Unable to add a managed host in SCVMM 2008 and SCVMM 2012, Error 2927 (0x8033809d)

Applies to: Microsoft System Center Virtual Machine Manager 2007Microsoft System Center Virtual Machine Manager 2008System Center 2012 Virtual Machine Manager

Source: Microsoft Support

RAPID PUBLISHING


RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.

Symptom


When you add a managed host in System Center Virtual Machine Manager 2008 or System Center 2012 Virtual Machine Manager, it may fail with the following error messages:

From the VMM console:

Error (2927)

A Hardware Management error has occurred trying to contact server %server.

(Unknown error 0x8033809d))


Recommended Actions

Check that WinRM is installed and running on server %server.  For more information use the command "winrm helpmsg hrresult".


The following event may also be logged in the System event log :


Log Name: System 
Source:            Microsoft-Windows-Security-Kerberos

Date:                23/04/2009 2:08:30 PM

Event ID:         4

Task Category:           None

Level:               Error

Keywords:        Classic

User:                N/A
Computer:      %server%.

Description:  The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server %server%. The target name used was HTTP/%server%.. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Cause


This problem occurs because two or more computer accounts have the same service principal name (SPN) registered. Event ID 11 is logged when the Key Distribution Center (KDC) receives a ticket request, and the related SPN exists more than one time when it is checked on the global catalog (GC) for forest wide verification.

Resolution


To resolve this problem, locate the computer or user accounts that have the duplicate SPNs.  When you have located the computers that have the duplicate SPNs, you can delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.


To locate the computer accounts that have the duplicate SPNs, use the following steps :


Method 1

On Windows Server 2008 and above, use setspn -x to automatically detect duplicate SPNs.

On down-level OSes, use:

Method 2

1.  Use the querySpn.vbs script in the following Microsoft TechNet article. To use the script, copy the code, paste it into Notepad, and then save the script as querySpn.vbs.


2.  http://www.microsoft.com/technet/scriptcenter/solutions/spnquery.mspx

3.  Run the script by using the following command:


4.  cscript spnquery.vbs HOST/mycomputer* > c:\check_SPN.txt


5.  Open the check_SPN.txt file in Notepad, and then search for the SPN that is reported in the event log.


6.  Note the user accounts and the computer accounts under which the SPN is located.


7.  Use ADSIedit.msc to remove the duplicate SPN and register on correct object.


DISCLAIMER


MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.


TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.