  • Status: Solved
  • Priority: Medium
  • Security: Public

KDC Error 11, multiple accounts of MSSQLSvc/server01.XXXXXXXXXX.local:29614, can't delete

Hi

I am getting multiple entries of MSSQLSvc/server01.xxxxxxxxxxx.local:29614

I followed the links here and ran LDIFDE to generate a log. I searched the log for the above string and can see it under SERVER01$ and XXXXXXX (user).

I tried running setspn -D but it does not work.

Any help appreciated

Asked:
antalp71
 
chrishudson123 Commented:
For a duplicate SPN issue, first find the duplicate accounts (you have already done that: KB http://support.microsoft.com/kb/321044).

Second, delete the duplicate SPN by using setspn or adsiedit.msc. I prefer to open ADSIEDIT.msc and locate the object (SERVER01$ or XXXXXXX (user)). Expand the properties of the object and open the "servicePrincipalName" attribute, then delete the SPN from this window.

Note: You need the MSSQL SPN for your SQL service account. There should be only one SPN in the complete forest with the same name.
 
antalp71 (Author) Commented:
Thank you. The setspn -d didn't work for me and I didn't understand the ADSIEDIT. Thanks for explaining.

Ant
 
chrishudson123 Commented:
Adsiedit Overview - http://technet.microsoft.com/en-us/library/cc773354.aspx
You need to install the support tools for adsiedit.msc.
After finding the server which has the wrong SPN:
Start > Run > Adsiedit.msc
Expand Domain and locate the culprit server.
Right-click on the server name > Properties and select servicePrincipalName.
When you double-click servicePrincipalName, you will get a dialog box to add or remove the SPNs.
Attaching the screenshot of adsiedit.

For setspn syntax, refer to http://technet.microsoft.com/en-us/library/cc755413.aspx and http://technet.microsoft.com/en-us/library/cc773257.aspx
Syntax to remove an SPN using setspn:
setspn -d <SPN to remove >  <Server Name>

Example:
setspn -d http/daserver1.reskit.microsoft.com daserver1
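
The first step in the answers above is finding which objects hold the same SPN in the LDIFDE export. As an added example (not code from this thread or from KB 321044), this Python script parses an export and lists every SPN registered on more than one object; the domain, DNs and sample data are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample in LDIF export format (not from the thread): the same SPN
# sits on a computer account and a user account; the second value is folded.
SAMPLE_LDIF = """\
dn: CN=SERVER01,CN=Computers,DC=example,DC=local
sAMAccountName: SERVER01$
servicePrincipalName: MSSQLSvc/server01.example.local:29614
servicePrincipalName: HOST/server01.example.local

dn: CN=sqlsvc,CN=Users,DC=example,DC=local
sAMAccountName: sqlsvc
servicePrincipalName: mssqlsvc/SERVER01.example
 .local:29614
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record, unfolding continuation lines."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # RFC 2849: a continuation starts with one space
        else:
            unfolded.append(line)
    dn, attrs = None, defaultdict(list)
    for line in unfolded + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if dn:
                yield dn, dict(attrs)
            dn, attrs = None, defaultdict(list)
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" carries non-ASCII values
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = value.strip()
        else:
            attrs[name.lower()].append(value.strip())

def duplicate_spns(text):
    """Return {lowercased SPN: [DNs]} for SPNs held by more than one object."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)  # SPN matching in AD ignores case
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(duplicate_spns(SAMPLE_LDIF))
```

Every DN listed for an SPN except the service account that should own it is a candidate for the setspn -d or ADSIEDIT removal described above.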









 
antalp71 (Author) Commented:
Hi

Thanks for the pics, I was not looking in the properties box and so was just seeing an empty user folder.  All sorted now and deleted.

Many Thanks for your help.

Ant

