Windows print spooler making indecipherable kerberos spn request

Brass Contributor

I've been looking at eliminating NTLM use in my domain, and noticed that Windows clients' print spooler service is falling back to using NTLM to reach the print server. Digging deeper, it's making a request that I can't decipher at all...

 

"The service principal name (SPN) krbtgt/NT Authority@<my domainfqdn> is not registered, which caused Kerberos authentication to fail: 0x7. Use the setspn command-line tool to register the SPN."

 

Kerberos auth works for everything else in the domain, I'm ONLY seeing this from the print spooler.

3 Replies
I'm having the same issue. Any luck?
the print spooler runs as system, so it uses the HOST SPN. Make sure the server which has print services is a server and has the host spn for it's name registered
See the article below. Perhaps it will answer some of your questions.

A Print Nightmare Artifact - krbtgt/NT Authority
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/a-print-nightmare-artifact-kr...