
We are trying to set up SPNs for SQL SSRS in an environment that only has Azure AD. If I run

    SETSPN -S MSCRMSandboxService/TESTCRM domain\crmtestserv
    SETSPN -S MSCRMSandboxService/TESTCRM.symposium.org domain\crmtestserv

I always get the message that my account has insufficient rights, even if the account is in the AAD DC Administrators group.

So what would be the process to set a SPN while using Azure AD?

Faruman
  • Did you try running it with *Run as Administrator*? See https://social.technet.microsoft.com/Forums/lync/en-US/1262a5f8-20da-4df2-8ced-42529ece89fa/setspn-to-add-spn-results-in-error-8344-insufficient-access-rights?forum=winserverDS – Jayendran Aug 20 '18 at 03:21
  • Thanks for your reply. Yes, I tried to run the command prompt as administrator; however, I still get the same error message. – Faruman Aug 20 '18 at 04:15
  • So you are using AAD Domain Services? – juunas Aug 20 '18 at 05:52
  • Yes, exactly, we use AAD. – Faruman Aug 20 '18 at 06:14
  • Have you enabled these three permissions: Validated write to service principal name, Read servicePrincipalName, and Write servicePrincipalName? – SunnySun Aug 20 '18 at 06:30
  • Thank you very much for your answer. Yes, the user has all three permissions. However, it is still not working. Any further suggestions on how to solve this? – Faruman Aug 20 '18 at 07:12
  • Hi @Faruman - did you ever get an answer or manage to resolve this? I've been stuck on the same problem for a couple of days now! – Greg Jackman Nov 04 '21 at 03:23

1 Answer


You must create new Organizational Units (OUs) and place the computer and user accounts in those. Accounts in the AAD DC Computers and AAD DC Users OUs can't be configured in certain ways, including with setspn.

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/deploy-kcd

You can create a new OU and move computers and users there with Active Directory Administration Center on a Windows VM joined to the domain. It's also worth noting that the service account you use must be created within something like Active Directory Administration Center - accounts synchronized via Azure AD won't work.

Max Lang
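The procedure the answer describes (custom OU, service account created inside the managed domain, then the SPN registration), as an added PowerShell example that is not part of the question or answer. It assumes a domain-joined Windows VM with the RSAT ActiveDirectory module, a session running as a member of AAD DC Administrators, and the OU name `CRM Service Accounts`; the SPNs and the `crmtestserv` account are taken from the question.

```powershell
# Added example, not code from the original post. Assumed: RSAT ActiveDirectory
# module on a domain-joined VM, session running as an AAD DC Administrators member.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=symposium,DC=org
$ouName   = 'CRM Service Accounts'                    # assumed custom OU name
$ouDn     = "OU=$ouName,$domainDn"
$svcSam   = 'crmtestserv'                             # account from the question
$spns     = @('MSCRMSandboxService/TESTCRM',
              'MSCRMSandboxService/TESTCRM.symposium.org')

# 1. Custom OU: objects under AAD DC Users / AAD DC Computers cannot be changed this way.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# 2. Service account created directly in the managed domain (not synced from Azure AD)
#    and placed in the custom OU. The password is prompted for, never hard-coded.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcSam'" -ErrorAction SilentlyContinue)) {
    New-ADUser -Name $svcSam -SamAccountName $svcSam -Path $ouDn `
        -AccountPassword (Read-Host -AsSecureString "Password for $svcSam") `
        -Enabled $true
}
$svcDn = (Get-ADUser -Identity $svcSam).DistinguishedName

# 3. Refuse to register an SPN another principal already holds: duplicate SPNs break
#    Kerberos authentication for every service sharing that name (setspn -S does the same check).
foreach ($spn in $spns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner -and $owner.DistinguishedName -ne $svcDn) {
        throw "SPN $spn is already registered on $($owner.DistinguishedName)"
    }
}
Set-ADUser -Identity $svcSam -ServicePrincipalNames @{Add = $spns}

# 4. Verify what was written (equivalent of 'setspn -L crmtestserv').
(Get-ADUser -Identity $svcSam -Properties servicePrincipalName).servicePrincipalName
```

If the account was instead moved from the AAD DC Users OU, use Move-ADObject to place it under the custom OU before step 3; accounts synchronized from Azure AD still cannot be used, as the answer notes.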