DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 936628 - Last Review: October 11, 2007 - Revision: 1.3

On This Page

SYMPTOMS

When you try to configure constrained delegation on a computer that is running Microsoft Windows Server 2003, the service principal name (SPN) does not appear in the list of services that can be delegated to an account.

CAUSE

This problem occurs because the Add Services dialog box requires that the service principal name is validated before it is displayed to the administrator. However, the validation process is unsuccessful when a service principal name uses a name string as an instance identifier.

Note A name string may be used to determine a unique application instance or a unique service instance among multiple instances that are running on the server.

Service principal names that use a port number are not affected.

WORKAROUND

To work around this problem, manually edit the msDS-AllowedToDelegateTo attribute in the Active Directory directory service to specify the service principal name.

For example, consider the following scenario:
  • You install Microsoft SQL Server 2005 Analysis Services (also known as online analytical processing, or OLAP) on a server that is named olapsrv.fabrikam.com.
  • The service account under which OLAP runs on the server is FABRIKAM\OlapAdmin.
  • The service principal name that is registered to this service account is MSOLAPSvc.3/olapsrv.fabrikam.com:analyze.
  • This service principal name refers to an instance of SQL Server 2005 Analysis Services that is named analysis.
  • The application that uses SQL Server 2005 Analysis Services runs on a Windows Server 2003 R2-based server that is named appsrv.fabrikam.com. The application is installed as a Windows service and runs as a Local System account.
In this scenario, you would follow these steps to use SQL Server 2005 Analysis Services on the olapsrv.fabrikam.com server.

Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.

    Note ADSI Edit is part of Windows Server 2003 Support Tools package. To install this package, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
  2. Locate the computer object for the appsrv.fabrikam.com server.
  3. Right-click the computer object, and then click Properties.
  4. Click the Attribute Editor tab, and then double-click msDS-AllowedToDelegateTo in the Attributes list.
  5. In the Value to add box, type MSOLAPSvc.3/olapsrv.fabrikam.com:analyze, click Add, and then click OK two times.

MORE INFORMATION

Service principal names have one of the following formats.

Service/Instance

In this format, Service specifies the application or the service that is associated with the service principal name. Instance specifies the server on which the application or service is installed.

Service/Instance:Port

In this format, the instance is better identified by appending a port number to the server name. This format lets you install multiple application instances or multiple service instances on a server. Each instance can run under a different set of credentials.

Service/Instance:Name

In this format, name strings are used instead of port numbers. You can use this format when an application supports named instances. One such application is SQL Server 2005 Analysis Services. This application constructs a service principal name that resembles the following:
MSOLAPSvc.3/server_name.domain.com:instance_name

APPLIES TO
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
Keywords: 
kbexpertiseadvanced kbtshoot KB936628
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support