MBAM Setup fails with “Register SPN Deferred” error message

Symptoms

The Microsoft BitLocker Administration and Monitoring (MBAM) installation operation may fail. Additionally, you may receive the following error message in the MBAM setup log:

MBAMServerCAs!Microsoft.Windows.Mdop.BitlockerManagement.SetupCAs.SPNRegistrar.RegisterSPNDeferred
Attempting to register the following SPN with domain controller: 'nameofdomaincontroller:80'.
Attempting to register the following SPN with domain controller: 'FQDN of Domaincontroller:80'.
ERROR: Could not register SPN with domain server. ERROR: DsWriteAccountSpn failed with error: 8203. Make sure you have sufficient rights to modify SPN on your domain controller.
CustomAction RegisterSPNDeferred returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)

Cause

This problem occurs if the account that is used to install MBAM do not have Write SPN and Validate SPN rights.

Resolution

To resolve this problem, verify that the Domain Controller is available and verify that the account has Write ServicePrincipalName and Write validated SPN permissions to the directory.

Note: You have these rights if you are using a domain administrator account.

To grant the appropriate permissions and the appropriate user rights to the account, follow these steps:
  1. Connect to the Domain Controller.
  2. Click Start, click Run, typeAdsiedit.msc, and then click OK.
  3. In the ADSI Edit window, expand Domain [DomainName], expand DC= RootDomainName, and browse to the computer object of any servers hosting MBAM web components that need the SPN.
  4. Right click the computer object and click Properties.
  5. Click on the Securitytab.
  6. Scroll down and select SELF.
  7. Check if Validated write to service principal namehas allow checkbox checked.
  8. If not then check the Allowcheckbox.
  9. If adding a custom host header on the SPN, check the Allowcheckbox next to Write public information.
  10. Click OK twice, and then close the ADSI Edit window.

More Information

For more information on Setspn command-line tool, visit the following Microsoft Web site:

http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx


Propiedades

Id. de artículo: 2754138 - Última revisión: 27 feb. 2015 - Revisión: 1

Comentarios