How to prevent the error Failed to Register Service Principal Name (SPN) in Dynamics AX, when not using Kerberos
I was recently working with a client who wasn’t using Kerberos authentication in their Dynamics AX 2012 R3 environment. The IT admin did not like seeing the following error being logged in their environment:
Object Server 01: RPC error: Failed to register service principal name (SPN): '29D16D8E-32D1-433B-B77F-987C2408CEA4/VOYAGER.demo.local:2712'
Object Server 01: RPC error: Failed to unregister service principal name (SPN): '29D16D8E-32D1-433B-B77F-987C2408CEA4/VOYAGER.demo.local:2712'
From the Windows Application Event Log, if you filter on the following you can see if this error exists in your environment:
In the event log, you will find 1 message per startup and shutdown of the AOS service.
Startup
Shutdown
The IT admin did not want this message being logged and had followed this enhanced security with Kerberos blog to prevent the messages from being logged without success. The IT admin was adamant that they would never use Kerberos in their AX environment and wanted to prevent the error message from logging.
I logged into my test environment and followed the blog, well, really I followed the screen shot and sure enough simply setting the authn_service value to 9 did not prevent the message from being logged.
Here is a screen shot of the key set in my environment:
And here is the message still being logged after a restart of the AOS:
After doing some additional testing I discovered that I had to create both of the following registry values in the following location authn_service and authn_regspn.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dynamics Server\6.0\01\[Debug]
The [Debug] location will be different based on your active Server configuration.
Steps to create the values:
- Right click on HKLM\SYSTEM\CurrentControlSet\Services\Dynamics Server\6.0\01\[Debug]
- Select String Value
- Name it: authn_service
- Give it a value of 9 (Negotiate)
- Repeat steps 1 and 2
- Name it: authn_regspn
- Give it a value of 0 (do not register spn)
The end configuration should look like this:
Keep in mind that this disables Kerberos authentication for Dynamics AX. If you decide to implement Kerberos later on you will need to remove the registry keys (or change their values rather) to enable AX to be able to use Kerberos. On the flip side of this, if you wish to force Kerberos authentication you could change the values to 16 (Kerberos) and 1 (register spn) respectively.
So now after restarting the AOS, the Application event log will not log the SPN error message. Here is the unregister SPN error message after made the changes and restarted the AOS for them to take effect:
And now there is no SPN error on startup (or the next shutdown) now that the new registry key values have been picked up by the AOS:
Under the terms of this license, you are authorized to share and redistribute the content across various mediums, subject to adherence to the specified conditions: you must provide proper attribution to Stoneridge as the original creator in a manner that does not imply their endorsement of your use, the material is to be utilized solely for non-commercial purposes, and alterations, modifications, or derivative works based on the original material are strictly prohibited.
Responsibility rests with the licensee to ensure that their use of the material does not violate any other rights.