1

As the title indicates, on Windows 2008 R2, use of SETSPN -L domain\account returns Ldap Error(0x22 -- Invalid DN Syntax): ldap_search_s

What little information I could find says the domain\account may contain an 'invalid' character in its name. However, I do not have sufficient privileges on the domain or forest to change the account's information in Active Directory.

Is there anything else I should check or might be able to do to get a list of SPNs registered to the account?

Zarepheth
  • 153
  • I have a domain account with a $ symbol in it, i.e. DOMAIN\$zz_anaccount and I also get the error. I have not found out how I can 'escape' it though. I certainly can't change the name of it. Quite annoying. – Nick.Mc Jan 19 '16 at 07:45
  • Related: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/just-another-odd-error/ba-p/243123 – kevinarpe Jan 06 '22 at 11:31

1 Answer

2

What I have discovered about this error message is that if the DN has an extra comma in it, you may have issues listing the SPNs.

For example, I had these problems with a DN CN=Reporting\, Domain,OU=Users,DC=domain,dc=com. I had to rename/reformat the account so that it appeared as CN=Domain Reporting,OU=Users,DC=domain,dc=com. Then my problem went away.
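As an added example (not part of the question or answer above), a small Python checker that splits a distinguished name into its RDNs following RFC 4514 backslash escaping and flags RDN values, such as the `CN=Reporting\, Domain` case in the answer, that contain characters which must be escaped; the sample DNs are constructed from this thread, and the hex-pair decoding assumes ASCII values.

```python
# Added example, not code from the original thread: parse an LDAP DN per
# RFC 4514 escaping rules and report RDN values that contain characters
# requiring a backslash escape. An escaped comma inside a CN is what the
# answer above associates with setspn's "Invalid DN Syntax" error.

HEXDIGITS = set("0123456789abcdefABCDEF")
# Characters that must be escaped inside an RDN attribute value (RFC 4514 2.4).
SPECIAL_CHARS = set(',+"\\<>;')


def split_dn(dn: str) -> list[tuple[str, str]]:
    """Return [(attribute_type, value), ...] with escapes resolved.

    Only ',' separates RDNs; '\\,' and '\\2C' are kept inside the value.
    Multi-valued RDNs joined with '+' are not split (assumption: not needed here).
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEXDIGITS for c in pair):
                buf.append(chr(int(pair, 16)))  # hex escape, e.g. \2C for ','
                i += 3
            else:
                buf.append(dn[i + 1])  # single-char escape, e.g. \, or \\
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        parsed.append((attr.strip(), value))
    return parsed


def needs_escaping(value: str) -> bool:
    """True if an RDN value contains a character RFC 4514 requires escaping."""
    if not value:
        return False
    if value[0] in ("#", " ") or value[-1] == " ":  # leading '#'/space, trailing space
        return True
    return any(c in SPECIAL_CHARS for c in value)


def risky_rdns(dn: str) -> list[str]:
    """List the RDN values of a DN that would need escaping when re-serialised."""
    return [v for _, v in split_dn(dn) if needs_escaping(v)]
```

Running `risky_rdns` over an account's distinguishedName before calling setspn shows whether its CN is one of the comma-containing values the answer describes.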