Which account should I delete after finding duplicate SPN of MSSQLSvc/

Posted on 2008-11-15
Last Modified: 2012-05-05
Based on others I used the following command to export 2 entries:

ldifde -d dc=lowryparkzoo,dc=com -r "(serviceprincipalname=mssqlsvc/lpz-tickets*)" -l dn,serviceprincipalname -f CG.txt

Here are the results:

dn: CN=Administrator,CN=Users,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/
servicePrincipalName: MSSQLSvc/
servicePrincipalName: MSSQLSvc/
servicePrincipalName: MSSQLSvc/

dn: CN=LPZ-TICKETS,CN=Computers,DC=LowryParkZoo,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/
servicePrincipalName: DNS/
servicePrincipalName: HOST/
servicePrincipalName: HOST/
servicePrincipalName: HOST/LPZ-TICKETS
servicePrincipalName: HOST/

I looked at the MSSQLSERVER service in LPZ-Tickets and it uses the Local System Account to Log On.

I noted that the CN=Administrator and CN=LPZ-Tickets both have the same MSSQLSvc serviceprincipalname.

The MS article gives this as the resolution:
To resolve this problem, locate the computer accounts that have the duplicate SPNs. When you have located the computers that have the duplicate SPNs, you can either delete the computer account from the domain, disjoin and rejoin the computer to the domain, or you can use ADSIEdit to correct the SPN on the computer that has the incorrect SPN.

So I need to figure out which one to remove and how to use adsiedit to remove or fix the incorrect entry, so the SQL service stays running and the Event Error 11 in Source KDC is eliminated.

Thanks in advance.

Question by:tfcmarty

    Author Comment

    I have ADSI edit working and can highlight servicePrincipalName = MSSQLSvc in both the Administrator account and LPZ-Tickets, I'm still struggling as to which one to remove.
    LVL 31

    Accepted Solution

    You need to remove the SPN that isn't used. As you've found that SQL is running as Local System and for that reason is using the SPN on the computer account, you shall remove the SPN from the Administrator account.

    To increase security, you should create a dedicated service account instead of running SQL as LocalSystem or Administrator (both give too much permissions).

    Instead of using ADSIedit, you can use the setspn command to delete the SPNs.

    C:\>setspn -D MSSQLSvc/ Administrator
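    As an added example (not part of this thread), the same check done domain-wide in PowerShell: it lists every SPN with a given prefix that is registered on more than one account and shows whether each holder is a computer or a user object, so the registration that does not belong to the account actually running the service can be picked out before it is removed with setspn -D. It assumes the ActiveDirectory RSAT module is installed; the function name Find-DuplicateSpn is mine.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a domain-joined session with read access to AD.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Prefix     = 'MSSQLSvc/'   # narrow the search like the ldifde filter above
    )
    # Every object (user or computer) carrying at least one SPN with the prefix
    $objects = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter "(servicePrincipalName=$Prefix*)" `
        -Properties servicePrincipalName, objectClass

    # One row per (SPN, holder); hostnames are case-insensitive, so normalise
    $rows = foreach ($o in $objects) {
        foreach ($spn in $o.servicePrincipalName) {
            [pscustomobject]@{
                Spn   = $spn.ToLowerInvariant()
                Dn    = $o.DistinguishedName
                Class = $o.objectClass      # 'computer' vs 'user'
            }
        }
    }

    # Only SPNs held by more than one account are a problem for the KDC
    $rows | Group-Object Spn | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Spn     = $_.Name
            Holders = ($_.Group | ForEach-Object { "$($_.Dn) [$($_.Class)]" }) -join '; '
        }
    }
}

Find-DuplicateSpn | Format-List

# A service running as Local System authenticates as the computer account, so in
# that case the computer object is the legitimate holder and the copy on the user
# account is the one to drop (placeholders, fill in from the output above):
#   setspn -D <SPN> <account>
# To check the whole forest for duplicates without a prefix filter: setspn -X
```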

    Author Comment

    Thanks for both recommendations. That helped me to understand what I was doing.

    Author Closing Comment

    Thanks again.
