Solved

Receiving Event ID 11 - But I don't see a Duplicate SPN

Posted on 2010-09-10
3
4,275 Views
Last Modified: 2012-05-10
I'm receiveing this error in the Event Log.  It's a new Windows 2008 R2 Domain Controller introduced into my Windows 2003 domain. The computer name is apbrsd2 - in the domain student.apsu.edu.

Log Name:      System
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          9/10/2010 3:17:44 PM
Event ID:      11
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      APBRSD2.student.apsu.edu
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/APBRSD2 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/APBRSD2 in Active Directory.
I see this from TechNet:  http://technet.microsoft.com/en-us/library/cc733945(WS.10).aspx

But when I run setSPN -X  -- there doesn't seem to be a duplicate SPN

C:\Windows\system32>setspn -X
Checking domain DC=student,DC=apsu,DC=edu
Processing entry 0
found 0 group of duplicate SPNs.

When I use -T -- and look across whole forest -- It shows 4 duplicate SPNs -- but not the one mentioned -- and I wondered across domains if that isn't normal?  I see no reference to cifs?
I also download a powershell module I found:
http://blog.powershell.no/2010/01/28/validate-spn-mappings-using-windows-powershell/
and it just falls back to the prompt when I execute the remove-allduplicatedomainSPNs -- I assume it doesn't find anything -- it doesn't say either way. (I did load the module and see the functions okay).  Anyone have any ideas?


     
0
Comment
Question by:apsutechteam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 33654629

We can resolve it in a very easy way

go to one of your Domain Controllers and in the command prompt execute a LDIFDE command that export all your AD Dat, one example in order to make it is:

ldifde -x -f ldifde_ADdata.log

Them open this file with notepad and make a search/find for the name:
cifs/APBRSD2

And you will be able to notice that it is in more than one place, them check wich one of these SPN is incorrect and delete the incorrect one

0
 

Author Comment

by:apsutechteam
ID: 33662758
This sounded like a tremendous idea. I ran the command and created the export log.  When I searched for cifs -- it didn't find even 'one' though?  It's like the phantom duplicate?
0
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 33672436

It should be somewhere, maybe another AD partition different to DC=student,DC=apsu,DC=edu

Example: "CN=Configuration,DC=student,DC=apsu,DC=edu" or the other ones (This is considering that your forest is DC=student,DC=apsu,DC=edu"

But the point is that if you had this error and you continue having it, it should be in one of the AD partitions

Scheman
Configuration
Domain
DNSForest
DNSDomain
Application



0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you migrate a Terminal Server licenses server inside the 2008 server family, you can takte advantage of the build-in migration tool. If you like to migrate an older 2003 Server (and the installed client CALs) to a 2008 R2 server for example, you …
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question