I was getting an error at startup on a new Windows 2008 R2 Domain Controller (DOM002). Apparently the WinRM service attempts to create two SPNs (WSMAN/DOM002.EN.LOCAL and WSMAN/DOM002) at startup.
Log Name: System
Source: Microsoft-Windows-WinRM
Event ID: 10154
Level: Warning
Keywords: Classic
User: N/A
Description:
The WinRM service failed to create the following SPNs: WSMAN/DOM002.EN.LOCAL; WSMAN/DOM002.
Additional Data
The error received was 8344: %%8344.
User Action
The SPNs can be created by an administrator using setspn.exe utility.
Since WinRM runs under the “Network Service” account, I was able to fix this warning by granting the “Validated Write to Service Principal Name” permission to NETWORK SERVICE using ADSIEDIT.msc. This allows WinRM to automatically create the necessary SPNs on the domain controller.
Use PowerShell or cmd to accomplish the same result:
dsacls "CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL" /G "S-1-5-20:WS;Validated write to service principal name"
Or you could make the appropriate adjustments through ADSIEDIT.
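To confirm the grant afterwards, the ACL can be checked for an Allow entry giving S-1-5-20 the validated write on Validated-SPN. The following is an added example, not part of the original post; the function name Test-ValidatedSpnWrite and the sample ACEs are constructed for illustration, and the commented live query assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: look for an Allow "Self" (validated write) ACE covering
# Validated-SPN for a given SID in a list of access rules.
Add-Type -AssemblyName System.DirectoryServices

$ValidatedSpnGuid  = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated-SPN right
$NetworkServiceSid = 'S-1-5-20'                                    # NETWORK SERVICE

function Test-ValidatedSpnWrite {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        [string] $Sid = $NetworkServiceSid
    )
    $self = [System.DirectoryServices.ActiveDirectoryRights]::Self
    foreach ($a in $Ace) {
        if ([string]$a.IdentityReference -ne $Sid)    { continue }
        if ([string]$a.AccessControlType -ne 'Allow') { continue }
        $rights = [System.DirectoryServices.ActiveDirectoryRights]$a.ActiveDirectoryRights
        if (-not $rights.HasFlag($self))              { continue }
        # An empty ObjectType GUID means the ACE covers every validated write.
        if ($a.ObjectType -eq $ValidatedSpnGuid -or $a.ObjectType -eq [guid]::Empty) {
            return $true
        }
    }
    return $false
}

# Constructed sample ACEs (not real directory data): state before the grant.
$before = @(
    [pscustomobject]@{ IdentityReference = 'S-1-5-10'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'Self'; ObjectType = $ValidatedSpnGuid },
    [pscustomobject]@{ IdentityReference = 'S-1-5-20'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = 'ReadProperty'; ObjectType = [guid]::Empty }
)
# Same list with the ACE that the dsacls command adds.
$after = $before + [pscustomobject]@{
    IdentityReference = 'S-1-5-20'; AccessControlType = 'Allow'
    ActiveDirectoryRights = 'Self'; ObjectType = $ValidatedSpnGuid }

'Before grant: {0}' -f (Test-ValidatedSpnWrite -Ace $before)
'After grant:  {0}' -f (Test-ValidatedSpnWrite -Ace $after)

# Against a live directory (assumes the ActiveDirectory module), with
# identities returned as SIDs so the check does not depend on localized names:
#   Import-Module ActiveDirectory
#   $acl = Get-Acl 'AD:\CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL'
#   $sidType = [System.Security.Principal.SecurityIdentifier]
#   Test-ValidatedSpnWrite -Ace @($acl.GetAccessRules($true, $true, $sidType))
```

Once the check passes and the WinRM service has restarted, setspn -L DOM002 should list the two WSMAN SPNs named in the event.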