We help IT Professionals succeed at work.

New podcast episode! Our very own Community Manager, Rob Jurd, gives his insight on the value of an online community. Listen Now!

x

Receiving Event ID 11 - But I don't see a Duplicate SPN

C Emmons
C Emmons asked
on
5,975 Views
Last Modified: 2012-05-10
I'm receiveing this error in the Event Log.  It's a new Windows 2008 R2 Domain Controller introduced into my Windows 2003 domain. The computer name is apbrsd2 - in the domain student.apsu.edu.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/10/2010 3:17:44 PM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      APBRSD2.student.apsu.edu
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/APBRSD2 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/APBRSD2 in Active Directory.
I see this from TechNet:  http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

But when I run setSPN -X  -- there doesn't seem to be a duplicate SPN

C:\Windows\system32>setspn -X
Checking domain DC=student,DC=apsu,DC=edu
Processing entry 0
found 0 group of duplicate SPNs.

When I use -T -- and look across whole forest -- It shows 4 duplicate SPNs -- but not the one mentioned -- and I wondered across domains if that isn't normal?  I see no reference to cifs?
I also download a powershell module I found:
http://blog.powershell.no/2010/01/28/validate-spn-mappings-using-windows-powershell/
and it just falls back to the prompt when I execute the remove-allduplicatedomainSPNs -- I assume it doesn't find anything -- it doesn't say either way. (I did load the module and see the functions okay).  Anyone have any ideas?


     
Comment
Watch Question

Schnell SolutionsSystems Infrastructure Engineer
CERTIFIED EXPERT

Commented:

We can resolve it in a very easy way

go to one of your Domain Controllers and in the command prompt execute a LDIFDE command that export all your AD Dat, one example in order to make it is:

ldifde -x -f ldifde_ADdata.log

Them open this file with notepad and make a search/find for the name:
cifs/APBRSD2

And you will be able to notice that it is in more than one place, them check wich one of these SPN is incorrect and delete the incorrect one

C EmmonsAdmin

Author

Commented:
This sounded like a tremendous idea. I ran the command and created the export log.  When I searched for cifs -- it didn't find even 'one' though?  It's like the phantom duplicate?
Systems Infrastructure Engineer
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.