When you try to configure constrained delegation on a computer that is running Microsoft Windows Server 2003, the service principal name (SPN) does not appear in the list of services that can be delegated to an account.
This problem occurs because the Add Services dialog box requires that the service principal name is validated before it is displayed to the administrator. However, the validation process is unsuccessful when a service principal name uses a name string as an instance identifier.
Note A name string may be used to identify a unique application instance or a unique service instance among multiple instances that are running on the server.
Service principal names that use a port number are not affected.
To work around this problem, manually edit the msDS-AllowedToDelegateTo attribute in the Active Directory directory service to specify the service principal name.
For example, consider the following scenario:
- You install Microsoft SQL Server 2005 Analysis Services (also known as online analytical processing, or OLAP) on a server that is named olapsrv.fabrikam.com.
- The service account under which OLAP runs on the server is FABRIKAM\OlapAdmin.
- The service principal name that is registered to this service account is MSOLAPSvc.3/olapsrv.fabrikam.com:analyze.
- This service principal name refers to an instance of SQL Server 2005 Analysis Services that is named analysis.
- The application that uses SQL Server 2005 Analysis Services runs on a Windows Server 2003 R2-based server that is named appsrv.fabrikam.com. The application is installed as a Windows service and runs as a Local System account.
In this scenario, you would follow these steps to use SQL Server 2005 Analysis Services on the olapsrv.fabrikam.com
If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.
Note ADSI Edit is part of the Windows Server 2003 Support Tools package. To install this package, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
- Locate the computer object for the appsrv.fabrikam.com server.
- Right-click the computer object, and then click Properties.
- Click the Attribute Editor tab, and then double-click msDS-AllowedToDelegateTo in the Attributes list.
- In the Value to add box, type MSOLAPSvc.3/olapsrv.fabrikam.com:analyze, click Add, and then click OK two times.
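The steps above add one value by hand. As an added example that is not part of this article, the following Python script parses service principal names in the service/host[:port|name][/servicename] form, flags the ones whose instance identifier is a name string rather than a port (the case the Add Services dialog fails to validate), and writes an LDIF modify entry that ldifde -i -f can import to add those values to msDS-AllowedToDelegateTo. The computer object DN and the second SPN in the sample list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Spn:
    service_class: str           # e.g. MSOLAPSvc.3
    host: str                    # e.g. olapsrv.fabrikam.com
    instance: Optional[str]      # text after ':' (port number or name string)
    service_name: Optional[str]  # optional trailing /servicename component

    @property
    def uses_name_string(self) -> bool:
        # A numeric instance is a port; anything else is a name string,
        # which the Add Services dialog cannot validate.
        return self.instance is not None and not self.instance.isdigit()


SPN_RE = re.compile(r"([^/]+)/([^/:]+)(?::([^/]+))?(?:/(.+))?")


def parse_spn(spn: str) -> Spn:
    """Split an SPN into class, host, instance identifier and service name."""
    m = SPN_RE.fullmatch(spn)
    if not m:
        raise ValueError(f"not a valid SPN: {spn!r}")
    return Spn(*m.groups())


def needs_manual_workaround(spn: str) -> bool:
    """True when the SPN must be added via msDS-AllowedToDelegateTo directly."""
    return parse_spn(spn).uses_name_string


def build_ldif(computer_dn: str, spns: Iterable[str]) -> str:
    """LDIF 'modify' entry; 'add' appends values and keeps existing ones."""
    lines = [f"dn: {computer_dn}", "changetype: modify",
             "add: msDS-AllowedToDelegateTo"]
    lines += [f"msDS-AllowedToDelegateTo: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the SPN from the article plus an assumed port-style one.
    candidates = ["MSOLAPSvc.3/olapsrv.fabrikam.com:analyze",
                  "MSSQLSvc/olapsrv.fabrikam.com:1433"]
    manual = [s for s in candidates if needs_manual_workaround(s)]
    # Assumed DN for the appsrv.fabrikam.com computer object.
    print(build_ldif("CN=APPSRV,CN=Computers,DC=fabrikam,DC=com", manual))
```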
Service principal names have one of the following formats.
In this format, Service specifies the application or the service that is associated with the service principal name. Instance specifies the server on which the application or service is installed.
In this format, the instance is better identified by appending a port number to the server name. This format lets you install multiple application instances or multiple service instances on a server. Each instance can run under a different set of credentials.
In this format, name strings are used instead of port numbers. You can use this format when an application supports named instances. One such application is SQL Server 2005 Analysis Services. This application constructs a service principal name that resembles the following: