Solved

Receiving Event ID 11 - But I don't see a Duplicate SPN

Posted on 2010-09-10
3
4,239 Views
Last Modified: 2012-05-10
I'm receiveing this error in the Event Log.  It's a new Windows 2008 R2 Domain Controller introduced into my Windows 2003 domain. The computer name is apbrsd2 - in the domain student.apsu.edu.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/10/2010 3:17:44 PM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      APBRSD2.student.apsu.edu
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/APBRSD2 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/APBRSD2 in Active Directory.
I see this from TechNet:  http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

But when I run setSPN -X  -- there doesn't seem to be a duplicate SPN

C:\Windows\system32>setspn -X
Checking domain DC=student,DC=apsu,DC=edu
Processing entry 0
found 0 group of duplicate SPNs.

When I use -T -- and look across whole forest -- It shows 4 duplicate SPNs -- but not the one mentioned -- and I wondered across domains if that isn't normal?  I see no reference to cifs?
I also download a powershell module I found:
http://blog.powershell.no/2010/01/28/validate-spn-mappings-using-windows-powershell/
and it just falls back to the prompt when I execute the remove-allduplicatedomainSPNs -- I assume it doesn't find anything -- it doesn't say either way. (I did load the module and see the functions okay).  Anyone have any ideas?


     
0
Comment
Question by:apsutechteam
  • 2
3 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 33654629

We can resolve it in a very easy way

go to one of your Domain Controllers and in the command prompt execute a LDIFDE command that export all your AD Dat, one example in order to make it is:

ldifde -x -f ldifde_ADdata.log

Them open this file with notepad and make a search/find for the name:
cifs/APBRSD2

And you will be able to notice that it is in more than one place, them check wich one of these SPN is incorrect and delete the incorrect one

0
 

Author Comment

by:apsutechteam
ID: 33662758
This sounded like a tremendous idea. I ran the command and created the export log.  When I searched for cifs -- it didn't find even 'one' though?  It's like the phantom duplicate?
0
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 33672436

It should be somewhere, maybe another AD partition different to DC=student,DC=apsu,DC=edu

Example: "CN=Configuration,DC=student,DC=apsu,DC=edu" or the other ones (This is considering that your forest is DC=student,DC=apsu,DC=edu"

But the point is that if you had this error and you continue having it, it should be in one of the AD partitions

Scheman
Configuration
Domain
DNSForest
DNSDomain
Application



0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question