Windows Error Target Account Name Is Incorrect



I log in to my Windows 10 PCs (one desktop and one laptop) using my Microsoft account credentials. The login works fine except for the fact that the account display name is my email address (my login user name) and not my Full Name. Checking with my online account details, the correct Full Name is listed, but it does not show on the PCs. The target principal name is incorrect. Once he clicked YES the warning message went away, but as soon as Outlook is restarted he received the same warning message again. The problem here lies in a different mail server name being used than the name the certificate has been issued to. Out if you have access permissions. Logon failure: the target account name is incorrect. A reboot will usually fix the problem, but sometimes it takes multiple reboots. There are perhaps 60 machines on the domain, but only a few are having this problem.

Windows Error Target Account Name Is Incorrect Posted by Barac in SQL Server, SQL Tips and Tricks on Jan 12th, 2018 | 2 comments

One of our old SQL servers was running under the Local System context. We then decided to change the account that the SQL service runs under, and we created a domain service account with basic domain user permissions.

Eventually, we ended up with the following error when trying to access our SQL Server remotely.

SQL Server SPN Creation

To run the SQL Server service you can use the Local System account, a local user account or a domain user account. If you are using the Local System account to run your SQL service, the SPN will be registered automatically. However, if you are using a domain account to run the SQL Server service and that domain user has only basic user permissions (as in our case), the computer will not be able to create its own SPN.

If you are using a domain administrator account, you will not have any problems. The SPN will be created successfully, since the domain account you are using to run the SQL Server service has domain administrator-level credentials.

There are a couple of solutions for this problem.

  • You can elevate permissions and use a domain admin account for your SQL Server service (not recommended).
  • You can manually create an SPN for the computer that is running SQL Server and assign that SPN to the service account of the SQL Server service on that machine.
  • You can use a basic domain user account with elevated permissions (Write all properties, Write msDS-PrincipalName).

Note that you can have only one SPN, and it must be assigned to the appropriate domain/local account (the current SQL Server service account).

Manually create SPN

There is a really good article by Microsoft on how to configure SPNs for SQL Servers.

  • Open cmd and list your current SPNs

setspn -l servername

SPN for the NetBIOS name of the SQL Server will look like: MSSQLSvc/SQLServerName:1433

SPN for the FQDN of the SQL Server will look like: MSSQLSvc/SQLServerFQDName:1433

In my case I have just the default instance, so I need to change only those with port number 1433. If you have a named instance, the port number depends on the previous SQL Server configuration.


  • To change the SQL Server service account from Local System to a domain user account, remove the current SPN MSSQLSvc/SQLServerName:1433 from the computer account and add it to the domain account.

setspn -D MSSQLSvc/SQLServerName:1433 SQLServerName

setspn -A MSSQLSvc/SQLServerName:1433 DomainAccount

  • You can verify that the domain user's SPN is registered correctly with the following command:

setspn -L DomainAccount
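The check behind the steps above, as an added example that is not part of the original post: it parses `setspn -L` output for the computer account and the service account and reports every MSSQLSvc SPN that is still on the wrong account or registered twice, with the `setspn` commands that would fix it. The sample output, domain and OU names are constructed, and `setspn -S` is used in place of the post's `-A` because it checks for an existing registration before adding.

```python
import re
from collections import defaultdict

# Constructed `setspn -L` output (computer account, then service account);
# the domain and OUs are placeholders, not values from the post.
SAMPLE = (
    "Registered ServicePrincipalNames for CN=SQLSERVERNAME,OU=Servers,DC=example,DC=test:\n"
    "\tMSSQLSvc/SQLServerName.example.test:1433\n"
    "\tMSSQLSvc/SQLServerName:1433\n"
    "\tHOST/SQLServerName\n"
    "Registered ServicePrincipalNames for CN=DomainAccount,OU=Svc,DC=example,DC=test:\n"
    "\tMSSQLSvc/SQLServerName:1433\n"
)
HEADER = re.compile(r"^Registered ServicePrincipalNames for CN=([^,]+),.*:\s*$")

def parse_setspn(text):
    """Map each account name (the CN in the header line) to the SPNs under it."""
    owners, current = defaultdict(list), None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip():
            owners[current].append(line.strip())
    return dict(owners)

def audit(owners, service_account, service_class="MSSQLSvc"):
    """Return (spn, problem, fix_commands) for each SPN of service_class that is
    not held by service_account alone. SPNs are compared case-insensitively."""
    holders = defaultdict(list)
    for account, spns in owners.items():
        for spn in spns:
            if spn.split("/", 1)[0].lower() == service_class.lower():
                holders[spn.lower()].append((account, spn))
    findings = []
    for key in sorted(holders):
        accounts = [a for a, _ in holders[key]]
        wrong = [a for a in accounts if a.lower() != service_account.lower()]
        if not wrong:
            continue
        spn = holders[key][0][1]
        fix = [f"setspn -D {spn} {a}" for a in wrong]
        if len(wrong) == len(accounts):  # service account does not hold it yet
            fix.append(f"setspn -S {spn} {service_account}")
        problem = "duplicate" if len(accounts) > 1 else "wrong account"
        findings.append((spn, problem, fix))
    return findings
```

Calling `audit(parse_setspn(SAMPLE), "DomainAccount")` on the constructed sample flags the FQDN SPN as still held by the computer account and the NetBIOS SPN as registered on both accounts.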


Write all properties permissions, Write msDS-PrincipalName

Another option is to elevate permissions for the domain user you are using to run the SQL Server service. Of course, you will need AD access to accomplish this.

  • Open Active Directory Users and Computers (with Advanced Features enabled)
  • Select the user and choose Properties
  • Select the Security tab
  • Select Advanced settings
  • Add a new permission entry
  • Choose the “Read all properties” permission
  • Select the “Write msDS-PrincipalName” property

Those permissions should be enough to allow that domain user to create SPN.


I'm baffled.
In our lab, which is a duplicate of our production environment, an OU containing all the regular user accounts was deleted accidentally on April 21st. It wasn't noticed until the next day and the deletion had replicated.
On one of the DCs I booted into directory restore mode and restored the system state from a backup that was run on April 20th. It likely wasn't required, but before rebooting I went into ntdsutil and authoritatively restored that OU, and it went ahead and incremented the ~4300 objects within it without error.
After rebooting, however, it will not replicate with any existing DC, and if I try and do a net view to the restored DC from another DC or connect to SERVER1 I get the message that the target account name is incorrect. On the other DCs the following event is being recorded:



Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 4/27/2006
Time: 4:46:00 PM
User: N/A
Computer: SERVER2
Description:
The session setup from the computer SERVER1 failed to authenticate. The name of the account referenced in the security database is SERVER1$. The following error occurred:
Access is denied.




Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 4/27/2006
Time: 4:51:47 PM
User: N/A
Computer: SERVER3
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/server1.domain.fqdn. The target name used was ldap/SERVER1.DOMAIN.FQDN. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (DOMAIN.FQDN), and the client realm. Please contact your system administrator.


I'm at a loss for how to fix this. I need to get this restored DC up so it can replicate the 4000+ users back into the domain.