V-79-32775-8239, V-79-32775-0005: Backup Exec is unable to register the Service Principal Name (SPN) when trying to enforce Kerberos Authentication between Backup Exec server and Remote Administration Clients (RAC)

book

Article ID: 100047432

calendar_today

Updated On:

Description

Error Message


 

Cause

When the setting 'Allow only Kerberos authentication' is enabled, the Backup Exec Management service attempts to register the Service Principal Name (SPN) in the Active Directory (AD) using the Backup Exec Service Logon Account (BESA).

Note: The BESA is the service account that is in use by Backup Exec services, specifically the Backup Exec Management Service.

 

Resolution

The registration of SPN may fail for a variety of reasons. Listed below are some of the probable causes and solutions. 

1.    Error: Failed to register the Service Principal Name ‘walter@booy.net’. User Principal Name does not exist for the Backup Exec service account ‘walter@booy.net’ in the Active Directory.

Cause:
The user principal name (UPN) for the BESA is not found in Active Directory.  The UPN is not a mandatory attribute and is likely not configured for the BESA.


Solution:
Configure a UPN for the BESA and retry the operation. 

2.    Error: Failed to register the Service Principal Name ‘BackupExecManagementService/testws2016a.booy.net:50104’. Ensure that the Service Principal Name is only linked to the Backup Exec service account. After performing this step, change the required Backup Exec setting.
 
Cause:
A duplicate SPN exists against another user account other than the BESA.

Solution:

In this case Backup Exec cannot detect which user account has the duplicate SPN and it must be deleted by the user. Retry the operation after deleting the duplicate SPN(s).

Command to manually delete SPN:-
setspn.exe -d BackupExecManagementService/:50104 \

Refer to Microsoft documentation for more information. 

3.    Error: Failed to register the Service Principal Name ‘BackupExecManagementService/testws2016a.booy.net:50104’. Ensure that Backup Exec service account is a member of Domain Admins group. After performing this step, change the required Backup Exec setting.

Cause:
The BESA is not a member of Domain Admins group and hence does not have enough privilege to register the SPN in AD.



Solution:
Add BESA to the Domain Admins group.
Restart the Backup Exec Management Service and retry the operation. 

4.    Error: Failed to register the Service Principal Name with the exception: ‘%s’. Ensure that the domain controller is accessible and the Kerberos Key Distribution Center service is running on the domain controller. For more details, refer to the Event Viewer on the Backup Exec server. 

Cause:
Backup Exec receives an unknown exception. (Picture 6)

Solution:
Reach out to Backup Exec Support team further guidance
 

Issue/Introduction

With Backup Exec 21.0, communication between the Backup Exec server and Remote Administration Clients (RAC) can be set to enforce Kerberos Authentication only. This setting can be enforced when the Backup Exec server and the RAC machines are in a domain. This setting is available in the Backup Exec under Backup Exec Settings > Network and Security > Allow only Kerberos authentication
Note: Once this checkbox is selected, Management Service starts rejecting the connection from RAC if authentication is NTLM. It starts returning an exception to the client endpoint and RAC notifies users with the below error message.

Additional Information

ETrack: 3995429
Powered by Wolken Software