Active Directory
Duplicate spn for MSSQLSvc, what to do?
Hello Experts!
My domain controller is giving a periodic error:
Kerberos-Key-Distribution-Center, event ID 11
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/computer.domain.com:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for MSSQLSvc/computer.domain.com:1433 in Active Directory.
I read up and there are suggestions to run setspn -x to get duplicate spn entries.
C:\Users\AdminUser3>setspn -X
Processing entry 0
MSSQLSvc/ComputerDB01.domain.com is registered on these accounts:
        CN=AdminUser1,OU=AdminUsers,DC=domain,DC=com
        CN=AdminUser2,OU=AdminUsers,DC=domain,DC=com
MSSQLSvc//ComputerDB02.domain.com is registered on these accounts:
        CN=AdminUser1,OU=AdminUsers,DC=domain,DC=com
        CN=ComputerDB02,OU=Managed,OU=Servers,DC=domain,DC=com
MSSQLSvc/ComputerDB02.domain.com:1433 is registered on these accounts:
        CN=AdminUser1,OU=AdminUsers,DC=srhost,DC=secure-res,DC=com
        CN=ComputerDB02,OU=Managed,OU=Servers,DC=domain,DC=com
MSSQLSvc/ComputerDB01.srhost.secure-res.com:1433 is registered on these accounts:
        CN=AdminUser1,OU=AdminUsers,DC=domain,DC=com
        CN=AdminUser3,CN=Users,DC=domain,DC=com
        CN=ComputerDB01,OU=Managed,OU=Servers,DC=domain,DC=com
found 4 groups of duplicate SPNs.
So I have two separate SPNs, one for each SQL Server and one for the SQL Server on port 1433. The first one has just two users on it, one of them a disabled account. I removed that entry via ADSI Edit.
Reading some posts, there are comments as to which account should have the SPN. What I see is that if your instance of SQL is running under LocalSystem, then that computer should have the SPN on it.
My questions: What is the best course of action here to clean up these records? These are critical servers that I do not want to bring down. Should all entries have the local computer account? What's the difference between the entry without a port and the one with port 1433?
You can use the SetSPN tool to clean up these SPNs:
http://technet.microsoft.com/en-us/library/cc755413(WS.10).aspx
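The following is an added example, not code from the thread above: a PowerShell audit that does what the asker did by hand with setspn -X, but across the whole domain via one LDAP query, and then prints (without running) the setspn -D commands that would leave each duplicated MSSQLSvc SPN on exactly one account. It assumes the RSAT ActiveDirectory module is installed; the host names reuse the ones from the question, and the owning accounts in the $Owner table (the ComputerDB01$ computer account and a domain account called svc-sql) are placeholders to be replaced with whatever account each SQL service actually runs as.

```powershell
# Added example (not from the original thread): find MSSQLSvc SPNs registered on
# more than one account and emit the setspn -D commands that keep each SPN only
# on its intended owner. Nothing is executed; review the output, then run it.
# Assumptions: RSAT ActiveDirectory module; placeholder hosts/accounts in $Owner.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    # Service class to audit. MSSQLSvc is the class SQL Server registers.
    [string]$ServiceClass = 'MSSQLSvc',

    # FQDN of the SQL host -> sAMAccountName of the account that must keep the SPN.
    # Use the computer account (name ending in '$') when SQL runs as LocalSystem,
    # Network Service or a virtual account; use the domain account otherwise.
    [hashtable]$Owner = @{
        'computerdb01.domain.com' = 'ComputerDB01$'   # placeholder: SQL runs as LocalSystem
        'computerdb02.domain.com' = 'svc-sql'         # placeholder: SQL runs as a domain account
    }
)

# One LDAP query returns every object holding an SPN of this class. LDAP matching
# is case-insensitive, so differently-cased duplicates are all returned.
$objects = Get-ADObject -LDAPFilter "(servicePrincipalName=$ServiceClass/*)" `
                        -Properties servicePrincipalName, sAMAccountName

# Flatten to one row per (SPN, account). Kerberos compares SPNs case-insensitively,
# so group on a lower-cased key but keep the original spelling for the commands.
$rows = foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        if ($spn -like "$ServiceClass/*") {
            [pscustomobject]@{
                Key     = $spn.ToLowerInvariant()
                Spn     = $spn
                Account = $obj.sAMAccountName
                DN      = $obj.DistinguishedName
            }
        }
    }
}

$dupes = $rows | Group-Object Key | Where-Object Count -gt 1
if (-not $dupes) { Write-Host "No duplicate $ServiceClass SPNs found."; return }

foreach ($group in $dupes) {
    # SPN shape is class/host[:port][/instance]. Take the host from the segment
    # after the first '/', dropping any ':port'. A malformed value such as
    # MSSQLSvc//host yields an empty host and is flagged for manual review.
    $hostPart = (($group.Name -split '/')[1]) -replace ':.*$', ''
    $keep     = if ($hostPart) { $Owner[$hostPart] } else { $null }   # hashtable lookup is case-insensitive

    Write-Host "`n$($group.Group[0].Spn) is registered on $($group.Count) accounts:"
    foreach ($row in $group.Group) {
        $mark = if ($keep -and ($row.Account -ieq $keep)) { 'KEEP  ' } else { 'REMOVE' }
        Write-Host ('  {0} {1,-24} {2}' -f $mark, $row.Account, $row.DN)
    }

    if (-not $keep) {
        Write-Warning "No owner configured for host '$hostPart'. Check which account the SQL service runs as on that host (Win32_Service StartName) before removing anything."
        continue
    }

    # setspn -D removes only the named SPN from the named account. It does not
    # restart or reconfigure the service, so it is safe on a live server; the one
    # thing to avoid is deleting it from the account SQL really runs as, which
    # would cause NTLM fallback or logon failures until it is re-added.
    foreach ($row in $group.Group | Where-Object { $_.Account -ine $keep }) {
        Write-Host "  setspn -D $($row.Spn) $($row.Account)"
    }
}
```

Run it as an account that can write servicePrincipalName on the objects involved (Domain Admin, or a delegated account), and use `setspn -X -F` if the SPNs may be spread across several domains of the forest, since the script above queries only the current domain. Two points the output makes visible: SQL Server registers both MSSQLSvc/<FQDN>:<port> (TCP connections) and, for a default instance, MSSQLSvc/<FQDN> (named pipes), and both belong on the same account, the one the SQL service logs on as; and an SPN such as MSSQLSvc//host, with an empty host segment, can never match a client's request and is only clutter. Once each SPN has a single owner, `setspn -X` should report no duplicate groups and KDC event 11 should stop.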
Closing this out. I'm not having problems since making the change.