• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4652
  • Last Modified:

Receiving Event ID 11 - But I don't see a Duplicate SPN

I'm receiveing this error in the Event Log.  It's a new Windows 2008 R2 Domain Controller introduced into my Windows 2003 domain. The computer name is apbrsd2 - in the domain student.apsu.edu.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/10/2010 3:17:44 PM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      APBRSD2.student.apsu.edu
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/APBRSD2 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/APBRSD2 in Active Directory.
I see this from TechNet:  http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

But when I run setSPN -X  -- there doesn't seem to be a duplicate SPN

C:\Windows\system32>setspn -X
Checking domain DC=student,DC=apsu,DC=edu
Processing entry 0
found 0 group of duplicate SPNs.

When I use -T -- and look across whole forest -- It shows 4 duplicate SPNs -- but not the one mentioned -- and I wondered across domains if that isn't normal?  I see no reference to cifs?
I also download a powershell module I found:
http://blog.powershell.no/2010/01/28/validate-spn-mappings-using-windows-powershell/
and it just falls back to the prompt when I execute the remove-allduplicatedomainSPNs -- I assume it doesn't find anything -- it doesn't say either way. (I did load the module and see the functions okay).  Anyone have any ideas?


     
0
apsutechteam
Asked:
apsutechteam
  • 2
1 Solution
 
Schnell SolutionsSystems Infrastructure EngineerCommented:

We can resolve it in a very easy way

go to one of your Domain Controllers and in the command prompt execute a LDIFDE command that export all your AD Dat, one example in order to make it is:

ldifde -x -f ldifde_ADdata.log

Them open this file with notepad and make a search/find for the name:
cifs/APBRSD2

And you will be able to notice that it is in more than one place, them check wich one of these SPN is incorrect and delete the incorrect one

0
 
apsutechteamAuthor Commented:
This sounded like a tremendous idea. I ran the command and created the export log.  When I searched for cifs -- it didn't find even 'one' though?  It's like the phantom duplicate?
0
 
Schnell SolutionsSystems Infrastructure EngineerCommented:

It should be somewhere, maybe another AD partition different to DC=student,DC=apsu,DC=edu

Example: "CN=Configuration,DC=student,DC=apsu,DC=edu" or the other ones (This is considering that your forest is DC=student,DC=apsu,DC=edu"

But the point is that if you had this error and you continue having it, it should be in one of the AD partitions

Scheman
Configuration
Domain
DNSForest
DNSDomain
Application



0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now