[German]I would like to address a small problem that may affect some administrators who use the Kerberos Configuration Manager for SQL Server. There is a bug in the tool that leads to errors when executing commands if a hyphen is used in NETBIOS names. Before anyone goes looking for a wolf, here is the relevant information.
Advertising
Blog reader Enrico pointed out the problem to me some time ago in a direct message on X – however, the information was not made available to me until the
Hey, I don't know if this is relevant to the Windows Admin world. But MS has a Kerberos tool for SQL which has a little bug that doesn't allow domain names with "-". By changing the IL.code with dnSpy it worked.
Enrico also sent me a link to the Microsoft Learn forum post Bug in "Kerberos Configuration Manager for SQL Server", it does't work if AD's NETBIOS name contains hyphen, where the problem was already described on March 1, 2024. The thread starter notes that the "Kerberos Configuration Manager for SQL Server" no longer works if NETBIOS names with a hyphen are used in AD. The user specifies the NETBIOS name "TEST-AD" as an example, which then generates the following error message:
Error: Access of User Principal information failed System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.However, if the NETBIOS name "TESTAD" is used, the Kerberos Configuration Manager for SQL Server works without any problems. The affected person states that the bug is probably in the RegEx evaluation in KerberosCM.WMIHelper (see following screenshot).
The post outlines an example where the NETBIOS name "XXXX-VIRHE" is converted to "VIRHE" by RegEx, which then leads to the error. According to the poster, there could be another error in the code. If you manually edit the return value to match the correct domain, the program seems to work. However, the user name is then displayed in the wrong format in the GUI (i.e. AD\ADMIN would be displayed instead of TEST-AD\Admin).
Advertising
Another user wrote that he changed the RegEx expression in the IL code with dnspy to also work with hyphens. The change is documented in the screenshot posted by the user in question. No idea if Microsoft will pick up on this and fix it.
