jamorlando
asked on
Removing duplicate SPNs (Service Name Providers)
I currently get errors in the system log on my Windows 2008 R2 domain controller daily, such as:
Event ID: 11
Source Name: KDC
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/IKSDB01.iks.bz:1139 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for MSSQLSvc/IKSDB01.iks.bz:1139 in Active Directory.
I googled this and found an article that makes the fix seem fairly straightforward:
http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx
Here is my output when I run: setspn -X
Checking domain DC=iks,DC=bz
Processing entry 2
MSSQLSvc/iksdb01.iks.bz:3064 is registered on these accounts:
CN=IKSDB01,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
MSSQLSvc/iksdb01.iks.bz:3964 is registered on these accounts:
CN=IKSDB01,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
MSSQLSvc/iksdb01.iks.bz:1139 is registered on these accounts:
CN=IKSDB01,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
MSSQLSvc/iksdb01.iks.bz:4929 is registered on these accounts:
CN=IKSDB01,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
MSSQLSvc/2000sql01.iks.bz:1407 is registered on these accounts:
CN=2000SQL01,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
MSSQLSvc/SHAREPOINT.iks.bz:1433 is registered on these accounts:
CN=SHAREPOINT,CN=Computers,DC=iks,DC=bz
CN=Administrator,CN=Users,DC=iks,DC=bz
found 6 groups of duplicate SPNs.
The article then gives instructions using setspn -D <SPN> <computer_name> to delete these.
Some questions:
#1. Given the output of my duplicate SPNs, what would be the command that I type to erase one of these?
#2. How do I know which duplicate to erase?
#3. If in doing this, I screw something up, is there a way to undo?
Thanks,
Jamie
ASKER CERTIFIED SOLUTION
ASKER
For simplicity, let's use MSSQLSvc/iksdb01.iks.bz:1139 as an example.
I opened up AdsiEdit and was able to find this SPN under the servicePrincipalName attribute of:
DC=iks,DC=bz -> CN=Computers -> CN=IKSDB01
DC=iks,DC=bz -> CN=Users -> CN=Administrator
IKSDB01 is one of our old servers running MS SQL SERVER 2000.
I have no problem with deleting one of the SPNs, and now know how to. Thank you!
I am still unsure as to which one to delete...
In the article he says:
Locate the westpex computer and find out what's the account in which security context SQL Server service executes. If this is Administrator's account, delete the second one - otherwise (if this is a local System or Network Service account, delete the first one).
Where would I find this in SQL Server? Or would I locate this in services.msc?
From services.msc, if I look at the "Log In As" field under the various database instances, some of them have different values ... some say "IKS\Administrator" (our domain admin login), and some say "Local System". Is this what I'm looking for?
How will I be able to tell what MSSQLSvc/iksdb01.iks.bz:1139 corresponds with in this list?
Thanks!
some say "IKS\Administrator" (our domain admin login), and some say "Local System". Is this what I'm looking for?
Yes so administrator is what is used.
Take a look at part 2 of this DS team series
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx
about halfway down they use queryspn.vbs and go through the process
Thanks
Mike
Can't believe I forgot to mention Joe's great entry http://blog.joeware.net/2008/07/17/1407/
ASKER
@MKLine71, thank you! I think I need to explain it more ... I've attached a screenshot of the SQL Server section of services.msc ... you can see all the different database instances. Some are running under IKS\Administrator and some under Local System.
How am I to know which database instance corresponds to, for example: MSSQLSvc/iksdb01.iks.bz:1139? Any SQL Server experts on here? :)
SQLServer2000.jpg
ASKER
Ok, probably a pretty clunky way of doing this but I figured out a way to do this:
Using MSSQLSvc/iksdb01.iks.bz:1139 as an example:
From the command line, I run:
netstat -ano | findstr 1139
It returns: TCP 0.0.0.0:1139 0.0.0.0:0 LISTENING 1592
(1592 is the PID, the process ID?)
From the registry, I navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server
The folders under here are all my database instances. Then I would navigate to the MSSQLServer folder underneath, and look for the "uptime_pid" key, which is 1592.
So now I know that MSSQLSvc/iksdb01.iks.bz:1139 corresponds to my MSSQL$SQL2000SMARTSEAL service.
ASKER
One last question .... if for SOME reason, I delete the WRONG SPN, how do I recover from this?
I assume that I could just change the authentication from within SQL Server, or just unjoin the server from the domain and rejoin it. Some reassurance would be great before I start deleting stuff with ADSIEdit :)
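The following PowerShell script is an added example, not code from the original thread or from the linked articles. It automates the mapping the asker worked out above (SPN -> listening TCP port -> PID -> SQL Server service), then uses that service's logon account to decide which of the two SPN holders is legitimate, backs up every holder's current servicePrincipalName values so a wrong deletion can be undone with setspn -S, and prints (does not run) the setspn -D command for the account that should lose the SPN. Assumptions: it runs on the SQL host itself, as a domain user, under PowerShell 2.0 or later; it uses WMI Win32_Service to map PID to service and logon account instead of the registry uptime_pid key the asker used; the SPN, the backup file under %TEMP% and the setspn.exe availability are all assumptions for the example.

```powershell
# Added example, not from the original thread. Run on the SQL Server host.
# Given a duplicated SPN of the form MSSQLSvc/<fqdn>:<port>, find the SQL Server
# service that owns that port and its logon account, list the AD accounts that hold
# the SPN, back up their SPN lists, and print the setspn -D command for the wrong one.
param(
    [string]$Spn        = 'MSSQLSvc/iksdb01.iks.bz:1139',   # SPN from the thread (example value)
    [string]$BackupPath = "$env:TEMP\spn-backup.txt"       # assumed backup location
)

# 1. Pull the TCP port out of the SPN.
if ($Spn -notmatch '^MSSQLSvc/(?<host>[^:]+):(?<port>\d+)$') {
    throw "Expected an SPN like MSSQLSvc/host.fqdn:port, got '$Spn'"
}
$port = [int]$Matches['port']

# 2. Port -> PID, the same netstat -ano trick as in the thread, but anchored on
#    ':<port><whitespace>' so that 1139 does not also match 11390.
$listener = netstat -ano |
    Select-String -Pattern "^\s*TCP\s+\S+:$port\s+\S+\s+LISTENING\s+(\d+)" |
    Select-Object -First 1
if (-not $listener) { throw "Nothing is listening on TCP $port on this host" }
$listenerPid = [int]$listener.Matches[0].Groups[1].Value

# 3. PID -> Windows service. Win32_Service exposes both ProcessId and the logon
#    account (StartName), which is the answer to "which account runs this instance".
$svc = Get-WmiObject Win32_Service -Filter "ProcessId = $listenerPid"
if (-not $svc) { throw "PID $listenerPid is not a Windows service" }
"{0} -> PID {1} -> service {2} -> runs as {3}" -f $Spn, $listenerPid, $svc.Name, $svc.StartName

# 4. Every AD account currently holding this SPN (one group of setspn -X output).
$searcher = [ADSISearcher]"(servicePrincipalName=$Spn)"
$null = $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'sAMAccountName', 'servicePrincipalName', 'objectClass'))
$holders = $searcher.FindAll()
if ($holders.Count -lt 2) { "No duplicate: $($holders.Count) account(s) hold $Spn"; return }

# 5. Undo path: record each holder's full SPN list before anything is deleted.
#    A wrongly removed SPN is restored with:  setspn -S <SPN> <account>
foreach ($h in $holders) {
    "# $($h.Properties['distinguishedname'][0])" | Add-Content $BackupPath
    $h.Properties['serviceprincipalname'] | Add-Content $BackupPath
}
"SPN backup written to $BackupPath"

# 6. Decide which holder is right. A service logging on as LocalSystem or Network
#    Service authenticates to the KDC as the computer account, so the computer object
#    should hold the SPN. A service logging on as a domain user needs the SPN on that
#    user account instead, and the computer's copy is the duplicate.
$usesComputerAccount = $svc.StartName -match '^(LocalSystem|NT AUTHORITY\\(Network ?Service|Local ?Service))$'
$serviceUser = if ($svc.StartName -match '\\') { ($svc.StartName -split '\\')[-1] }
               else                            { ($svc.StartName -split '@')[0]  }

foreach ($h in $holders) {
    $dn         = $h.Properties['distinguishedname'][0]
    $sam        = $h.Properties['samaccountname'][0]
    $isComputer = $h.Properties['objectclass'] -contains 'computer'
    $keep = if ($usesComputerAccount) { $isComputer } else { (-not $isComputer) -and ($sam -ieq $serviceUser) }
    if ($keep) {
        "KEEP   $dn"
    } else {
        "REMOVE $dn"
        # Printed for review only; setspn takes the computer name without the trailing $.
        "       setspn -D $Spn $($sam.TrimEnd('$'))"
    }
}
```

Run it once per duplicated SPN and act only on the printed setspn -D line after checking it against the KEEP/REMOVE list; if the wrong account loses the SPN, Kerberos to that instance fails or falls back to NTLM (the Event ID 11 warning describes exactly that), and the backup file gives you the values to put back with setspn -S. In the thread's case the instance runs as IKS\Administrator, so the script will mark the computer object as the duplicate to remove; an SPN on a domain admin account also means any domain user can request a service ticket encrypted with that account's password hash, which is a reason to move such instances to a dedicated service account rather than leaving them as domain admin.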
SOLUTION
ASKER
Awesome ... all my questions have been answered and I feel like I actually comprehend this now. THANKS!
Thanks... if you don't mind, respond and let us know how things went when you are done.
ASKER
I tried it for the first one in my list ... deleted the duplicate SPN, and am successfully able to get to the database. I'll leave it like that for a couple of days just to make sure nobody's affected and then I'll knock out all the other ones, going with SharePoint LAST because that's our most important server here :)
http://technet.microsoft.com/en-us/library/cc786325(WS.10).aspx
You can add and delete SPNs using the instructions in this article.
Thank you