Mark Minasi's Tech Forum
#1 Matthew (New Friend (or an Old Friend who Built a New Account), Posts: 19)
I am in the process of upgrading from FIM to MIM and one of the steps is to set some SPNs.

Example -

setspn -S HTTP/portal.FullyQualifiedDomain domain\SharePointServiceAccount

setspn -S HTTP/portal domain\SharePointServiceAccount

setspn -S FIMService/portal.FullyQualifiedDomain domain\MIMServiceAccount (the Service account for the MIM service/web portal)

setspn -S FIMService/portal domain\MIMServiceAccount

I can run setspn -l against the service accounts and see the SPNs.

Next step is to go into ADUC, look up the service accounts and delegate the MIMServiceAccount to both the SharePoint service account and the MIM service account.

Look up the account, right click and choose Properties. Then on the Delegation tab, set "Trust this user for delegation to specified services only", then select "Use Kerberos only", then click Add to search for the MIM service account and add the SPNs set in the first step.

If there are both fully qualified hostnames and non fully qualified ones, only the non fully qualified hostnames appear. To see and be able to add the fully qualified hostname, I have to actually delete the SPN for the non fully qualified name, add the fully qualified one, then recreate the non fully qualified SPN.

When I then go back to add the non fully qualified one and click Apply, I get the following error:

"The following Active Directory Domain Services error occurred: The directory datatype cannot be converted to/from a native DS datatype"

I am googling but nothing is returning that is helpful or strikes me as a safe option for production.

Curious if any of you have run into this, or have any ideas that may help troubleshoot this.

Lastly, I did not run into this in the lab. In the lab I could select both fully and non fully qualified hostnames, add them to the delegation, click Apply and move on.

I can technically get by with just fully qualified entries, but I don't like moving on with an error that I don't yet understand or have resolved/fixed.
#2 wkasdo (Administrator, Posts: 235)
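The delegation setup described above (SPNs registered in step one, then "specified services only" with "Use Kerberos only" on the two front-end accounts), done as a script rather than through the ADUC delegation tab. This is an added example, not code from the thread; the account names and SPNs are the placeholders from the first post, and it assumes the RSAT ActiveDirectory module and an account permitted to write msDS-AllowedToDelegateTo.

```powershell
# Added example (not from the thread): constrained delegation without the ADUC GUI.
# Assumptions: placeholder account names/SPNs from the first post; run on a domain-joined
# host with the ActiveDirectory module, as an identity allowed to write the attributes below.
Import-Module ActiveDirectory

# SPNs of the MIM service that the front-end accounts may delegate to.
# Both forms are listed because a client may present either name.
$targetSpns = @(
    'FIMService/portal.FullyQualifiedDomain',
    'FIMService/portal'
)

# Accounts that receive "trust this user for delegation to specified services only".
$delegatingAccounts = @('SharePointServiceAccount', 'MIMServiceAccount')

function Assert-SpnRegistered {
    param([string]$Spn)
    # Constrained delegation only resolves if the target SPN exists on exactly one account;
    # a missing or duplicate SPN is the usual cause of silent Kerberos failures.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
    if ($owners.Count -eq 0) { throw "SPN $Spn is not registered on any account" }
    if ($owners.Count -gt 1) { throw "SPN $Spn is registered on more than one account (duplicate)" }
}

$targetSpns | ForEach-Object { Assert-SpnRegistered -Spn $_ }

foreach ($acct in $delegatingAccounts) {
    $user = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation

    # "Specified services only" + "Use Kerberos only": unconstrained delegation off,
    # protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION, UAC 0x1000000) off.
    if ($user.TrustedForDelegation -or $user.TrustedToAuthForDelegation) {
        Set-ADAccountControl -Identity $user -TrustedForDelegation $false -TrustedToAuthForDelegation $false
    }

    # Add only the SPNs that are not already present so the script is safe to re-run.
    $existing = @($user.'msDS-AllowedToDelegateTo')
    $missing  = @($targetSpns | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADUser -Identity $user -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
    }

    # Read back what AD actually stored, independently of what the ADUC tab displays.
    $check = Get-ADUser -Identity $acct -Properties msDS-AllowedToDelegateTo
    '{0}: {1}' -f $acct, (@($check.'msDS-AllowedToDelegateTo') -join ', ')
}
```

Reading msDS-AllowedToDelegateTo back directly is also a quick way to tell whether a GUI error left the attribute partially written.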
>  The directory datatype cannot be converted to/from a native DS datatype"

That is a strange error. Troubleshooting this remotely is going to be hard [smile]

Suggestion: script it instead of relying on a GUI.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#3 donoli (Senior Member, Posts: 598)
https://support.microsoft.com/en-us/help/241981/err-msg-0x8000500c---the-active-directory-datatype-cannot-be-converted

Cause & work around script are there.
#4 wkasdo (Administrator, Posts: 235)
Quote:
Originally Posted by donoli
https://support.microsoft.com/en-us/help/241981/err-msg-0x8000500c---the-active-directory-datatype-cannot-be-converted

Cause & work around script are there.
This only applies directly after a schema change. Very badly written article, by the way.

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
#5 donoli (Senior Member, Posts: 598)
https://support.microsoft.com/en-us/help/907462/you-may-receive-a-the-directory-datatype-cannot-be-converted-to-from-a

I don't know if that article is any better. I should have posted both of them.
#6 Matthew (New Friend (or an Old Friend who Built a New Account), Posts: 19)
Quote:
Originally Posted by wkasdo
>  The directory datatype cannot be converted to/from a native DS datatype"

That is a strange error. Troubleshooting this remotely is going to be hard [smile]

Suggestion: script it instead of relying on an GUI.


Scripting might do it, but that is a workaround and I am concerned this may be a symptom of an ongoing issue we have observed with Kerberos and FIM's web portal that we have not been able to replicate or manually trigger, but rather happens randomly.

I only run into this stuff in production, not in the lab [frown]


Quote:
Originally Posted by wkasdo
This only applies directly after a schema change. Very badly written article, by the way.


I saw this KB prior to posting and asking you all for your thoughts, and came to the same conclusion.

Quote:
Originally Posted by donoli
https://support.microsoft.com/en-us/help/907462/you-may-receive-a-the-directory-datatype-cannot-be-converted-to-from-a

I don't know if that article is any better. I should have posted both of them.


This one doesn't feel familiar; not sure it came up in my searches. I will take a closer look at it. Thank you.
#7 Matthew (New Friend (or an Old Friend who Built a New Account), Posts: 19)
No resolution yet. My MS support contact thinks it may be an issue in the GUI tool (ADUC) simply not displaying correctly, but I am not so sure.

I will keep hacking away at this and if I figure anything out will share.