Solved

Receiving Event ID 11 - But I don't see a Duplicate SPN

Posted on 2010-09-10
3
4,191 Views
Last Modified: 2012-05-10
I'm receiveing this error in the Event Log.  It's a new Windows 2008 R2 Domain Controller introduced into my Windows 2003 domain. The computer name is apbrsd2 - in the domain student.apsu.edu.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/10/2010 3:17:44 PM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      APBRSD2.student.apsu.edu
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/APBRSD2 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/APBRSD2 in Active Directory.
I see this from TechNet:  http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

But when I run setSPN -X  -- there doesn't seem to be a duplicate SPN

C:\Windows\system32>setspn -X
Checking domain DC=student,DC=apsu,DC=edu
Processing entry 0
found 0 group of duplicate SPNs.

When I use -T -- and look across whole forest -- It shows 4 duplicate SPNs -- but not the one mentioned -- and I wondered across domains if that isn't normal?  I see no reference to cifs?
I also download a powershell module I found:
http://blog.powershell.no/2010/01/28/validate-spn-mappings-using-windows-powershell/
and it just falls back to the prompt when I execute the remove-allduplicatedomainSPNs -- I assume it doesn't find anything -- it doesn't say either way. (I did load the module and see the functions okay).  Anyone have any ideas?


     
0
Comment
Question by:apsutechteam
  • 2
3 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 33654629

We can resolve it in a very easy way

go to one of your Domain Controllers and in the command prompt execute a LDIFDE command that export all your AD Dat, one example in order to make it is:

ldifde -x -f ldifde_ADdata.log

Them open this file with notepad and make a search/find for the name:
cifs/APBRSD2

And you will be able to notice that it is in more than one place, them check wich one of these SPN is incorrect and delete the incorrect one

0
 

Author Comment

by:apsutechteam
ID: 33662758
This sounded like a tremendous idea. I ran the command and created the export log.  When I searched for cifs -- it didn't find even 'one' though?  It's like the phantom duplicate?
0
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 33672436

It should be somewhere, maybe another AD partition different to DC=student,DC=apsu,DC=edu

Example: "CN=Configuration,DC=student,DC=apsu,DC=edu" or the other ones (This is considering that your forest is DC=student,DC=apsu,DC=edu"

But the point is that if you had this error and you continue having it, it should be in one of the AD partitions

Scheman
Configuration
Domain
DNSForest
DNSDomain
Application



0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Script for Password Expire Notifications 7 113
finding who created AD 4 67
Renaming multiple file extensions using Powershell 4 38
Account lockouts 22 69
Normally after a failure of Domain Controller, when promoting new DC the DC is renamed, we will discuss the options in Dcpromo to re-create the DC with the same name. Scenario: You are a small IT shop with two Domain Controllers (Domain Contr…
I was asked if I could set up a fax machine so that incoming faxes were delivered to people's Exchange inboxes and so that they could send faxes from their desktops without needing to print the document first.  I knew it was possible but I had no id…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now