When attempting to configure the Active Roles Web Interface on a dedicated host, the following error message is encountered:
This error may also be encountered when attempting to use an existing Active Roles Web Interface after a change is made to the Active Roles Administration Service service account.
The System event log on the client shows Kerberos errors related to an ARAdminSvc Service Principal Name.
CAUSE
The ARAdminSvc Service Principal Name (SPN) is present in Active Directory, but it is not registered on the account that is currently running the Active Roles Administration Service.
RESOLUTION
Find the account that holds the ARAdminSvc SPN noted in the Kerberos error and remove the SPN from that account.
NOTE: For information on enabling Kerberos error logging, please see this Microsoft resource.
The easiest way to find the account that has an existing SPN is to use the setspn tool and attempt to set the same SPN on the account which is currently running the Active Roles Administration Service.
The syntax for this tool is:
setspn -S ARAdminSvc/ActiveRolesServiceHost.domain.com domain\ActiveRolesServiceAccount
If the same SPN is already present on a different account, the update will fail and display the conflicting account name.
The conflict can then be removed using the setspn tool or by modifying the servicePrincipalName attribute of the conflicting account.
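As an alternative to relying on the failed setspn -S update to reveal the conflicting account, the directory can be queried for the SPN directly. The following PowerShell is an added example, not One Identity's own code; it assumes the RSAT ActiveDirectory module is installed, and the host and account names are the placeholders from the syntax line above.

```powershell
# Added example: find accounts other than the current service account that
# hold the ARAdminSvc SPN, then preview removing the SPN from them.
# Assumption: RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

# Placeholders: use the SPN shown in the Kerberos error and the sAMAccountName
# of the account that currently runs the Administration Service.
# If the service runs as the computer account, the name ends with '$'.
$Spn            = 'ARAdminSvc/ActiveRolesServiceHost.domain.com'
$ServiceAccount = 'ActiveRolesServiceAccount'

# Every object (user, computer, managed service account) carrying this SPN
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
    -Properties servicePrincipalName, sAMAccountName

$conflicts = foreach ($obj in $holders) {
    if ($obj.sAMAccountName -ne $ServiceAccount) {
        # Keep the value exactly as stored so the removal targets it precisely
        foreach ($stored in ($obj.servicePrincipalName | Where-Object { $_ -eq $Spn })) {
            [pscustomobject]@{
                Account = $obj.sAMAccountName
                DN      = $obj.DistinguishedName
                SPN     = $stored
            }
        }
    }
}

if (-not $conflicts) {
    Write-Output "No conflicting account holds $Spn."
}
else {
    $conflicts | Format-Table -AutoSize

    # -WhatIf only previews the change. Remove it to delete the SPN value
    # from the servicePrincipalName attribute of each conflicting account.
    foreach ($c in $conflicts) {
        Set-ADObject -Identity $c.DN -Remove @{ servicePrincipalName = $c.SPN } -WhatIf
    }
}
```

After the conflicting value is removed, rerun the setspn -S command shown above so that the SPN is registered on the current service account.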