Solved

Multiple SPN Error (Event ID 11) on Domain Controller

Posted on 2011-02-18
17
1,014 Views
Last Modified: 2012-05-11
Hi folks!

We are running several Windows Server 2003 R2 x64 SP2 servers. On our domain controller, I am periodically seeing event ID 11 in the system log, stating the following:

Event Type:	Error
Event Source:	KDC
Event Category:	None
Event ID:	11
Date:		2/18/2011
Time:		10:01:14 AM
User:		N/A
Computer:       [SERVER]
Description:
There are multiple accounts with name MSSQLSvc/[SERVER].[DOMAIN]:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The server that is listed in the error is our MS SQL database server and also the application server for an application used throughout our organization. I have researched this error online, and have tried using the suggested methods to search for duplicate SPN's matching the server name. When I follow the instructions at this location...

http://blogs.dirteam.com/blogs/carlos/archive/2006/04/21/812.aspx

...I get the following output as a result:


dn: CN=[SERVER],CN=Computers,DC=[DOMAIN],DC=[DOMAIN],DC=[DOMAIN]
changetype: add
servicePrincipalName: MSSQLSvc/[SERVER].[DOMAIN]:1433
servicePrincipalName: WSMAN/[SERVER].[DOMAIN]
servicePrincipalName: HOST/[SERVER].[DOMAIN]
servicePrincipalName: WSMAN/[SERVER]
servicePrincipalName: HOST/[SERVER]

However, I do not understand SPN's well enough to really interpret that output and know whether it is normal or not.

Can anyone provide me some more information on this error and suggestions for dealing with it?

Thanks,
Ithizar
0
Comment
Question by:Ithizar
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
17 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 350 total points
ID: 34927511
The link below will tell you exactly what you need to do to get rid of the duplicate SPNs.

http://msmvps.com/blogs/vandooren/archive/2008/03/11/getting-rid-of-the-duplicate-spn-in-active-directory.aspx
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 150 total points
ID: 34931226
The following will list the duplicates:
SetSPN -X

You can then delete them by using the -D parameter.
0
 

Author Comment

by:Ithizar
ID: 35060207
I have tried what you have suggested, and am unable to identify the duplicate SPN. Maybe I'm just not understanding it. But what I posted above is the output of these attempts. Do you see a duplicate there?
0
The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

 
LVL 43

Expert Comment

by:Amit
ID: 35227065
Below is the solution for your issue
http://support.microsoft.com/kb/321044
0
 

Author Comment

by:Ithizar
ID: 35244618
As I have already said, I have used the tools to attempt to identify the duplicate SPN. And I have posted the output I am getting above. I am not seeing any duplicates in that output. That's what I don't understand. Do you see duplicates in what I posted?
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35245595
>>I have used the tools to attempt to identify the duplicate SPN.<<
So you are saying that you tried the following and there were no results?
SetSPN -X
0
 

Author Comment

by:Ithizar
ID: 35498467
The -X switch does not appear to be a valid switch. When I use it, it simply displays a help screen listing the valid switches, of which that is not one.
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35500575
Sure it is.  Perhaps you are using an older version.  This is what I get when I type setspn /?:
Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

  Modifiers:
   -F = perform the duplicate checking on forestwide level
   -P = do not show progress (useful for redirecting output to file)
  Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
   -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN computername
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
   -L = list registered SPNs
    Usage:   setspn [-L] computername
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
    Usage:   setspn -X


Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1" if no such SPN exists in the forest
0
 
LVL 75

Assisted Solution

by:Anthony Perkins
Anthony Perkins earned 150 total points
ID: 35500585
Yep, that is what it is.  See here:
New features in SETSPN.EXE on Windows Server 2008
http://blogs.msdn.com/b/saurabh_singh/archive/2009/01/09/new-features-in-setspn-exe-on-windows-server-2008.aspx
0
 

Author Comment

by:Ithizar
ID: 35500657
Well, we have a Server 2008 machine in the mix, but our domain controllers are both 2003. I can run SetSPN from the 2008 box, but will that work correctly with the 2003 DC's?
0
 
LVL 75

Expert Comment

by:Anthony Perkins
ID: 35501152
It is just a utility.  Use it where ever it works for you.
0
 

Author Comment

by:Ithizar
ID: 35765906
Continuing to work on this; will report back...
0
 

Author Comment

by:Ithizar
ID: 36934252
I've requested that this question be deleted for the following reason:

Never found a solution. Going to repost as a fresh question.
0
 

Author Comment

by:Ithizar
ID: 36934253
Got a solution. Cancelling delete request to close question and award points.
0
 

Author Closing Comment

by:Ithizar
ID: 36934255
Thanks everyone!
0

Featured Post

Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question