IT Core Blog

Never stop questioning. Curiosity has its own reason for existing…

Domain Controllers Warning Event ID: 10154


Log Name: System
Source:  Microsoft-Windows-WinRM
Date:  1/1/2010 1:22:43 PM
Event ID: 10154
Task Category: None
Level:  Warning
Keywords: Classic
User:  N/A
Computer: dcname.domain.tld
Description:
The WinRM service failed to create the following SPNs: WSMAN/dcname.domain.tld; WSMAN/dcname.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.

I was getting this error at startup on new 2008 R2 Domain Controllers. Apparently WinRM attempts to create 2 SPNs (WSMAN/dcname.domain.tld and WSMAN/servername) after the startup process.

Since WinRM runs under the “Network Service” account, I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to NETWORK SERVICE using ADSIEDIT.msc. This will allow WinRM to auto-create the necessary SPNs on that domain controller. After granting this permission, re-sync all DCs and reboot each domain controller where you made the change. A couple of minutes after that reboot you’ll see that the warning is gone and the required SPNs were created successfully.

Note: I didn’t have the WinRM IIS Extension installed, but I still saw the warning message. If you plan to use the WinRM IIS Extension, you need to use “Add features” from Server Manager, reboot the system and run WinRM from cmd to configure it (e.g. WinRM qc).

To learn more about SPNs, click here and here.
To learn more about WinRM, click here and here.
To learn more about the Network Service account, click here and here.

🙂


Written by IT Core

January 2, 2010 at 12:00 AM
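A read-only way to confirm what the change above left behind, as an added example that is not the author's own code: it reports which of the two WSMAN SPNs from the event are still missing and which allow ACEs on the DC's computer object let NETWORK SERVICE perform the validated SPN write. It assumes the ActiveDirectory PowerShell module is available; the function name `Test-WinRMSpnState` is hypothetical and `dcname` is the placeholder host name from the event text.

```powershell
# Added example: audits the state only, changes nothing in the directory.
# Assumption: the ActiveDirectory module is installed (it provides the AD: drive).
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Rights GUID of the "Validated write to service principal name" validated write.
$ValidatedSpnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
# Well-known SID of NT AUTHORITY\NETWORK SERVICE (independent of OS language).
$NetworkServiceSid = 'S-1-5-20'

function Test-WinRMSpnState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $dc = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName, dNSHostName

    # The two SPNs named in event 10154: FQDN form and short-name form.
    $expected = @("WSMAN/$($dc.dNSHostName)", "WSMAN/$($dc.Name)")
    $missing  = @($expected | Where-Object { $dc.servicePrincipalName -notcontains $_ })

    # Ask for SIDs rather than names so the comparison cannot be fooled by
    # localized or look-alike account names.
    $acl   = Get-Acl -Path "AD:\$($dc.DistinguishedName)"
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $self  = [int][System.DirectoryServices.ActiveDirectoryRights]::Self

    $aces = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $NetworkServiceSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $self) -ne 0) -and
        # An empty ObjectType means "all validated writes", which also covers SPN.
        ($_.ObjectType -eq $ValidatedSpnGuid -or $_.ObjectType -eq [Guid]::Empty)
    })

    New-Object PSObject -Property @{
        Computer        = $dc.DistinguishedName
        MissingSpns     = $missing
        GrantingAces    = $aces | Select-Object ActiveDirectoryRights, ObjectType, IsInherited
        SpnWriteGranted = ($aces.Count -gt 0)
    }
}

# 'dcname' is the placeholder host name used in the event above.
Test-WinRMSpnState -ComputerName 'dcname' | Format-List
```

The `IsInherited` column shows whether a matching ACE was set directly on the computer object or comes from a parent container, which is the first thing to check when reviewing this permission across several domain controllers.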

10 Responses


  1. How did you grant the permission to NETWORK SERVICE in adsiedit.msc? What object did you select the security tab so you could set permissions for NETWORK SERVICE? Thanks.

    You wrote:
    “I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to the NETWORK SERVICE using the ADSIEDIT.msc.”

    wysiwyg

    March 8, 2010 at 4:02 AM

    • Hi,
      Use ADSIEDIT.msc, choose Default naming context and scroll down to the Domain Controllers OU. Right-click the Domain Controller object that is showing the warnings and select Properties. Select the Security tab and click the Advanced button. In the Advanced Security Settings menu, click Add, type Network Service and hit OK. After that you’ll see the menu that is shown in this blog entry 🙂

      IT Core

      March 8, 2010 at 11:04 PM

      • Thanks for the update!

        wysiwyg

        March 9, 2010 at 2:48 AM

      • Worked for me! Thanks for publishing this tip.

        PizzaGeek

        April 23, 2010 at 6:52 PM

      • I’d rather know the reason why it’s occurring and if the network service is supposed to have these rights by default. Otherwise it feels like changing it would be the wrong thing to do

        andy

        December 24, 2010 at 12:42 AM

  2. Thanks! It was very useful.

    Matyas

    April 27, 2010 at 10:50 AM

  3. Got this after I rebooted the primary 2003 DC on my forest. I have never seen this before and all google hits on this lead to fairly new reports, so I reckon it is caused by some update.

    Sepp

    April 28, 2010 at 4:31 PM

  4. I have followed this and it has got rid of the error message. Great.

    Following the instructions I get the feeling I have just created a system account of some sort with ADSIEdit. In Fact I can now see there are two NETWORK SERVICE accounts, one inherited from my domain and the new one I have created.

    Should I be concerned that I have created an account that Windows should or may try to in the future and fail causing some future instability?

    Jo

    Jo Cox

    May 5, 2010 at 1:28 PM

