ITMS 8.x - After Server restart you notice a Warning event in SMP Logs regarding SPN configuration not being registered Error Code 8344.
Article ID: 412320
Updated On:
Products
Issue/Introduction
After SMP Services restart or a full server reboot, the following Warning can be found in SMP Logs.
Environment
ITMS 8.7.x and higher
Cause
After restarting the SpnManager (AexSVC core module) would try to register SPN attributes in the Domain Controller to enable automatic fallback to NTLM if authentication with Kerberos authentication fails.
And in case if SMP Service account is not an account having this security privilege (not Domain Administrator), it would fail and log this warning event.
Resolution
In this scenario, the Service account was a part of an AD Group that does not have rights to write to the service principal name:
Further, it's required to check in Active Directory - if the SMP Server computer record has proper values in Attributes for servicePrincipalName:
And if values like: SMP/#shortHostname and SMP/#fqdnHostname are listed - then it means that the fallback mechanism -> Symantec Management Agent service - during startup has set those values (those attributes are also set on Site Servers (for Task and Package services).
As the AexSVC service is running under the specific Domain account (which might have no privileges), the SMA Service is running under the System account, which would use Computer SELF permissions to set the SPN attributes:
Thus, if values are properly set in DC, then this particular Warning event message can be safely ignored.
Additional Information
App Identity (AppID) Credential suggested requirements can be found in KB https://knowledge.broadcom.com/external/article/181041
Feedback
