Hello everyone,
I have a question about file share SPNs for shares on domain controllers. Due to some issues with Kerberos delegation - the infamous "bad option" errors related to missing service identities in web.config endpoints which then defaults to WP's UPN and triggers Kerberos SPN negative caching in IIS, I enabled Kerberos verbose logging for all member servers. This also helped me to identify lots of missing SPNs by using SCOM to alert me about Principal Unknown errors. One of those which I see a lot is when servers look up an SPN for CIFS/domain.com. I assume the servers are connecting to domian controllers shares to download GPOs and are trying to authenticate through Kerbeors. I've been wondering if it's possible to register a CIFS SPN for the domain and where to do it in order to enable Kerberos authentication for access to these shares.
Would it work if I register it under PDCe and delegate it to other DCs?
Thanks
Zoran