CNAMEs and SPNs: Access Denied Error

In a previous post I talked about adding a registry key to disable strict name checking, which was more of a reminder than anything else for when the error “A Duplicate Name Exists” comes up. On a previous server this was all that needed to be done, but on a new server with Windows Server 2008 R2 I found I also needed to add an SPN using setspn. I first received an error of a domain trust failure when trying to access a CNAME’d network share, but then when I did a net view I received an access denied error.


To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername

setspn -A host/your_ALIAS_name.company.com computername


After registering the SPN, everything is working fine.
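
The registration above as a repeatable check, added here as an example and not part of the original post: it looks for an existing registration with setspn -Q before adding each SPN, so the alias is never registered on two accounts, then lists the result with setspn -L. The function name, its parameters and the sample values are assumptions, as is the parsing of setspn -Q output by its "CN=" lines.

```powershell
# Added example, not from the original post. Function and parameter names are hypothetical.
function Register-AliasSpn {
    param(
        [Parameter(Mandatory = $true)] [string] $Alias,        # CNAME short name
        [Parameter(Mandatory = $true)] [string] $DnsSuffix,    # DNS domain of the alias
        [Parameter(Mandatory = $true)] [string] $ComputerName  # server the CNAME points to
    )

    # The two forms the post registers: short name and FQDN.
    $spns = @("host/$Alias", "host/${Alias}.${DnsSuffix}")

    foreach ($spn in $spns) {
        # setspn -Q searches the domain for an existing registration of this SPN.
        # Assumption: accounts holding it are printed as distinguished names ("CN=...").
        $owners = @(& setspn.exe -Q $spn 2>&1 | ForEach-Object { "$_".Trim() } |
                    Where-Object { $_ -match '^CN=' })

        if ($owners.Count -eq 0) {
            # Not registered anywhere: add it with the syntax from the post.
            & setspn.exe -A $spn $ComputerName
        }
        elseif ($owners | Where-Object { $_ -notlike "CN=$ComputerName,*" }) {
            # Held by another account: adding it again would create a duplicate SPN,
            # which also breaks Kerberos ticket requests for the alias.
            Write-Warning "$spn is already registered on: $($owners -join '; ')"
        }
        else {
            Write-Output "$spn is already registered on $ComputerName"
        }
    }

    # Show what the computer account holds now.
    & setspn.exe -L $ComputerName
}

# Constructed sample values:
# Register-AliasSpn -Alias files -DnsSuffix company.com -ComputerName fs01
```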


From Karan’s Blog:

You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_PRINCIPAL_UNKNOWN.

