duplicate SPN's

We have been getting duplicate SPN's with event 11 KDC and running a script, we are getting the following:

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

CN=SQL Server Admin,OU=Admin Accounts,OU=Users,OU=Information Systems,DC=domain,DC=com
Class: user
User Logon: user1
-- MSSQLSvc/server1.domain.com:1433
-- MSSQLSvc/server2.domain.com:1433
-- MSSQLSvc/server1.domain.com

I'm sure I can delete one of these, but how do I know which one to delete? Is there a command I need to run prior that will list the correct value?


Hello David,

See this article from Morgan Che:

Hi,

This problem occurs because two or more computer accounts have the same service principal name (SPN) registered. Event ID 11 is logged when the Key Distribution Center (KDC) receives a ticket request, and the related SPN exists more than one time when it is checked on the global catalog (GC) for verification.

To resolve this problem, locate the computer accounts that have the duplicate SPNs. When you have located the computers that have the duplicate SPNs, you can either delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.

To locate the computer accounts that have the duplicate SPNs, use one of the following methods.

Method 1: Use the LDP support tool

1. Click Start, click Run, type LDP, and then click OK.
2. Click Connection, and then click Connect.
3. Leave the default settings, and then click OK.
   Note: If you do not receive the expected result, try another search by using the Global Catalog port (3268) instead of the default setting (389).
4. Click Connection, and then click Bind.
5. Leave the default settings, and then click OK.
6. Click View, and then click Tree.
7. In the Tree View dialog box, type DC=YourDomain,DC=com in the BaseDN box, where YourDomain is your domain.
8. Click Browse, and then click Search.
9. In the Search dialog box, type DC=YourDomain,DC=com in the BaseDN box.
10. In the Search dialog box, type (serviceprincipalname=HOST/mycomputer.mydomain.com) in the Filter box. If the service principal name that is referred to in the error in the System log differs from this example, type the service principal name to which the error refers.
    Note: If you do not receive the expected result, try searching for "HOST/" as opposed to searching only for the exact SPN in the event ID.
11. Under Scope, click Subtree.
12. Click Run.

If this result is not what we expect, please try the following.

Method 2: Use the querySpn.vbs script in the following Microsoft TechNet article. To use the script, copy the code, paste it into Notepad, and then save the script as querySpn.vbs.
http://www.microsoft.com/technet/scriptcenter/solutions/spnquery.mspx

Run the script by using the following command:

cscript spnquery.vbs HOST/mycomputer* >check_SPN.txt

Also, you can use the setspn tool to locate duplicate SPNs. You can refer to Setspn Overview:
http://technet2.microsoft.com/WindowsServer/en/Library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx

Hope this helps.

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


You have that service principal name registered three times on two separate machines, which machine do you want to provide services for? No one else will know this answer but you. Also you will have to remove two of the spn's, only one per account. Follow Meinolf's direction on looking at the spn's, I use setspn (setspn -l accountname when I am looking for info).

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"David Alge" <DavidA***@discussions.microsoft.com> wrote in message news:4A2DB09C-6EEA-4732-92F2-37AABFFAE1C1@microsoft.com...


Hello David,

Correct this as follows:

At command prompt:

setspn -L user1

(This should list all registered Service Principal Names for user1.)

If there is a duplicate entry, you can delete the duplicate entry by:

setspn -d MSSQLSvc/servername.domain.com:1433 user1

You will have to decide which one to delete based on which SQL server should have user1 as its service id. The best practice to name MSSQLSvc users or ids is to name them after the server, e.g. user1sqlserver1 etc.

--
Isaac Oben [MCTIP:EA, MCSE]

"David Alge" <DavidA***@discussions.microsoft.com> wrote in message news:4A2DB09C-6EEA-4732-92F2-37AABFFAE1C1@microsoft.com...
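The replies above locate duplicates one SPN at a time with LDP or setspn -L; the following added PowerShell script (not posted in this thread) does the same check forest-wide: it queries the Global Catalog on port 3268 for every account holding a matching SPN and reports any SPN held by more than one account, which is the condition behind KDC event ID 11. It assumes the forest root DNS name equals the current user's domain ($env:USERDNSDOMAIN) and that the caller can read servicePrincipalName (default for any authenticated user); the 'MSSQLSvc/*' default filter mirrors the original poster's case.

```powershell
# Added example, not from the thread: find SPNs registered on more than one account.
# Uses only System.DirectoryServices (.NET), present on any domain-joined Windows host.
param(
    [string]$Forest    = $env:USERDNSDOMAIN,   # assumption: forest root == user's domain
    [string]$SpnFilter = 'MSSQLSvc/*'          # narrow the search; use 'HOST/*' for host SPNs
)

# GC:// binds to port 3268 and searches the whole forest, as the LDP note recommends,
# because the KDC checks the global catalog when it validates a requested SPN.
$root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$Forest")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(servicePrincipalName=$SpnFilter)"
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000                   # paged results so large forests are not truncated
[void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'servicePrincipalName'))

# Map SPN -> accounts that carry it. PowerShell hashtable keys are case-insensitive,
# which matches how the KDC compares SPNs (MSSQLSvc/Server1 and mssqlsvc/server1 collide).
$bySpn = @{}
foreach ($result in $searcher.FindAll()) {
    $dn  = [string]$result.Properties['distinguishedname'][0]
    $sam = [string]$result.Properties['samaccountname'][0]
    foreach ($spn in $result.Properties['serviceprincipalname']) {
        if (-not $bySpn.ContainsKey($spn)) { $bySpn[$spn] = New-Object System.Collections.ArrayList }
        [void]$bySpn[$spn].Add("$sam  ($dn)")
    }
}

# Only SPNs held by two or more accounts are duplicates; several SPNs on ONE account
# (as in the poster's setspn output) are normal and do not trigger event 11 by themselves.
$dupes = $bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | Sort-Object Name
if (-not $dupes) { "No duplicate SPNs matching $SpnFilter found in $Forest."; return }
foreach ($d in $dupes) {
    "DUPLICATE: $($d.Name)"
    $d.Value | ForEach-Object { "    held by $_" }
}
"Verify each account with 'setspn -L <account>', then remove the SPN from the account that"
"does not run the service with 'setspn -D <SPN> <account>' (see Isaac's reply above)."
```

On Windows Server 2008 and later, `setspn -X` performs the same forest-wide duplicate check from the command line; the script above is useful where the older setspn without -X is all that is available.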