Problem Description
An application calls CreateObject to activate a COM+ component or a DCOM server component that runs on a remote machine. The call to CreateObject may fail with error 80070721, which translates to "A security package specific error occurred." Both machines run Windows Server 2008 or Vista.
Cause
If you capture a network trace with Microsoft Network Monitor, you will see a Kerberos error similar to this:
172.17.10.21 172.17.10.17 KerberosV5 KerberosV5:TGS Request Realm: <domain> Sname: DCOMServiceAccount
172.17.10.17 172.17.10.21 KerberosV5 KerberosV5:KRB_ERROR - KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
DCOMServiceAccount is the identity of the COM+ application or the DCOM server application.
Resolution
Registering the following SPNs should work around the issue:
setspn -A DCOMService/DCOMServer Domain\DCOMServiceAccount
setspn -A DCOMService/DCOMServerFQDN Domain\DCOMServiceAccount
DCOMService: The name of the COM+ application or the DCOM server application.
DCOMServer: The NetBIOS name of the server machine where the COM+ application or the DCOM component resides.
DCOMServerFQDN: The Fully Qualified Domain Name of the server machine where the COM+ application or the DCOM component resides.
DCOMServiceAccount: The identity of the COM+ application or the DCOM server application.
To run setspn.exe to register an SPN for a domain account, you need to be a domain admin. Setspn.exe can be run on any machine in the domain.
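An SPN that is already registered on a different account causes its own Kerberos failures, so it is worth checking who holds each SPN before adding it. The following PowerShell sketch is an added example, not part of the original article: it uses the article's placeholder names (replace them with real values), looks up each SPN in the current domain, and registers it with setspn -S, the variant of -A that refuses to add a duplicate.

```powershell
# Added example. The four values below are the article's placeholders;
# replace them with your own names before running as a domain admin.
$Service    = 'DCOMService'                 # COM+ / DCOM application name
$Server     = 'DCOMServer'                  # NetBIOS name of the server
$ServerFqdn = 'DCOMServerFQDN'              # FQDN of the server
$Account    = 'Domain\DCOMServiceAccount'   # identity of the application

# sAMAccountName part of the account, used to compare against directory results.
$sam = $Account.Split('\')[-1]

foreach ($spn in "$Service/$Server", "$Service/$ServerFqdn") {
    # Find every object in the current domain that already carries this SPN.
    # (Names containing LDAP filter metacharacters would need escaping.)
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $holders  = @($searcher.FindAll() |
                  ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if ($holders.Count -eq 0) {
        Write-Host "$spn is not registered; adding it to $Account"
        # -S checks the domain for duplicates before adding the SPN.
        setspn -S $spn $Account
    }
    elseif ($holders.Count -eq 1 -and $holders[0] -eq $sam) {
        Write-Host "$spn is already registered on $Account"
    }
    else {
        # Registered elsewhere: adding it again would create a duplicate SPN.
        Write-Warning "$spn is held by: $($holders -join ', '). Resolve this before registering."
    }
}

# Show the SPNs now registered on the service account.
setspn -L $Account
```

The lookup covers only the domain of the machine it runs on; in a multi-domain forest, run `setspn -X` as well to report duplicate SPNs.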