
Error when restarting the PROD service: "The service account has insufficient privileges to register service principal names in Active Directory."

Problem:

When a PROD service is restarted (for example during an update), the following error message appears: The service account has insufficient privileges to register service principal names in Active Directory.

Cause:

The account that runs the service has insufficient privileges.

Solution:

Adjust the permissions for the account as described in https://msdn.microsoft.com/en-us/library/hh166150(v=nav.90).aspx (SPN), in particular the section “To enable the Microsoft Dynamics NAV Server account to register an SPN on itself”.

Enabling the account to register an SPN on itself

To enable secure mutual authentication between clients and Microsoft Dynamics NAV Server, you must configure the Microsoft Dynamics NAV Server account to self-register Service Principal Names (SPNs). Mutual authentication is recommended in a production environment but may not be necessary in a testing or staging environment. The following procedure assumes a computer running Windows Server 2008 or Windows Server 2008 R2. On Windows 7 or Windows Vista you would need to install the Remote Server Administration Tools first.

To enable the Microsoft Dynamics NAV Server account to register an SPN on itself

  1. Start the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC):
    1. Choose Run on the Start menu, type mmc on the command line, and then choose OK.
    2. When the console opens, select Add/Remove Snap-In from the File menu, select Active Directory Users and Computers, and choose Add. If you do not see Active Directory Users and Computers in the list of available snap-ins, you may need to use Server Manager to install the Active Directory Domain Services role on your server computer.
  2. In MMC, select Active Directory Users and Computers in the tree view and choose Advanced Features from the View menu.
  3. Expand the domain node in the tree view and choose Users.
  4. Right-click the service account, select Properties, and then choose to display the Security tab.
  5. Choose SELF in the Group or user names list.
  6. Under Permissions for SELF, in the lower part of the panel, scroll down to Write public information and select the Allow column.
  7. Choose OK to exit the Properties panel, and close Active Directory Users and Computers.
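
To confirm that the permission from steps 5 and 6 is actually in place on the account, the ACL can be read back with PowerShell. This is an added example, not part of the Microsoft procedure or the original article; it assumes the ActiveDirectory module (RSAT) is installed, and the account name `svc-navserver` is a placeholder.

```powershell
# Added example: report which ACEs let SELF write the SPN on a service account.
Import-Module ActiveDirectory

# Assumption: placeholder name, replace with the NAV Server service account.
$ServiceAccount = 'svc-navserver'

# Schema GUIDs that cover servicePrincipalName
$Scopes = @{
    [guid]'e48d0154-bcf8-11d1-8702-00c04fb96050' = 'Public Information (property set)'
    [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1' = 'servicePrincipalName only'
    [guid]::Empty                                = 'All properties'
}

$user = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Keep ACEs for SELF that include WriteProperty on a scope containing the SPN.
# Deny entries are listed too, because a Deny overrides the Allow set in step 6.
$aces = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    ($_.ActiveDirectoryRights -band $write) -and
    $Scopes.ContainsKey($_.ObjectType)
}

if (-not $aces) {
    Write-Warning "SELF has no write access to servicePrincipalName on $ServiceAccount."
} else {
    $aces | Select-Object AccessControlType,
        @{ Name = 'Scope'; Expression = { $Scopes[$_.ObjectType] } },
        ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize
}

# SPNs currently registered on the account
$user.servicePrincipalName
```

An Allow row with the scope "Public Information (property set)" corresponds to the Write public information check box from step 6.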

  1. Danny Eersteling
