Setting up an SPN and fixing the cannot verify the service principal name error when installing ForeFront Endpoint Protection

, , , , ,

We are currently in the process of trailing Forefront Endpoint Security along with our SCCM Deployment.  So after a few weeks of tweaking we have got our systems center deployment to a level where we are happy with it, it was time to begin installing and testing Forefront.

After beginning our installing and answering a few questions the setup begins to validate some per-requisites. Apart from having reporting services installed and configured on a SQL Server you also need to have the service account for SQL Server to be publishing its existence via a Service Principal Name or SPN. If the account doesn’t have a valid SPN entry then you will receive the following message during the per-requisites check of the Forefront setup.

Setup cannot verify the service principal name (SPN) for this account.
Ensure that there is a single valid SPN entry for this account in the
Active Directory Domain Services.

So how do we go about adding an SPN entry. We will use sqlservice as our user account. We can either do this via ADSIedit or the command prompt. Open up an elevated command prompt and enter the following command:

setspn -a MSSQLSvc/sqlserver.fqdn domain\sqlservice

with MSSQLSvc being the protocol, sqlserver the name of the Server hosting SQL Services along with your fully qualified domain name and finally the account you wish to add the SPN entry for. To check that you have successfully added the spn you can do the following:

setspn -l domain\sqlservice

which will list the account along with SPNs being advertised for that particular account.

The quicker way would be to run ADSIedit, find the account you wish to add the SPN for, right click and go properties and then under the attribute editor. From there navigate down the list until you find servicePrincipalName and click edit. You can then enter the SPN in the same format as above, which is:

MSSQLSvc/sqlserver.fqdn

And there you have it, you can continue to install Forefront without any issues so long as you meet the other requirements of the setup.


One response to “Setting up an SPN and fixing the cannot verify the service principal name error when installing ForeFront Endpoint Protection”

  1. Shannon Avatar
    Shannon

    your slash is wrong in this command for server?

Leave a Reply

More Posts

Bypass Windows 11 TPM Setup Checks

Quick one – I’m doing some testing in my home lab environment with Windows 11 and this box doesn’t have a TPM (so it’s not enabled in Hyper-V). Booting up the Windows 11 iso and trying to install will tell you that it’s unsupported. To get around that, load the setup as normal and once […]

Adding a ToolTip to a Picture Control in VB.Net

So here is a quick one. I was recently developing a small application written in VB.Net and went to add a tool tip to a picture control displaying the Windows UAC Shield but found that I couldn’t.  So after a litle poke around I found that I could initialise the ToolTip method and apply to […]

New Year, New Theme

Quick one but I’ve spent a bit of time today cleaning up the backend and loaded a new theme.  I’ve also started to clean-up older articles to make sure the fit with the new theme and block editor of WordPress (as I’ve continued to use the “classic” style for quite some time).  More articles and […]