For the past 2 days I have been troubled by a very simple daily task that just would not work. I needed to add 2 SPNs (HTTP/SVR1 & HTTP/SVR1.acme.com) from Account1 into the allow delegation tab of Account2 in AD.
The error “The directory datatype cannot be converted to / from a native DS datatype” kept popping up whenever I tried to add the SPNs to Account2. These are the checks and facts of the case:
- There are already SPNs with allow delegation on account2 (so no issues with adding delegation)
- I could add other SPNs from account1 into the allow delegation of account2 (only the problem SPNs are not possible)
- I deleted the problem SPNs, added them to another account and tried to add that to account2, and encountered the same error (weird huh?)
- However, I could add the problem SPNs to allow delegation on another account, e.g. account3, but just never account2 (even weirder!)
- The SPNs are not listed in account2 nor already in the allowed delegation list
- There are no duplicated SPNs
This is a really strange issue and the internet is no help, with a lot of stupid answers. Many posts point to this MSKB, http://support.microsoft.com/kb/889100, but we are already running above SP1 and the only other MSKB that is remotely close is http://support.microsoft.com/kb/907462
So I took a dump with LDIFDE for account2, but did not find anything wrong with the attributes. Being at my wits' end, I had to use the brute force method…
What we are interested in is msDS-AllowedToDelegateTo. A good thing about this attribute is that its values are just text strings. So I went into ADSIEdit, looked up the properties of account2 and the attribute msDS-AllowedToDelegateTo, clicked Edit and added the two troublesome SPNs to account2.
Fingers crossed that this works for the applications folks.
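The same direct edit of msDS-AllowedToDelegateTo can be scripted with the ActiveDirectory module instead of ADSIEdit. This is an added example, not the post's own steps; the account names and SPNs are placeholders, and it repeats the post's "no duplicated SPNs" check before touching the attribute.

```powershell
# Added example (not from the original post): set msDS-AllowedToDelegateTo on
# Account2 directly, the attribute the post edits by hand in ADSIEdit.
# Account names and SPNs below are placeholders.
Import-Module ActiveDirectory

$target = 'Account2'                              # account that will be allowed to delegate
$source = 'Account1'                              # account that owns the SPNs
$spns   = @('HTTP/SVR1', 'HTTP/SVR1.acme.com')

# Check 1: each SPN must be registered on exactly one object, and that object
# must be the expected source account. A duplicate SPN breaks Kerberos for
# that service regardless of what the delegation list says.
foreach ($spn in $spns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    if ($owners.Count -ne 1) {
        throw "SPN $spn is registered on $($owners.Count) objects; expected exactly one."
    }
    if ($owners[0].Name -ne $source) {
        throw "SPN $spn is owned by $($owners[0].Name), not $source."
    }
}

# Check 2: read the current list so only the missing entries are added.
$acct    = Get-ADObject -Filter "sAMAccountName -eq '$target'" -Properties 'msDS-AllowedToDelegateTo'
$current = @($acct.'msDS-AllowedToDelegateTo')
$missing = @($spns | Where-Object { $current -notcontains $_ })

if ($missing.Count -gt 0) {
    # -Add appends to the multi-valued attribute without replacing existing entries.
    # Dry run first; remove -WhatIf once the planned change looks right.
    Set-ADObject -Identity $acct -Add @{ 'msDS-AllowedToDelegateTo' = $missing } -WhatIf
} else {
    Write-Output "All requested SPNs are already in msDS-AllowedToDelegateTo on $target."
}

# Verify: the values come back as plain strings, as the post notes.
(Get-ADObject -Identity $acct -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Every entry in this list lets the account impersonate users to that service, so keep it to the SPNs the application actually needs and review it when the service is decommissioned.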