Hello experts,
I have DFS-N (DFS Namespace) set up with a domain-based namespace. Currently there is a single namespace server, which also happens to be a DC.
After disabling NTLM on a test workstation (to test/enforce Kerberos), attempts to access \\namespace popped up credential prompts, which was determined to be due to a ‘missing’ SPN.
Manually registering the SPN (via setspn -S HOST/namespace namespace_server) resolved the credential prompt and allowed access to the namespace; however, two problems remain:
- The manually registered SPN ‘disappears’ (i.e. it is being programmatically removed). I haven’t timed it, but so far three mornings in a row I’ve had to re-register the ‘missing’ SPN.
Does anyone have suggestions on why this might be happening / where I could look to diagnose/resolve this?
- I would like to add a second namespace server but then won’t be able to register the SPN against multiple computer objects. Presumably the answer is to use a shared service account setup of some kind? There are a few random Reddit posts on this topic, but somewhat surprisingly I am unable to find any authoritative information from Microsoft on DFS-N with Kerberos or the use of service accounts. Have I missed something? Does anyone have any guidance or advice to offer?
Thanks,
David
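An added diagnostic script for the situation described above (example code, not part of the original post). It checks whether the HOST SPNs for the namespace name are present on the namespace server's computer object, looks for the same SPN registered on any other object (an SPN must be unique in the forest, which is the usual reason setspn -S refuses a registration), re-adds any missing SPN, and then searches a domain controller's Security log for directory-service-change events (ID 5136) that touched servicePrincipalName on that computer object, so the account and time of each removal can be seen. The names `namespace`, `corp.example.com` and `NS01` are placeholders and must be changed to match the real environment; the 5136 search only returns results if the "Audit Directory Service Changes" subcategory is enabled and the computer object carries a SACL for attribute writes.

```powershell
# Added example, not code from the original post. Requires the RSAT ActiveDirectory module.
# Placeholder values (change to match your domain):
$NamespaceHost   = 'namespace'            # the name clients type after \\
$DomainDns       = 'corp.example.com'     # hypothetical domain FQDN
$NamespaceServer = 'NS01'                 # hypothetical namespace server (computer name without $)

Import-Module ActiveDirectory

# SPNs a Kerberos client will request for \\namespace and \\namespace.corp.example.com
$WantedSpns = @(
    "HOST/$($NamespaceHost)",
    "HOST/$($NamespaceHost).$($DomainDns)"
)

function Get-NamespaceSpnState {
    # Reports which of the wanted SPNs are currently present on the server's computer object.
    $computer = Get-ADComputer -Identity $NamespaceServer -Properties servicePrincipalName
    foreach ($spn in $WantedSpns) {
        [pscustomobject]@{
            Spn     = $spn
            Present = ($computer.servicePrincipalName -contains $spn)
        }
    }
}

function Find-SpnConflict {
    # Warns if a wanted SPN is also registered on some other object; duplicates break Kerberos
    # for both holders and cause 'setspn -S' to refuse the addition.
    foreach ($spn in $WantedSpns) {
        Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
            Where-Object { $_.Name -ne $NamespaceServer } |
            ForEach-Object { Write-Warning "SPN $spn is also registered on $($_.DistinguishedName)" }
    }
}

function Repair-NamespaceSpn {
    # Re-adds any missing SPN; equivalent to: setspn -S HOST/namespace NS01
    $missing = Get-NamespaceSpnState | Where-Object { -not $_.Present } | Select-Object -ExpandProperty Spn
    if ($missing) {
        Set-ADComputer -Identity $NamespaceServer -ServicePrincipalNames @{ Add = $missing }
        Write-Host "Added: $($missing -join ', ')"
    } else {
        Write-Host 'All wanted SPNs are present.'
    }
}

function Find-SpnChangeEvents {
    # Searches a DC's Security log for event 5136 ("A directory service object was modified")
    # entries whose message names servicePrincipalName and the namespace server's DN.
    # The message body of 5136 includes the subject account and whether the operation was a
    # 'Value Added' or 'Value Deleted', which is what identifies who removed the SPN.
    param(
        [string]$DomainController = (Get-ADDomainController).HostName,
        [int]$Days = 7
    )
    $dn = (Get-ADComputer -Identity $NamespaceServer).DistinguishedName
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 5136
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'servicePrincipalName' -and
            $_.Message -match [regex]::Escape($dn)
        } |
        Select-Object TimeCreated, Message
}

# Usage: run on a machine with RSAT as an account allowed to read the Security log on the DC.
Get-NamespaceSpnState | Format-Table -AutoSize
Find-SpnConflict
Repair-NamespaceSpn
Find-SpnChangeEvents -Days 7 | Format-List
```

Because domain controllers each keep their own Security log, run Find-SpnChangeEvents against every DC (or the one holding the PDC emulator role if changes are typically made there) when the first search returns nothing.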