In a previous post I talked about adding a registry key to disable strict name checking, which was more of a reminder than anything else for when the error “A Duplicate Name Exists” appears. On a previous server this was all that needed to be done, but on a new server with Windows Server 2008 R2 I found I also needed to add an SPN using setspn. I first received an error of a domain trust failure when trying to access a CNAME’d network share, but then when I did a net view I received an access denied error.
To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:
setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername
After registering the SPN, everything is working fine.
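The registration above with a duplicate check and a verification step, as an added example that is not part of the original post. The three values at the top are the post's own placeholders and must be replaced. The script uses `setspn -S` instead of `-A` because `-S` adds the SPN only after verifying that no duplicate exists in the domain.

```powershell
# Added example: register and verify the host SPNs for a DNS alias (CNAME).
# Placeholder values taken from the post's syntax lines; replace all three.
$Alias    = 'your_ALIAS_name'   # short name of the CNAME record
$Domain   = 'company.com'       # DNS suffix of the alias
$Computer = 'computername'      # computer account of the server behind the alias

# Both forms are needed: the short name and the fully qualified name.
$spns = @("host/${Alias}", "host/${Alias}.${Domain}")

foreach ($spn in $spns) {
    # -S = add the SPN after verifying that no duplicate exists.
    # An SPN registered on two accounts breaks Kerberos for that name,
    # so a refusal here should be investigated, not worked around.
    & setspn.exe -S $spn $Computer
}

# -L lists the SPNs currently registered on the computer account.
# Compare against the SPN strings themselves so the check does not
# depend on the localized wording of setspn's status messages.
$registered = & setspn.exe -L $Computer | ForEach-Object { $_.Trim() }

foreach ($spn in $spns) {
    if ($registered -contains $spn) {
        Write-Output "OK       $spn is registered on $Computer"
    }
    else {
        # -Q searches the domain for the account that holds this SPN.
        Write-Output "MISSING  $spn (find the current holder with: setspn -Q $spn)"
    }
}
```

Run it from an elevated prompt with an account that has permission to write the servicePrincipalName attribute on the computer object.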
From Karan’s Blog:
“You must register the Kerberos service principal names (SPNs), the host name, and the fully-qualified domain name (FQDN) for all the new DNS alias (CNAME) records. If you do not do this, a Kerberos ticket request for a DNS alias (CNAME) record may fail and return the error code KDC_ERR_S_PRINCIPAL_UNKNOWN.”