Troubleshoot Connector for AD SPN creation failure - Amazon Private Certificate Authority

Service principal name (SPN) creation can fail for various reasons. When SPN creation fails, the failure reason is returned in the API response. If you're using the console, the failure reason is displayed on the Connector details page, under the Additional status details field within the Service principal name (SPN) container. The following table describes each failure reason and the recommended steps for resolution.

Failure status: DIRECTORY_ACCESS_DENIED
Description: Connector for AD can't access your directory.
Remediation: Grant Connector for AD access to your directory. For an example IAM policy that includes permissions that grant directory access, see Step 4: Create IAM Policy.

Failure status: DIRECTORY_NOT_REACHABLE
Description: Connector for AD can't access your directory.
Remediation: Check the network between Amazon and your directory, and try creating an SPN again.

Failure status: DIRECTORY_RESOURCE_NOT_FOUND
Description: Connector for AD can't find the specified directory.
Remediation: Make sure you specify the correct directory ID, then delete the failed connector and create a new one using your intended directory ID.

Failure status: INTERNAL_FAILURE
Description: Connector for AD experienced an internal failure.
Remediation: Try again later.

Failure status: SPN_EXISTS_ON_DIFFERENT_AD_OBJECT
Description: The service principal name (SPN) exists on a different Active Directory object.
Remediation: Delete the SPN from the Active Directory object, and try creating the SPN again.

Failure status: SPN_LIMIT_EXCEEDED
Description: Connector for AD can't create the SPN because you've reached the limit of SPNs per directory. The maximum number of SPNs per directory is 10.
Remediation: Delete one or more SPNs from your account, and try creating the SPN again.
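The following Python script is an added example and not code from the AWS documentation. It reads the failure reason from a GetServicePrincipalName API response and turns the table above into a concrete next action: some reasons are safe to simply retry, most need an access, network or Active Directory fix before retrying, and one (DIRECTORY_RESOURCE_NOT_FOUND) requires deleting and re-creating the connector. The boto3 service name "pca-connector-ad", the get_service_principal_name operation and the response shape (a ServicePrincipalName object with Status and StatusReason) are assumptions; the ARNs in the sample response are constructed placeholders, and the offline part of the script runs without the AWS SDK installed.

```python
"""Triage an SPN creation failure reported by Connector for AD.

Added example, not code from the AWS documentation. It assumes the boto3
service name "pca-connector-ad" and its get_service_principal_name operation,
whose response carries a ServicePrincipalName object with "Status" and
"StatusReason" fields; the ARNs below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Remediation guidance keyed by StatusReason, taken from the table above. The
# first element classifies the action a responder must take: "retry" (nothing
# to change, try again later), "fix_and_retry" (correct access, network or AD
# state, then create the SPN again) or "recreate_connector" (the connector
# itself must be deleted and created again).
REMEDIATION = {
    "DIRECTORY_ACCESS_DENIED": (
        "fix_and_retry",
        "Grant Connector for AD access to your directory (IAM policy from "
        "Step 4: Create IAM Policy), then create the SPN again.",
    ),
    "DIRECTORY_NOT_REACHABLE": (
        "fix_and_retry",
        "Check the network between Amazon and your directory, then create "
        "the SPN again.",
    ),
    "DIRECTORY_RESOURCE_NOT_FOUND": (
        "recreate_connector",
        "Verify the directory ID, delete the failed connector and create a "
        "new one with the intended directory ID.",
    ),
    "INTERNAL_FAILURE": ("retry", "Try again later."),
    "SPN_EXISTS_ON_DIFFERENT_AD_OBJECT": (
        "fix_and_retry",
        "Delete the SPN from the other Active Directory object, then create "
        "the SPN again.",
    ),
    "SPN_LIMIT_EXCEEDED": (
        "fix_and_retry",
        "Delete one or more SPNs (the limit is 10 per directory), then "
        "create the SPN again.",
    ),
}


@dataclass
class SpnTriage:
    status: str
    reason: Optional[str]
    action: str
    guidance: str


def triage_spn(response: dict) -> SpnTriage:
    """Map a GetServicePrincipalName response to a concrete next action."""
    spn = response.get("ServicePrincipalName", response)
    status = spn.get("Status", "UNKNOWN")
    reason = spn.get("StatusReason")
    if status == "ACTIVE":
        return SpnTriage(status, reason, "none", "SPN created successfully.")
    if status != "FAILED":
        # CREATING / DELETING: nothing to fix yet, poll again later.
        return SpnTriage(status, reason, "wait", f"SPN is {status}; poll again.")
    if reason in REMEDIATION:
        action, guidance = REMEDIATION[reason]
        return SpnTriage(status, reason, action, guidance)
    # FAILED with a reason not in the table: a person must read the raw response.
    return SpnTriage(status, reason, "investigate",
                     f"Unrecognised StatusReason {reason!r}; inspect the response.")


def fetch_and_triage(connector_arn: str, directory_registration_arn: str,
                     region_name: Optional[str] = None) -> SpnTriage:
    """Live variant: call the API (assumed boto3 name and shape) and triage it."""
    import boto3  # imported here so the offline part of the example needs no SDK
    client = boto3.client("pca-connector-ad", region_name=region_name)
    resp = client.get_service_principal_name(
        ConnectorArn=connector_arn,
        DirectoryRegistrationArn=directory_registration_arn,
    )
    return triage_spn(resp)


# Constructed sample response, shaped like the assumed API output; the ARNs
# are placeholders, not real resources.
SAMPLE_FAILED_RESPONSE = {
    "ServicePrincipalName": {
        "ConnectorArn": "arn:aws:pca-connector-ad:us-east-1:111122223333:connector/EXAMPLE",
        "DirectoryRegistrationArn": "arn:aws:pca-connector-ad:us-east-1:111122223333:directory-registration/EXAMPLE",
        "Status": "FAILED",
        "StatusReason": "DIRECTORY_RESOURCE_NOT_FOUND",
    }
}

if __name__ == "__main__":
    t = triage_spn(SAMPLE_FAILED_RESPONSE)
    print(f"{t.status} ({t.reason}) -> {t.action}: {t.guidance}")
```

Running the script offline triages the constructed sample and reports that the connector must be re-created; pointing fetch_and_triage at a real connector and directory registration ARN does the same against the live API. The action field is what matters in automation: only "retry" should be looped on, while "fix_and_retry" and "recreate_connector" need an operator to change something first.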