Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 338
  • Last Modified:

Event viwer error: 11 multiple accounts with MSSQLvc/SERVER.OFFICE:1433 type10

Hello everyone.

I have this message on my event viwer:

Event viwer error: 11 multiple accounts with MSSQLvc/SERVER.OFFICE:1433 type10

I've a MS SQL Server 2000 installed on a W2k Server that is a domain controller. The message is translated because originally is displayed in spanish, so maybe (sure) is not exact as it appears in english SQL/W2k.

Anyone knows why appears and what it means? (all works fine apparently)

Thanks!!
0
montcadalr
Asked:
montcadalr
  • 3
1 Solution
 
Aneesh RetnakaranDatabase AdministratorCommented:
Hi montcadalr,
Try these
http://www.mcse.ms/archive81-2005-4-1581848.html


This error can be caused when the Service Principal Name (SPN) has been registered incorrectly for a service running on a server. Each service that uses Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. The SPN is registered in Active Directory under a user account as an attribute of the user account called a servicePrincipalName.

The above error typically indicates that ServiceClass/host.domain.com has been registered as an SPN on more than one Active Directory User Account. This typically happens when a service is set to start with a different service account and setSPN is used to add the new SPN but the old SPN is not removed. In general, only one SPN should be set for each service. Multiple SPNs can cause clients to connect to the wrong system or the ticket may be encrypted with the wrong key.

Solution:
To enable the service to authenticate properly, you need to make sure that the service has only one SPN. In order to do this first we need to find which accounts have the duplicate SPNs and then delete one of them. The easiest way to determine which account the ServiceClass SPN should be registered under is to identify the service account under which the service starts. For instance if the service class & hostname is MSSQLSvc/hostname.domain.com then logon to hostname.domain.com and verify which account SQL Server services are using to start with, this is the account that the SPN should be registered to.

To generate a list of accounts that the SPNs are registered to, run the following command at the command prompt.

From the domain controller, open a command prompt and then type the following string:
ldifde -f domain.txt -d “dc=domain,dc=com”
Open the text file in Notepad and then search for the SPN that is reported in the event log.
ServiceClass/host.domain.com
Note the user accounts under which the SPN is located and the organizational unit the accounts reside in….the userPrincipalName should be located directly above the servicePrincipalName registration as in the example below.
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com
Use one of the following options to delete the account SPN registrations from the accounts that should not contain registrations to ServiceClass/host.domain.com. (i.e. Typically any accounts containing an SPN registration for SeriviceClass/host.domain.com that services are not explicitly starting with)

Using ADSIEdit

Add ADSIEdit to the MMC and bind to the domain using the Domain well known naming context.
Navigate to each user account you previously documented as having a duplicate SPN registration and right click the account and select properties.
Scroll through the list of attributes until you see servicePrincipalName, double click servicePrincipalName and remove the duplicate SPN registration and click on OK and exit ADSIEdit.
Using SetSPN

From the command prompt type the following command and hit enter.
setspn -D ServiceClass/host.domain.com:Port AccountName
0
 
Aneesh RetnakaranDatabase AdministratorCommented:
0
 
Aneesh RetnakaranDatabase AdministratorCommented:
Points Aneeshattingal..
0
 
montcadalrAuthor Commented:
I'm sorry, I've been busy to achieve this question.
I'll try to solve this week.
Thanks a lot!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now