RAPID PUBLISHING ARTICLES PROVIDE INFORMATION DIRECTLY FROM WITHIN THE MICROSOFT SUPPORT ORGANIZATION. THE INFORMATION CONTAINED HEREIN IS CREATED IN RESPONSE TO EMERGING OR UNIQUE TOPICS, OR IS INTENDED SUPPLEMENT OTHER KNOWLEDGE BASE INFORMATION.
When you add a managed host in System Center Virtual Machine Manager 2008 or System Center 2012 Virtual Machine Manager, it may fail with the following error messages:
From the VMM console:
Error (2927) A Hardware Management error has occurred trying to contact server %server. (Unknown error 0x8033809d))
Recommended Actions Check that WinRM is installed and running on server %server. For more information use the command "winrm helpmsg hrresult".
The following event may also be logged in the System event log :
Log Name: System Source: Microsoft-Windows-Security-Kerberos Date: 23/04/2009 2:08:30 PM Event ID: 4 Task Category: None Level: Error Keywords: Classic User: N/A Computer: %server%. Description: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server %server%. The target name used was HTTP/%server%.. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN.COM) is different from the client domain (DOMAIN.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
This problem occurs because two or more computer accounts have the same service principal name (SPN) registered. Event ID 11 is logged when the Key Distribution Center (KDC) receives a ticket request, and the related SPN exists more than one time when it is checked on the global catalog (GC) for forest wide verification.
To resolve this problem, locate the computer or user accounts that have the duplicate SPNs. When you have located the computers that have the duplicate SPNs, you can delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.
To locate the computer accounts that have the duplicate SPNs, use the following steps :
On Windows Server 2008 and above, use setspn -x to automatically detect duplicate SPNs.
On down-level OSes, use:
1. Use the querySpn.vbs script in the following Microsoft TechNet article. To use the script, copy the code, paste it into Notepad, and then save the script as querySpn.vbs.
5. Open the check_SPN.txt file in Notepad, and then search for the SPN that is reported in the event log.
6. Note the user accounts and the computer accounts under which the SPN is located.
7. Use ADSIedit.msc to remove the duplicate SPN and register on correct object.
MICROSOFT AND/OR ITS SUPPLIERS MAKE NO REPRESENTATIONS OR WARRANTIES ABOUT THE SUITABILITY, RELIABILITY OR ACCURACY OF THE INFORMATION CONTAINED IN THE DOCUMENTS AND RELATED GRAPHICS PUBLISHED ON THIS WEBSITE (THE “MATERIALS”) FOR ANY PURPOSE. THE MATERIALS MAY INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS AND MAY BE REVISED AT ANY TIME WITHOUT NOTICE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT AND/OR ITS SUPPLIERS DISCLAIM AND EXCLUDE ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING BUT NOT LIMITED TO REPRESENTATIONS, WARRANTIES, OR CONDITIONS OF TITLE, NON INFRINGEMENT, SATISFACTORY CONDITION OR QUALITY, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE MATERIALS.