Solved

Multiple SPN Error (Event ID 11) on Domain Controller

Posted on 2011-02-18
17
1,002 Views
Last Modified: 2012-05-11
Hi folks!

We are running several Windows Server 2003 R2 x64 SP2 servers. On our domain controller, I am periodically seeing event ID 11 in the system log, stating the following:

Event Type:	Error
Event Source:	KDC
Event Category:	None
Event ID:	11
Date:		2/18/2011
Time:		10:01:14 AM
User:		N/A
Computer:       [SERVER]
Description:
There are multiple accounts with name MSSQLSvc/[SERVER].[DOMAIN]:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The server that is listed in the error is our MS SQL database server and also the application server for an application used throughout our organization. I have researched this error online, and have tried using the suggested methods to search for duplicate SPN's matching the server name. When I follow the instructions at this location...

http://blogs.dirteam.com/blogs/carlos/archive/2006/04/21/812.aspx

...I get the following output as a result:


dn: CN=[SERVER],CN=Computers,DC=[DOMAIN],DC=[DOMAIN],DC=[DOMAIN]
changetype: add
servicePrincipalName: MSSQLSvc/[SERVER].[DOMAIN]:1433
servicePrincipalName: WSMAN/[SERVER].[DOMAIN]
servicePrincipalName: HOST/[SERVER].[DOMAIN]
servicePrincipalName: WSMAN/[SERVER]
servicePrincipalName: HOST/[SERVER]

However, I do not understand SPN's well enough to really interpret that output and know whether it is normal or not.

Can anyone provide me some more information on this error and suggestions for dealing with it?

Thanks,
Ithizar
0
Comment
Question by:Ithizar
17 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 350 total points
ID: 34927511
The link below will tell you exactly what you need to do to get rid of the duplicate SPNs.

http://msmvps.com/blogs/vandooren/archive/2008/03/11/getting-rid-of-the-duplicate-spn-in-active-directory.aspx
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 150 total points
ID: 34931226
The following will list the duplicates:
SetSPN -X

You can then delete them by using the -D parameter.
0
 

Author Comment

by:Ithizar
ID: 35060207
I have tried what you have suggested, and am unable to identify the duplicate SPN. Maybe I'm just not understanding it. But what I posted above is the output of these attempts. Do you see a duplicate there?
0
 
LVL 41

Expert Comment

by:Amit
ID: 35227065
Below is the solution for your issue
http://support.microsoft.com/kb/321044
0
 

Author Comment

by:Ithizar
ID: 35244618
As I have already said, I have used the tools to attempt to identify the duplicate SPN. And I have posted the output I am getting above. I am not seeing any duplicates in that output. That's what I don't understand. Do you see duplicates in what I posted?
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35245595
>>I have used the tools to attempt to identify the duplicate SPN.<<
So you are saying that you tried the following and there were no results?
SetSPN -X
0
 

Author Comment

by:Ithizar
ID: 35498467
The -X switch does not appear to be a valid switch. When I use it, it simply displays a help screen listing the valid switches, of which that is not one.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35500575
Sure it is.  Perhaps you are using an older version.  This is what I get when I type setspn /?:
Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

  Modifiers:
   -F = perform the duplicate checking on forestwide level
   -P = do not show progress (useful for redirecting output to file)
  Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
   -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN computername
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
   -L = list registered SPNs
    Usage:   setspn [-L] computername
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
    Usage:   setspn -X


Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1" if no such SPN exists in the forest
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 150 total points
ID: 35500585
Yep, that is what it is.  See here:
New features in SETSPN.EXE on Windows Server 2008
http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx
0
 

Author Comment

by:Ithizar
ID: 35500657
Well, we have a Server 2008 machine in the mix, but our domain controllers are both 2003. I can run SetSPN from the 2008 box, but will that work correctly with the 2003 DC's?
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35501152
It is just a utility.  Use it where ever it works for you.
0
 

Author Comment

by:Ithizar
ID: 35765906
Continuing to work on this; will report back...
0
 

Author Comment

by:Ithizar
ID: 36934252
I've requested that this question be deleted for the following reason:

Never found a solution. Going to repost as a fresh question.
0
 

Author Comment

by:Ithizar
ID: 36934253
Got a solution. Cancelling delete request to close question and award points.
0
 

Author Closing Comment

by:Ithizar
ID: 36934255
Thanks everyone!
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Synchronize a new Active Directory domain with an existing Office 365 tenant
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now