mandatory attributes
    • Show optional attributes
  6. In the Attributes list, click servicePrincipalName, and then click Edit.
  7. In the Multi-valued String Editor dialog box, click HOST/serverName$, and then click Remove. This value appears in the Value to add box.
  8. Modify the entry in the Value to add box to remove the dollar sign ($), and then click Add.

    Note If this entry already appears in the Values list, do not add it.
  9. Click HOST/serverName$.EXAMPLE.COM, and then click Remove. This value appears in the Value to add box.
  10. Modify the entry in the Value to add box to remove the dollar sign ($), and then click Add.

    Note If this entry already appears in the Values list, do not add it.
  11. Click OK two times, and then exit the ADSI Edit tool.
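
The decision logic of steps 7 through 10, as an added PowerShell example that is not part of the original article or of Microsoft's tools: given the current servicePrincipalName values, it lists which entries to remove and which corrected entries to add, skipping any corrected entry that already appears in the list. The function name Get-SpnDollarFix and the sample values are constructed for illustration; the function only computes the plan and does not read or modify Active Directory.

```powershell
# Added example. Get-SpnDollarFix is a hypothetical helper name,
# not a feature of Setspn.exe or ADSI Edit.
function Get-SpnDollarFix {
    param(
        # Current values of the servicePrincipalName attribute
        [Parameter(Mandatory = $true)][string[]]$CurrentSpn
    )

    # HOST/<name>$ or HOST/<name>$.<dns suffix>: the malformed forms shown in Symptoms
    $bad = '^(HOST/[^/.$]+)\$(\..+)?$'

    $remove = @()
    $add    = @()
    # Values that are already correct stay in the list untouched.
    $final  = @($CurrentSpn | Where-Object { $_ -notmatch $bad })

    foreach ($spn in $CurrentSpn) {
        if ($spn -match $bad) {
            # Rebuild the value without the dollar sign (steps 8 and 10).
            $fixed   = $Matches[1] + $Matches[2]
            $remove += $spn
            # "If this entry already appears in the Values list, do not add it."
            # -notcontains compares case-insensitively.
            if ($final -notcontains $fixed) {
                $add   += $fixed
                $final += $fixed
            }
        }
    }

    [pscustomobject]@{ Remove = $remove; Add = $add; Final = $final }
}

# Constructed sample: SRV01 and EXAMPLE.COM are placeholder names.
$sample = @(
    'HOST/SRV01$.EXAMPLE.COM',
    'HOST/SRV01$',
    'HOST/SRV01',                  # correct short name already present
    'TERMSRV/SRV01.EXAMPLE.COM'    # unrelated SPN, left alone
)

$plan = Get-SpnDollarFix -CurrentSpn $sample
'Remove: ' + ($plan.Remove -join ', ')
'Add:    ' + ($plan.Add -join ', ')
'Final:  ' + ($plan.Final -join ', ')
```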


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.


More information

For more information about how to use the Setspn command, visit the following Microsoft Web site:


Keywords: kbtshoot, kbpending, kbbug, kbprb, KB924177

Article Info
Article ID : 924177
Revision : 5
Created on : 5/18/2011
Published on : 5/18/2011
Exists online : False