Multiple SPN Error (Event ID 11) on Domain Controller

Hi folks!

We are running several Windows Server 2003 R2 x64 SP2 servers. On our domain controller, I am periodically seeing event ID 11 in the system log, stating the following:

Event Type:	Error
Event Source:	KDC
Event Category:	None
Event ID:	11
Date:		2/18/2011
Time:		10:01:14 AM
User:		N/A
Computer:       [SERVER]
There are multiple accounts with name MSSQLSvc/[SERVER].[DOMAIN]:1433 of type DS_SERVICE_PRINCIPAL_NAME.

The server that is listed in the error is our MS SQL database server and also the application server for an application used throughout our organization. I have researched this error online, and have tried using the suggested methods to search for duplicate SPN's matching the server name. When I follow the instructions at this location...

...I get the following output as a result:

changetype: add
servicePrincipalName: MSSQLSvc/[SERVER].[DOMAIN]:1433
servicePrincipalName: WSMAN/[SERVER].[DOMAIN]
servicePrincipalName: HOST/[SERVER].[DOMAIN]
servicePrincipalName: WSMAN/[SERVER]
servicePrincipalName: HOST/[SERVER]

However, I do not understand SPN's well enough to really interpret that output and know whether it is normal or not.

Can anyone provide me some more information on this error and suggestions for dealing with it?

Who is Participating?
Darius GhassemConnect With a Mentor Commented:
The link below will tell you exactly what you need to do to get rid of the duplicate SPNs.
Anthony PerkinsConnect With a Mentor Commented:
The following will list the duplicates:

You can then delete them by using the -D parameter.
IthizarAuthor Commented:
I have tried what you have suggested, and am unable to identify the duplicate SPN. Maybe I'm just not understanding it. But what I posted above is the output of these attempts. Do you see a duplicate there?
Build your data science skills into a career

Are you ready to take your data science career to the next step, or break into data science? With Springboard’s Data Science Career Track, you’ll master data science topics, have personalized career guidance, weekly calls with a data science expert, and a job guarantee.

AmitIT ArchitectCommented:
Below is the solution for your issue
IthizarAuthor Commented:
As I have already said, I have used the tools to attempt to identify the duplicate SPN. And I have posted the output I am getting above. I am not seeing any duplicates in that output. That's what I don't understand. Do you see duplicates in what I posted?
Anthony PerkinsCommented:
>>I have used the tools to attempt to identify the duplicate SPN.<<
So you are saying that you tried the following and there were no results?
IthizarAuthor Commented:
The -X switch does not appear to be a valid switch. When I use it, it simply displays a help screen listing the valid switches, of which that is not one.
Anthony PerkinsCommented:
Sure it is.  Perhaps you are using an older version.  This is what I get when I type setspn /?:
Usage: setspn [switches data] computername
  Where "computername" can be the name or domain\name

   -F = perform the duplicate checking on forestwide level
   -P = do not show progress (useful for redirecting output to file)
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R computername
   -A = add arbitrary SPN
    Usage:   setspn -A SPN computername
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN computername
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN computername
   -L = list registered SPNs
    Usage:   setspn [-L] computername
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
    Usage:   setspn -X

setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -A http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1" if no such SPN exists in the forest
Anthony PerkinsConnect With a Mentor Commented:
Yep, that is what it is.  See here:
New features in SETSPN.EXE on Windows Server 2008
IthizarAuthor Commented:
Well, we have a Server 2008 machine in the mix, but our domain controllers are both 2003. I can run SetSPN from the 2008 box, but will that work correctly with the 2003 DC's?
Anthony PerkinsCommented:
It is just a utility.  Use it where ever it works for you.
IthizarAuthor Commented:
Continuing to work on this; will report back...
IthizarAuthor Commented:
I've requested that this question be deleted for the following reason:

Never found a solution. Going to repost as a fresh question.
IthizarAuthor Commented:
Got a solution. Cancelling delete request to close question and award points.
IthizarAuthor Commented:
Thanks everyone!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.