By default, the Data Governance Edition (DGE) service runs as the "Local System" account. Administrators may, however, want to run the Data Governance service as a domain user or service account instead of "Local System".
If the account used to run the Data Governance service is changed, the Data Governance Service Principal Name (SPN) must be moved in Active Directory to the new account. If the SPN is not moved, the Data Governance agents will not be able to authenticate to the Data Governance service, and the following error will be recorded in the Data Governance agent log:
"Message: Failed to register with DGE Server. Will keep trying.
System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception.
--> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception.
--> System.ComponentModel.Win32Exception: The target principal name is incorrect."
If a service account other than "Local System" is used for the Data Governance service, the SPN must be moved in Active Directory.
NOTE: This applies if a service account other than "Local System" is specified during the initial configuration or if the Data Governance service account is changed after the initial configuration.
To move the SPN in Active Directory:
NOTE: This procedure applies to Data Governance Edition 8.0 (and above)
1. Stop the Data Governance service.
2. Run the following setspn commands from a command prompt on a Domain Controller or on any machine with the Active Directory tools installed.
Run the following command to remove the SPN from the computer object:
setspn -D DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD SERVERNAME
For example:
setspn -D DataGovernance.Server(DEFAULT)/MYDGESERVER.MYDOMAIN.local MYDGESERVER
Run the following command to add the SPN of the service account:
setspn -A DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD USERNAME
For example:
setspn -A DataGovernance.Server(DEFAULT)/MYDGESERVER.MYDOMAIN.local MYUSER
Where:
DEPLOYMENT is the deployment name assigned to the Data Governance deployment.
SERVER.DOMAIN.TLD is the FQDN of the Data Governance server where the Data Governance service is installed.
SERVERNAME is the short name of the Data Governance server.
USERNAME is the SAM account name of the service account.
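The following PowerShell script is an added example, not part of this article or of the One Identity product; it wraps the two setspn commands above in a single procedure with the checks an administrator would normally run by hand. It assumes setspn.exe is on the PATH (installed with the AD DS / RSAT tools), that the caller has rights to edit servicePrincipalName on both the computer object and the service account, and that $ServiceName is replaced with the actual Windows service name of the Data Governance service (the article does not give it, so a placeholder is used). It deliberately uses setspn -S instead of the article's setspn -A for the add step: -S refuses to register an SPN that is still present on another account, and a duplicate SPN is the usual cause of the "The target principal name is incorrect" error shown above.

```powershell
<#
  Added example (not One Identity's code): move the Data Governance SPN from the
  computer object to the service account, then verify the result.
  Assumptions: setspn.exe on PATH; caller can edit servicePrincipalName on both
  objects; $ServiceName is a placeholder the administrator must replace.
#>
param(
    [Parameter(Mandatory)] [string] $Deployment,   # e.g. DEFAULT
    [Parameter(Mandatory)] [string] $ServerFqdn,   # e.g. MYDGESERVER.MYDOMAIN.local
    [Parameter(Mandatory)] [string] $ServerName,   # e.g. MYDGESERVER (short name)
    [Parameter(Mandatory)] [string] $UserName,     # e.g. MYUSER (SAM account name)
    [string] $ServiceName = 'REPLACE-WITH-DGE-SERVICE-NAME'  # placeholder, not from the article
)

# SPN in the form the article gives: DataGovernance.Server(DEPLOYMENT)/SERVER.DOMAIN.TLD
$spn = "DataGovernance.Server($Deployment)/$ServerFqdn"

# Run setspn.exe with an argument array (so the parentheses in the SPN are passed
# literally) and return its output plus exit code.
function Invoke-SetSpn {
    param([string[]] $ArgumentList)
    $out = & setspn.exe @ArgumentList 2>&1
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = ($out | Out-String) }
}

# Step 1 of the procedure: stop the Data Governance service before touching the SPN.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) { throw "Service '$ServiceName' not found; set -ServiceName to the real DGE service name" }
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
    $svc.WaitForStatus('Stopped', '00:01:00')
}

# Step 2a: remove the SPN from the computer object, but only if it is actually there.
# setspn -Q reports "Existing SPN found!" when the SPN is registered anywhere in the domain.
$query = Invoke-SetSpn @('-Q', $spn)
if ($query.Output -match 'Existing SPN found') {
    $del = Invoke-SetSpn @('-D', $spn, $ServerName)
    if ($del.ExitCode -ne 0) { throw "setspn -D failed:`n$($del.Output)" }
}

# Step 2b: add the SPN to the service account. -S (unlike -A) aborts if the SPN is
# still registered on another account, which would leave a duplicate SPN and make
# Kerberos authentication from the agents fail.
$add = Invoke-SetSpn @('-S', $spn, $UserName)
if ($add.ExitCode -ne 0) { throw "setspn -S failed (duplicate SPN or insufficient rights?):`n$($add.Output)" }

# Verification: the SPN must be listed on the service account and must not be a
# domain-wide duplicate (setspn -X lists every SPN registered on more than one object).
$listing = Invoke-SetSpn @('-L', $UserName)
if ($listing.Output -notmatch [regex]::Escape($spn)) { throw "SPN $spn is not listed on $UserName" }
$dupes = Invoke-SetSpn @('-X')
if ($dupes.Output -match [regex]::Escape($spn)) { throw "SPN $spn is registered on more than one account" }

# Bring the service back up now that the SPN matches the account it runs as.
Start-Service -Name $ServiceName
Write-Host "SPN $spn is now registered on $UserName only; service '$ServiceName' started"
```

Run it from an elevated PowerShell session on a machine with the AD tools, for example: `.\Move-DgeSpn.ps1 -Deployment DEFAULT -ServerFqdn MYDGESERVER.MYDOMAIN.local -ServerName MYDGESERVER -UserName MYUSER -ServiceName <real service name>`. The final `setspn -X` pass is the check worth keeping even when moving the SPN by hand: an SPN that resolves to two accounts produces exactly the SSPI negotiation failure quoted in the agent log.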
For more information, please refer to the Deployment Guide, Data Governance service deployment methods.
© 2024 One Identity LLC. ALL RIGHTS RESERVED.