Unable to locate the account: Fix call to DsGetDcNameWithAccount failed with return value 0x0000054B

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account, even if the client does not have the account name.In this article, we shall discuss “Unable to locate the account: Fix call to DsGetDcNameWithAccount failed with return value 0x0000054B”. Learn about the various types of Kerberos delegations.

Setspn is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed.

Also, see how to perform redirection from HTTP to HTTPS. Also see how to configure SSL between WSUS upstream and downstream servers, and how to set up and configure Windows server update services (WSUS).

How to run SPN in Elevated Mode

To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

The following error could be a result of many other issues. In my case, I had no permission issue. The environment and service accounts were all available and correctly configured to run the SPN command.

Yet it failed with the following error “FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B. Unable to locate account MBAM-IISAP-SVC”

Note: If you do not have administrative rights to create SPNs, you must ask the Domain administrators in their Organisation Administrators in your organisation to create the SPN for you by using the following command. To set this for your NetBIOS hostname, use the command below.

Kindly refer to the following related contents: Event ID 5059: Application pool has been disabled or Changing identity user for IIS Application Pool, and how to install Pleasant Password Server.

Solution

Please review the SPN command you are using to set (register) the Service Principal Name (SPN) for the hostname or FQDN under the domain account.

As you can see in the image above, I had an error in the account name. I was using “techdirectarchive\MBAM-IISAP-SVC” instead of “techdirectarchi\MBAM-IISAP-SVC”. This can be very difficult to spot if you have used to a specific domain account name. Upon noticing this, I ran the command again and it was successful.

setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC

This will enable the MBAM server to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal.

You must register a Service Principal Name (SPN) for the hostname or FQDN under the domain account that you are using for the web application pool “in my case MBAM-IISAP-SVC”. 

To see the list SPNs registered to target accounts for the specific server, please run the following.

SETSPN -L mbamserv1

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account. 

I hope you found this blog post helpful on “Unable to locate the account: Fix call to DsGetDcNameWithAccount failed with return value 0x0000054B”. If you have any questions, please let me know in the comment session.