Veeam Support case #08047168: Failed to execute SPN registration for service class VeeamAgentWindows

[AZHARI]

Hi,

This is from Veeam Support case # 08047168

I'm currently facing an issue while configuring backups in Failover Cluster mode. The error in the backup job logs indicates a failure during the SPN (Service Principal Name) registration for the service class VeeamAgentWindows.

I've followed the troubleshooting steps provided by Veeam Support (as referenced below), but unfortunately, the issue persists:

https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://helpcenter.veeam.com/docs/backu ... ml?ver=120
https://learn.microsoft.com/en-us/sql/d ... r16#Manual

Has anyone else encountered a similar issue or found a solution to this? Any help or guidance would be greatly appreciated.

Here's the exact error message from the Svc.VeeamEndpointBackup.log:

From Svc.VeeamEndpointBackup.log, I see the below:
[14.04.2026 12:03:33] <04> Info Connecting to VBR in managed mode
[14.04.2026 12:03:33] <04> Info SPN registration: registering for computer account name 'HOSTNAME'
[14.04.2026 12:03:33] <04> Info Domain name: XXX.COM
[14.04.2026 12:03:33] <04> Info Use domain controller: XXXXXXX.XXX.COM
[14.04.2026 12:03:33] <04> Info Execute SPN registration for user 'CN=SA-KGP-VB-PRD-BKP,CN=Managed Service Accounts & Groups,DC=XXX,DC=COM'
[14.04.2026 12:03:33] <04> Error Failed to execute SPN registration for service class VeeamAgentWindows
[14.04.2026 12:03:33] <04> Error Failed to registry. Result: '8235' Error: 'ERROR_DS_REFERRAL' (System.Exception)
[14.04.2026 12:03:33] <04> Error at Veeam.Backup.Common.SKerberosHelper.CSpnRegister.RegistrySpnByUserName(IntPtr hDS)
[14.04.2026 12:03:33] <04> Error at Veeam.Backup.Common.SKerberosHelper.CSpnRegister.TryExecute(String computerAccountName, String& exception)
[14.04.2026 12:03:33] <04> Error Failed to registry SPN VeeamAgentWindows

[david.domask]

Hi AZHARI, welcome to the forums.

Thank you for sharing the case number and sorry to hear about the challenges.

Please continue with Veeam Support; at first blush the issue doesn't immediately match with any known issues, so likely further investigation will be required.

If you have concerns about the handling / progress of the case, use the Talk to a Manager button in the Case Portal to reach out to Support Management; they will review your concerns and the case, and allocate additional resources as necessary.

[AZHARI]

Hi VeeamForums,

after 2 months of troubleshooting Failover Cluster Veeam backup issue, manage to found the root cause.
let me update the findings and steps to fix here so it can be use for further reference.

Root cause

• Authentication failed on the remote side with NegotiateStream.AuthenticateAsServer means Windows integrated authentication (Kerberos/NTLM) negotiation broke during the handshake.
• The target principal name is incorrect almost always points to an SPN problem: the service ticket is issued for one name, but the server that receives it does not have that SPN on the account running the service.
• Veeam.Backup.ForeignBackupServiceClient.CForeignInvokerServer.AuthenticateAsServer suggests Veeam is trying to authenticate to a remote repository/foreign backup server using Kerberos over Negotiate.


Things to check and fix

• Check SPNs for duplicates or wrong mappings
• Look for SPNs like VeeamBackupSvc/yourveeamserver.domain.local mapped to a different account than the one running the service – that will cause this exact error.
• When a Veeam service runs under a domain user (service account), Kerberos SPNs for that service must be registered on that user object in AD, not on the computer account.
• The error The target principal name is incorrect appears when the SPN in the Kerberos ticket (for example, VeeamBackupSvc/veeamserver.domain.local) is registered on some other account or is duplicated, so the server cannot decrypt the ticket. (https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13)
• Veeam documentation explicitly states that if you change the account used to run a service, you must remove the old SPNs and ensure the new account has the correct ones, otherwise SPN registration and Kerberos auth will fail. (https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13)
• Add matching SPNs for the nodes if needed If you see Kerberos using the node names,
• Restart Veeam services on those nodes After adding SPNs, restart the related Veeam services on both nodes, then rerun the job

Steps to fix:

• Remove the duplicate SPNs from the computer account

setspn -D VeeamAgentWindows/<HOSTNAME> <HOSTNAME>
setspn -D VeeamAgentWindows/<HOSTNAME.domain.local> <HOSTNAME>

setspn -D VeeamDeploySvc/<HOSTNAME> <HOSTNAME>
setspn -D VeeamDeploySvc/<HOSTNAME.domain.local> <HOSTNAME>

setspn -D VeeamTransportSvc/<HOSTNAME> <HOSTNAME>
setspn -D VeeamTransportSvc/<HOSTNAME.domain.local> <HOSTNAME>

• Add the SPNs to the service account

setspn -S VeeamAgentWindows/<HOSTNAME> Service Account
setspn -S VeeamAgentWindows/<HOSTNAME.domain.local> Service Account
setspn -S VeeamDeploySvc/<HOSTNAME> Service Account
setspn -S VeeamDeploySvc/<HOSTNAME.domain.local> Service Account
setspn -S VeeamTransportSvc/<HOSTNAME> Service Account
setspn -S VeeamTransportSvc/<HOSTNAME.domain.local> Service Account

• Verify and restart
Verify SPNs on the service account
setspn -L Service Account

Rerun the job >> SUCCESS!!

[david.domask]

Thank you for sharing the result AZHARI, sounds like it took a bit of digging to get there but glad there was a solution in the end.