Solved

Event 11 Error: The KDC encountered duplicate names while processing a Kerberos authentication request.

Posted on 2011-03-22
3
6,431 Views
Last Modified: 2012-05-11
Hi guys, we have this error coming up on our DC... Server 2008R2.... domain trust 2003....

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/WGE-PER-SQL-01.wge.internal:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/WGE-PER-SQL-01.wge.internal:1433 in Active Directory.

and this one which seems to be identical except for the name being in lowercase....

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/wge-per-sql-01.wge.internal:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/wge-per-sql-01.wge.internal:1433 in Active Directory.

and this one.....

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/COMPAQ_SQL.wge.internal:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/COMPAQ_SQL.wge.internal:1433 in Active Directory.

Found this technet post which seems to be relevant to some degree but couldn't work out what i need to delete...

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ba6a67c2-ee45-4dcc-9ce4-fb6ebceb1c2a/

These are the results of the spnquery.vbs run on the DC......

cscript spnquery.vbs MSSQLSvc/COMPAQ_SQL.wge.internal:1433

CN=Administrator,CN=Users,DC=wge,DC=internal
Class: user
User Logon: Administrator
-- MSSQLSvc/compaq_sql.wge.internal:1433
-- MSSQLSvc/WGE-MEL-APP-01.wge.internal:SQLEXPRESS
-- MSSQLSvc/WGE-MEL-APP-01.wge.internal:52989
-- MSSQLSvc/persurf55.wge.internal:1433

CN=admin.sql,CN=Users,DC=wge,DC=internal
Class: user
User Logon: admin.sql
-- MSSQLSvc/wge-per-sql-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal:1433
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:49491
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:SQLEXPRESS
-- MSSQLSvc/compaq_sql.wge.internal:1433

cscript spnquery.vbs MSSQLSvc/wge-per-sql-01.wge.internal:1433

CN=WGE-PER-SQL-01,OU=Servers,OU=Perth,OU=WGE Sites,DC=wge,DC=internal
Class: computer
Computer DNS: WGE-PER-SQL-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal:1433
-- WSMAN/wge-per-sql-01
-- WSMAN/wge-per-sql-01.wge.internal
-- TERMSRV/wge-per-sql-01.wge.internal
-- TERMSRV/WGE-PER-SQL-01
-- RestrictedKrbHost/WGE-PER-SQL-01
-- HOST/WGE-PER-SQL-01
-- RestrictedKrbHost/WGE-PER-SQL-01.wge.internal
-- HOST/WGE-PER-SQL-01.wge.internal

CN=admin.sql,CN=Users,DC=wge,DC=internal
Class: user
User Logon: admin.sql
-- MSSQLSvc/wge-per-sql-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal:1433
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:49491
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:SQLEXPRESS
-- MSSQLSvc/compaq_sql.wge.internal:1433

cscript spnquery.vbs MSSQLSvc/WGE-PER-SQL-01.wge.internal:1433

CN=WGE-PER-SQL-01,OU=Servers,OU=Perth,OU=WGE Sites,DC=wge,DC=internal
Class: computer
Computer DNS: WGE-PER-SQL-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal:1433
-- WSMAN/wge-per-sql-01
-- WSMAN/wge-per-sql-01.wge.internal
-- TERMSRV/wge-per-sql-01.wge.internal
-- TERMSRV/WGE-PER-SQL-01
-- RestrictedKrbHost/WGE-PER-SQL-01
-- HOST/WGE-PER-SQL-01
-- RestrictedKrbHost/WGE-PER-SQL-01.wge.internal
-- HOST/WGE-PER-SQL-01.wge.internal

CN=admin.sql,CN=Users,DC=wge,DC=internal
Class: user
User Logon: admin.sql
-- MSSQLSvc/wge-per-sql-01.wge.internal
-- MSSQLSvc/wge-per-sql-01.wge.internal:1433
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:49491
-- MSSQLSvc/WGE-SYD-APP-01.wge.internal:SQLEXPRESS
-- MSSQLSvc/compaq_sql.wge.internal:1433


Any Ideas experts?
0
Comment
Question by:WGE_ENRB
3 Comments
 

Author Comment

by:WGE_ENRB
ID: 35196235
Additionally I have the following Results...

C:\>setspn -x
Checking domain DC=wge,DC=internal
Processing entry 4
MSSQLSvc/compaq_sql.wge.internal:1433 is registered on these accounts:
        CN=admin.sql,CN=Users,DC=wge,DC=internal
        CN=Administrator,CN=Users,DC=wge,DC=internal

MSSQLSvc/wge-per-sql-01.wge.internal:1433 is registered on these accounts:
        CN=admin.sql,CN=Users,DC=wge,DC=internal
        CN=WGE-PER-SQL-01,OU=Servers,OU=Perth,OU=WGE Sites,DC=wge,DC=internal

MSSQLSvc/wge-per-sql-01.wge.internal is registered on these accounts:
        CN=admin.sql,CN=Users,DC=wge,DC=internal
        CN=WGE-PER-SQL-01,OU=Servers,OU=Perth,OU=WGE Sites,DC=wge,DC=internal

MSSQLSvc/WGE-MEL-APP-01.wge.internal:52989 is registered on these accounts:
        CN=Administrator,CN=Users,DC=wge,DC=internal
        CN=WGE-MEL-APP-01,OU=Servers,OU=Melbourne,OU=WGE Sites,DC=wge,DC=internal

MSSQLSvc/WGE-MEL-APP-01.wge.internal:SQLEXPRESS is registered on these accounts:

        CN=Administrator,CN=Users,DC=wge,DC=internal
        CN=WGE-MEL-APP-01,OU=Servers,OU=Melbourne,OU=WGE Sites,DC=wge,DC=internal

found 5 groups of duplicate SPNs.
0
 
LVL 3

Expert Comment

by:barane
ID: 35196277
Your Event log triggers duplicate names as: MSSQLSvc/wge-per-sql-01.wge.internal:1433,
MSSQLSvc/WGE-PER-SQL-01.wge.internal:1433 ,

Just delete this duplicate entires
0
 
LVL 8

Accepted Solution

by:
ActiveDirectoryman earned 500 total points
ID: 35196329

THIS IS WILL SHOW YOU STEP BY STEP HOW TO REMOVE THE DUPLICATE SPNS
http://social.technet.microsoft.com/Forums/en/winservergen/thread/09a86d74-de48-4bda-9cc9-435da4f59910
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Via a live example, show how to setup several different housekeeping processes for a SQL Server.
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question