Discussion:
Problem with Virtual Server on SBS 2K3 R2 & client server
SD
2007-05-01 21:17:32 UTC
I've just installed VS2K5 R2 on an existing Small Business Server 2K3
R2 with a client Windows Server 2K3. This is a testbed server I'm
using to play with Virtual Server. I only installed the Admin website
on the SBS install (under the Local System account) with the intent of
administering both machines from SBS. Now, when I open the Admin
website I see the following error:

"The service principal names for Virtual Server could not be
registered. Constrained delegation cannot be used until the SPNs have
been registered manually. Error 0x80072098 - Insufficient access
rights to perform the operation."

Followed by:

"Virtual Server successfully started."

If I try to switch Virtual Servers using the Virtual Server Manager
using the DNS name or the IP, I get the following error:

"Could not connect to the Virtual Server on "ts.test.local". The
server is unavailable.
You can specify an alternate Virtual Server below."

It looks like the problem switching to the alternate VS in the VS
Admin website is because constrained delegation won't work unless the
SPNs are registered manually as described in KB890893.

My questions are:

1) Is it OK to install Windows Server 2K3 SP1 Support Tools on SBS &
manually register SPNs, using Setspn.exe or ADSI Edit, as described in
KB890893?

2) Would it be best to just ditch the idea of managing both machines
from the SBS server & install IIS/VS Admin website on the client
server too?

Thanks for any help!
SD
Charlie Russel - MVP
2007-05-01 22:36:17 UTC
I find it more bother than it's worth to use a single VS admin web site.
That being said, I have done it without issue.

As for the support tools - They are on CD2 of the SBS media. Install from
there.
--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel
SD
2007-05-02 00:04:46 UTC
Thanks for the response Charlie, I'm beginning to agree with you. Are
you aware of any issues that could result from manually registering
the SPNs on SBS?
SD

Charlie Russel - MVP
2007-05-02 06:02:39 UTC
No, but I haven't had to do it myself, so I'm not the best judge.
--
Charlie.
http://msmvps.com/xperts64
http://mvp.support.microsoft.com/profile/charlie.russel
SD
2007-05-02 08:13:35 UTC
After following MS steps for verifying SPNs aren't registered & then
registering them as listed here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;890893

I'm still getting the error message:

"The service principal names for Virtual Server could not be
registered. Constrained delegation cannot be used until the SPNs have
been registered manually. Error 0x80072098 - Insufficient access
rights to perform the operation."

Further, I'm still not getting the correct response to "setspn -L
server". Specifically, the last line as described in the MS Doc:

"vmrc/servername:VMRC_Port vmrc/server.domain.com:VMRC_Port"

The result I get is "vmrc/servername:VMRC_Port". Note that in the MS
doc, they give 2 options for registering SPN manually: adsiedit.msc or
setspn.exe. The steps listed for adsiedit don't include registering
vmrc AT ALL. The steps listed for setspn.exe result in the
vmrc/servername:port that I'm getting now, but apparently not
vmrc/FQDN:port. WTF?

To add to the mystery, after I register the SPNs I need to configure
constrained delegation. I reviewed the instructions listed here:

http://www.microsoft.com/technet/prodtechnol/virtualserver/2005/proddocs/vs_deploy_delegation.mspx?mfr=true

However, when I look under "Computers" in "Active Directory Users and
Computers" there are no computers listed. The only place the SBS
server (web server) is listed is under Domain Controllers. The other
physical server running VS (VS only) is listed under
MyBusiness>Computers>SBSServers. When I click Properties of either one
of these computers, there is no "delegation tab", as referenced in the
documentation.

This should be simpler! I can't imagine it's an SBS thing. Has anyone
successfully manually registered the SPNs as described in the MS doc?
Has anyone gotten rid of the SPN error in the VS Admin website? Has
anyone successfully configured constrained delegation on an SBS server?
Obviously not by following the docs I listed. Someone please throw
this bewildered hack a bone!
SD
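
The check described in the last post (comparing "setspn -L server" output against the short-name and FQDN forms of the vmrc SPN) can be scripted. The following is an added example, not part of the thread or of KB890893: the sample output, the distinguished name and port 5900 are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of `setspn -L ts` output; the host name follows the
# thread (ts.test.local), the DN and port 5900 are assumed for illustration.
SAMPLE_OUTPUT = """\
Registered ServicePrincipalNames for CN=TS,OU=SBSServers,OU=Computers,OU=MyBusiness,DC=test,DC=local:
    vmrc/ts:5900
    HOST/TS
    HOST/ts.test.local
"""

# serviceclass/host[:port][/servicename]; the header line never matches
# because it contains whitespace before its first "/".
SPN_RE = re.compile(
    r"^(?P<cls>[^/\s]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?:/\S+)?$"
)


def parse_spns(setspn_output):
    """Return a set of (class, host, port) tuples, lower-cased,
    since SPN comparison is case-insensitive."""
    spns = set()
    for line in setspn_output.splitlines():
        m = SPN_RE.match(line.strip())
        if m:
            spns.add((m["cls"].lower(), m["host"].lower(), m["port"]))
    return spns


def missing_spns(setspn_output, service_class, short_name, fqdn, port=None):
    """List the SPNs of service_class that are absent for either host form."""
    have = parse_spns(setspn_output)
    port = str(port) if port is not None else None
    missing = []
    for host in (short_name, fqdn):
        if (service_class.lower(), host.lower(), port) not in have:
            suffix = f":{port}" if port else ""
            missing.append(f"{service_class}/{host}{suffix}")
    return missing


if __name__ == "__main__":
    for spn in missing_spns(SAMPLE_OUTPUT, "vmrc", "ts", "ts.test.local", 5900):
        print("not registered:", spn)
```
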
