Error 0x2098 8344 insufficient access rights to perform the operation

I am trying a add a SPN using the setspn tool.

  • I am trying a add a SPN using the setspn tool.

    The user is a domain user with "Validated write to service principal name" permissions on the computer objects in the domain.

    The domain admin assigned the privileges using the steps mentioned in <http://technet.microsoft.com/en-us/library/cc731241(WS.10).aspx#BKMK_Del>

    I get an error Failed to assign SPN 0x2098/8344 — insufficient access rights to perform the operation.

    Do I need any additional permissions?

Answers

  • Hi,

    Do you want to delegate rights to add SPNs on Computer Accounts or add SPNs on User Accounts? By design, if you select user objects (Domain/User Properties —>
    Security Tab —> Advanced —> Add User —> Apply onto —> User Objects), the SPN-related permission properties are not visible.

    They are only visible if you have selected Computer Objects. The SPN related Permissions are as follows:

    Validated write to service principal name

    Read servicePrincipalName

    Write servicePrincipalName

    If the error occurs when trying to add SPNs on a Computer Account, please enable all three of the above permissions and check the issue again. If you would like to add
    SPNs on User Accounts, we need other methods to achieve this.

    Thanks.

    Nina




    • Marked as answer by
      Nina Liu — MSFT
      Monday, March 14, 2011 1:44 AM

On a Windows Server 2008 Domain Controller, I’m attempting to add a Service Principal Name (SPN) to a user account ‘Postmaster’ in order to enable Kerberos authentication from a Communigate email server. The command line I’m using is of the form:

setspn -a imap/email-domain.com windows-domain\postmaster

When I run this command, I get the result:

Registering ServicePrincipalNames for CN=Postmaster,OU=Users,DC=windows-domain,DC=com
    imap/email-domain.com
Failed to assign SPN on account 'CN=Postmaster,OU=Users,DC=windows-domain,DC=com', error 0x2098/8344 ->
Insufficient access rights to perform the operation.

This is most curious, since I am logged in as a user in the group Domain Admins. I checked effective privileges for this account, and I can’t see any that are not included. I also tried a different administrator account, with the same result.

Just to rule it out, I also added the user Postmaster to Domain Admins, but no change to the result.

I am running this command directly on the Domain Controller instance. I am able to query SPNs with no difficulty, I just can’t seem to write them.

I also attempted to use ktpass to indirectly set the SPN on the desired user, but received a warning:

WARNING: Unable to set SPN mapping data.

…which I assume is a symptom of the same insufficient access problem.

What could be causing this error?



Win32 error returned is 0x2098 (Insufficient access rights to perform the operation)


If you work with servers that are Active Directory domain controllers, you may run into the error described below while operating them; this article covers how to fix it.

Fixing the error

When transferring the Schema Master role from one server to another, the following error may occur:

Возвращенная ошибка Win32 0x2098(Для выполнения операции права недостаточны.)

In English it looks like this:

Error shows : Win32 error returned is 0x2098(Insufficient access rights to perform the operation).

The problem is solved very simply: add the user to the "Schema Admins" group. After adding the user to the group you need to log off and log on again, and only then retry the role transfer.


  • Recently I installed SQL Server 2012 on one of the servers. Earlier there was SSAS on this server; I completely uninstalled the existing one and reinstalled SQL Server. After that I am able to connect with SSMS on that server, but I am unable
    to connect to SQL Server from outside the server, from my laptop. I am getting the error below.

    When I checked the SPN names on the server I got the error below.

    Duplicate SPN found, aborting operation!

    I am trying to delete the duplicate SPN, but I am getting the error below.

    Failed to remove SPN on account ‘CN=CNName SQL,OU=UserAccounts,DC=DCNAME,DC=corp,DC=DCNAME,DC=com’,
    error 0x2098/8344 -> Insufficient access rights to perform the operation.

    How can I resolve this issue? Please help me with this.

    Thanks,

    Raj. K


Answers

  • The duplicate SPN message suggests that the client is unable to determine where to try to make the connection to.

    You first of all need to clean up the duplicate SPNs in Active Directory.

    Syntax for SetSPN.exe

    The syntax for SetSPN.exe is:

    setspn { -A SPN | -D SPN | -L } service_account

    Arguments

    -A Adds the specified SPN to the account.

    -D Deletes the specified SPN from the account.

    -L Lists all SPNs registered to the account.


    Remove the SPN related to your SQL Server instance and then restart SQL Server to ensure it then re-registers its SPN.

    Also check that the server name resolves correctly in DNS — use ping <IP Address> and ping <FQDN> and check that these correlate to each other. Also use NSLOOKUP to confirm the name resolution in DNS.


    Martin Cairney SQL Server MVP

    • Marked as answer by
      Lydia ZhangMicrosoft contingent staff
      Wednesday, October 21, 2015 8:26 AM


@Tratcher

The 404 is the exception handler trying to redirect to /Home/Error which doesn’t seem to exist in this app.

The actual exception reported in the logs is:

System.InvalidOperationException: An anonymous request was received in between authentication handshake requests.
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.Negotiate.NegotiateHandler.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

Which matches #20100 (closed as stale). There wasn’t enough information before to debug it, but it looks like we have more now…

When you’re doing this authentication are you using the machine’s fully qualified active directory name? Using an alternate name isn’t going to work unless you’ve set up proper SPNs.

From the logs:
Request 1) Anonymous, authorization failed, Challenge 401 Negotiate
Request 2) Authorization: Negotiate (kerberos(?) blob), incomplete handshake, 401 Negotiate (blob)
Request 3) Authorization: Negotiate (blob), incomplete handshake, 401 Negotiate (blob)
Request 4) Anonymous, exception as shown above.

So the main issue seems to be that the server thinks auth is still in progress but the client has given up. This is likely a misconfiguration related to SPNs or similar. It’s odd that the client would send another anonymous request after three consecutive 401s.

@blowdart any idea how to get the associated schannel events to get a more specific explanation here?

Note Http.Sys may have worked because it uses kernel mode authentication which means SPNs are configured on the machine account. With Kestrel it’s using user mode which means the SPNs must be configured on the user account instead.

@Yustos

Hi, Chris!
«When you’re doing this authentication are you using the machine’s fully qualified active directory name?» — yes. In the client browser I used the full server name http://example.com:5000/ and got an auth error.
When I use a browser on the server, all URL variants work fine: http://localhost:5000, http://example:5000 and http://example.com:5000.

To be clear: the 404 is strange, but not the root trouble. The problem is authentication.

Postman failed on auth without any additional potential requests (like js, css, favicon and others).

To reduce any browser-specific network activity I tried PowerShell:

PS C:\Users\Yustos> $url = "http://example.com:5000"
PS C:\Users\Yustos> $wc = New-Object System.Net.WebClient
PS C:\Users\Yustos> $wc.UseDefaultCredentials = $true
PS C:\Users\Yustos> $response = $wc.DownloadString($url)
Exception calling "DownloadString" with "1" argument(s): "The remote server returned an error: (401) Unauthorized."
At line:1 char:1
+ $response = $wc.DownloadString($url)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : WebException

And here is server log:
auth_log_by_powershell.txt

Will fiddler logs help you?
Thank you for the advice!

PS: I tried to apply setspn, but failed:

>setspn -S HTTP/example.com Yustos
Checking domain DC=---,DC=---

Registering ServicePrincipalNames for CN=Yustos,OU=Computers,OU=Clients,DC=---,DC=---
        HTTP/example.com
Failed to assign SPN on account 'CN=Yustos,OU=Computers,OU=Clients,DC=---,DC=---',
 error 0x2098/8344 -> Insufficient access rights to perform the operation.

I suppose this is not important.

@Yustos

Okay, I collected fiddler logs for PowerShell with UseDefaultCredentials calls (HTTP bodies excluded, tokens shortened).
Success with HTTP.SYS:
success_http_sys.txt

Fail with Kestrel negotiate:
fail_kestrel_negotiate.txt

I am not an Active Directory administrator, so setspn is not permitted for me. And I believe that I should not ask an administrator to register an SPN for every test scenario or dynamically generated URLs.
So my way is HTTP.SYS or another authentication mechanism.

The last thing is the error code. In the attached failure logs there was a 400 error after a series of handshakes.
But sometimes a 404 error was returned without any handshake.
Here are the details for the 404:

GET http://example.com:5000/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.18362.628
Host: example.com:5000

HTTP/1.1 404 Not Found
Date: Sun, 05 Apr 2020 07:29:13 GMT
Server: Kestrel
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Expires: -1

Looks like it alternates: 400, 404, 400, 404…

Well, please confirm that setspn is a strong requirement for Negotiate and close the issue.
Thank you!

@Tratcher

Can you share the server logs for the 400 scenario?

Yes, SPNs are a strong requirement for Negotiate/Kerberos. When you run on the same machine it always defaults to NTLM which does not have the same SPN requirements. When it runs with HttpSys from a separate machine it’s using kernel mode auth and the machine account which already has SPNs configured by default. When it’s using Kestrel and user-mode auth from a remote machine it can’t find any SPNs in the user account, tries to fall back to NTLM, but then gives up after a few round trips (not sure why yet).

@JunTaoLuo this would be a good situation for you to repro with your current setup.

@Tratcher

The 404 is likely the same redirect to /home/error as before. The server logs would show that.

@Yustos

I tested again and this was my fault: the 400/404 problem appears when I use fiddler as a proxy to sniff client-side requests.
This command will produce 400/404 errors:

Invoke-WebRequest -Uri "http://example.com:5000" -UseDefaultCredentials -Proxy http://localhost:8888

But this is stable 401:

Invoke-WebRequest -Uri "http://example.com:5000" -UseDefaultCredentials
Invoke-WebRequest : The remote server returned an error: (401) Unauthorized.
At line:1 char:1
+ Invoke-WebRequest -Uri "http://example.com:5000" -UseDefaultCredent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebExc
   eption
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Here is server log for 401 without proxy (single call):
server.txt

Anyway, I cannot use Kestrel negotiate with SPNs. I want to use dynamic subdomains and I have no opportunity to dynamically register SPNs in Active Directory. For my case HTTP.SYS and IIS work fine :(

Chris, thank you for explanation about SPN! I’m sorry for your time.

@JunTaoLuo

FYI, the 401s we were seeing seem to be caused by the missing SPNs. I am able to reproduce the 401 errors on my local VMs when the SPNs are not configured and I am able to run your repro project successfully when I do have the SPN configured correctly. I think all the questions here have been resolved, please let us know if you have any other issues @Yustos

@Tratcher

@JunTaoLuo did you ever see the InvalidOperationException?

@analogrelay

Triage: @JunTaoLuo is going to take a quick look at a few other clients (Legacy Edge/Edgium, etc.) to see if we can repro the InvalidOperationException. We do require an SPN though so I don’t think there’s much we can do about that. Using HttpSys is probably a better option in this scenario.

@analogrelay

@JunTaoLuo was able to identify that Edge Chromium does indeed produce this error when SPNs aren’t configured. We’re forwarding the details on to that team for further investigation.


When attempting to add an SPN to a service account for SQL Server, you may get the following error if you are not a domain admin:

setspn -S MSSQLSvc/VSQLDEV01.DOMAIN DOMAIN\SVCACCOUNT.SVC
Checking domain DC=..,DC=....,DC=..,DC=..

Registering ServicePrincipalNames for CN=vsqldev01 svc,OU=Service Accounts,OU=Shared Resources,OU=..,DC=..,DC=
...,DC=..,DC=..
 MSSQLSvc/VSQLDEV01.DOMAIN
Failed to assign SPN on account 'CN=vsqldev01 svc,OU=Service Accounts,OU=Shared Resources,OU=E..,DC=.,DC=...
,DC=..,DC=..', 
error 0x2098/8344 
-> Insufficient access rights to perform the operation.

If you're lucky enough, get your domain admin to give you the required permissions on the OU in Active Directory. They would need to do the following:

On a Domain Controller, run adsiedit.msc (doing this via the normal dsa.msc console will not expose the SPN permissions that need to be added).

Then run the following sequence of actions:

  1. Right-click the OU and select Properties
  2. Select the "Security" tab
  3. Select the "Advanced" tab
  4. Select the "Add" button
  5. Enter the security principal name and click OK
  6. On the "Properties" tab, set "Apply to:" to "Descendant User objects"
  7. Under "Permissions", check "Read servicePrincipalName - Allow" and "Write servicePrincipalName - Allow"
  8. Click OK to close each of the three dialogs
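The same delegation done from an elevated PowerShell prompt with the built-in dsacls tool instead of adsiedit.msc, as an added example that is not from the original post. The OU distinguished name, the delegate account and the SPN/account names in the closing comments are placeholders.

```powershell
# Added example (not from the original post): grant Read/Write on the
# servicePrincipalName attribute for descendant user objects of an OU with
# dsacls, the CLI equivalent of the adsiedit.msc steps above. Run as a domain
# admin on a DC or an RSAT workstation. All names below are placeholders.
$ou       = "OU=Service Accounts,OU=Shared Resources,DC=example,DC=com"
$delegate = "EXAMPLE\sqldba"    # who may manage SPNs in this OU; not a domain admin

# /I:S   inherit to sub-objects only (the OU object itself gets no ACE)
# RPWP   Read Property + Write Property, limited to the named attribute
# ;user  restrict the ACE to descendant user objects, the same scope as
#        "Apply to: Descendant User objects" in the GUI steps
dsacls $ou /I:S /G "${delegate}:RPWP;servicePrincipalName;user"

# Confirm the ACE is present before asking the delegate to retry setspn
dsacls $ou | Select-String -SimpleMatch "servicePrincipalName"

# Caveat: members of protected groups (Domain Admins etc.) get their ACL
# reset from AdminSDHolder with inheritance disabled, so an OU-level
# delegation never reaches those accounts. Keep service accounts out of
# protected groups instead of adding them there to "fix" 0x2098.

# The delegate can now register and list SPNs on accounts in that OU:
#   setspn -S MSSQLSvc/VSQLDEV01.example.com EXAMPLE\svcaccount
#   setspn -L EXAMPLE\svcaccount
```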

I am trying to set an SPN using PowerShell for my service account. But I receive "error 0x2098/8344 -> Insufficient access rights to perform the operation".

All results point me towards adding allow on Read/Write ServicePrincipalName (image 2) which I have set. Is there some other permission I am lacking?

SPN Fails
ServicePrincipalName

asked Jan 23 at 21:25


1 Answer

answered Jan 24 at 7:00



Azure AD Connect is a tool for connecting on-premises identity infrastructure to Microsoft Azure AD. The wizard deploys and configures the prerequisites and components required for the connection, including sync and sign-on. Azure AD Connect encompasses functionality that was previously released as DirSync and AAD Sync. Here is a guide on how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool, and how to use the built-in AAD Connect troubleshooting tool. Azure AD Connect uses three accounts in order to synchronize information from on-premises (Windows Server) Active Directory to Azure Active Directory: the AD DS Connector account, used to read/write information in Windows Server Active Directory; the ADSync service account, used to run the synchronization service and access the SQL database; and the Azure AD Connector account, used to write information to Azure AD.

Azure AD Connect is the Microsoft tool designed to meet and accomplish your hybrid identity goals. It provides the following features:
- Password hash synchronization: A sign-in method that synchronizes a hash of a user's on-premises AD password with Azure AD.
- Pass-through authentication: A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn't require the additional infrastructure of a federated environment.
- Federation integration: Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. It also provides AD FS management capabilities such as certificate renewal and additional AD FS server deployments.
- Synchronization: Responsible for creating users, groups, and other objects, and for making sure identity information for your on-premises users and groups matches the cloud. This synchronization also includes password hashes.
- Health Monitoring: Azure AD Connect Health can provide robust monitoring and provide a central location in the Azure portal to view this activity.

You may also encounter issues adding directories with the service account. You can still add the on-premises environment (directory) even without the right permissions tied to the service account, but you may then find the following error in the "Synchronization Service Manager": "permission issues with error code 8344: insufficient access rights to perform the operation".


To resolve this issue, give the service account the necessary permissions on the AD Connect server by adding it to the Administrators group (Built-in OU). It is recommended to let Azure AD Connect create the account, or you can specify a synchronization account with the correct permissions. I pre-provisioned one and this is absolutely fine!


Most times this isn't sufficient; you will have to add the service account as a member of the Administrators group in Active Directory.

You cannot use your Enterprise or Domain administrator account for your AD Forest account.

This resolved my import issue. Proceed to the Azure Synchronization Service Manager server, rerun the synchronization and check whether the sync status completes without error.

Note: If you are using Password Hash Sync (PHS), you may want to use a PowerShell script to configure the required permissions, or enable inheritance for the specific users.

To resolve this issue, perform the following steps:

  • Run the Active Directory inheritance script to get a list of users on which inheritance is blocked. Once you have the list, make sure that you allow inheritance on those users/groups.
  • To allow inheritance, make sure Advanced Features are enabled in the View menu, then go to user properties –> Security –> Advanced –> select the check box "Include inheritable permissions from this object's parent".

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.


If your sync service completed with an error and the error code is the one shown below:

Error 8344: Permission Issue Insufficient Access Rights to Perform the Operation

It means that the service account you used to add the domain during the wizard setup does not have the necessary permissions.


Note:

This only covers Password Synchronization and Password Writeback; for further extended permissions please review the references below.

Step by step:

  1. Provide the necessary permission to the service account
    • Add the service account into the Administrators Group (Built-in OU)
    • At the forest level > Properties > Security > Add > service account
      • Next, select the service account, scroll to the permissions and check “Replicate Directory Changes All” and “Replicate Directory Change”
      • Because password writeback will be turned on too, other permissions you have to give this service account are “Change Password” and “Reset Password” under Advanced
        • Select the service account > Advanced > Select Add > Select Principal > Service account > Descendant User Objects > Check the boxes for “Change Password” and “Reset Password”
    • Save your changes
    • Refresh
  2. Head to your AADC server and rerun the synchronization
  3. Check the Sync status whether it is completed without error
  4. The End
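After step 1, it is worth confirming which principals actually hold the two replication rights on the domain head, since they are what Password Hash Sync needs and they are powerful. This is an added example, not from the original post; it assumes the RSAT ActiveDirectory module and takes the domain name from Get-ADDomain.

```powershell
# Added example (not from the original post): list every ACE on the domain
# head that grants "Replicating Directory Changes" or "Replicating Directory
# Changes All", so the AAD Connect connector account can be verified and any
# unexpected holder of these rights stands out. Needs the RSAT AD module.
Import-Module ActiveDirectory

# Schema GUIDs of the two extended rights (Microsoft-documented constants)
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

$domainDN = (Get-ADDomain).DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDN"    # AD: drive comes with the module

$holders = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $replRights.ContainsKey($_.ObjectType.ToString())
    } |
    Select-Object IdentityReference,
                  @{ Name = 'Right'; Expression = { $replRights[$_.ObjectType.ToString()] } },
                  IsInherited

$holders | Sort-Object IdentityReference, Right | Format-Table -AutoSize

# Typical default holders are Domain Controllers, Enterprise Domain Controllers
# and Administrators, plus the AAD Connect account (MSOL_<hex> if the wizard
# created it, or the account you pre-provisioned). Anything else deserves a look.
```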

References:

  1. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions
  2. https://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-1/

Appendix:

  1. ADUC – Active Directory Users and Computers
  2. ADS – Active Directory Sync
  3. OU – Organization Unit
  4. AADC – Azure Active Directory Connect

Do check out the latest blog post for this issue here https://sabrinaksy.com/2021/01/24/azure-ad-connect-event-code-8344-permission-issue/
