Solved

Duplicate names in AD causing kerberos errors

Posted on 2012-03-21
Last Modified: 2012-03-29
I get this error twice every hour or so on all my DCs.
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/servername.domain.com:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/servername.domain.com:1433 in Active Directory.


When I ran a listing of all SPN entries, I see the server itself has the principal name listed as well as the SQL administrator account.

All other talk of this error suggests removing the bad server SPN, but I'm not sure which isn't supposed to have the entry. Server or AdminAccount?

I tried rebinding to AD but that didn't resolve the errors.

Any help would be great.
0
Question by:deeburp
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37747923
Try deleting the AdminAccount
0
 
LVL 1

Author Comment

by:deeburp
ID: 37747966
Delete the admin account itself, or just the SPN information about the server service that is on the account?

I.e. this below:

dn: CN=adminaccountsql,OU=Administrators,DC=domain,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/devserver.domain.com:1433
servicePrincipalName: MSSQLSvc/servername.domain.com:1433
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37747975
So, you are using the Admin account on multiple SQL servers?
0
 
LVL 1

Author Comment

by:deeburp
ID: 37748001
Correct, we have one used on both our production and dev servers.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37748113
Alright, try using a different account for the other SQL service; that might clear the dup up.
0
 
LVL 1

Author Comment

by:deeburp
ID: 37748150
Well, we actually don't have the dev server anymore, so perhaps I can just delete that entry from the admin account?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37748152
Yeah, give that a shot.
0
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
ID: 37749328
If the SQL service runs with the Network Service account, the SPN should be registered on the server object.

If the SQL service runs with a service account ("AdminAccount"), then the SPN should be registered on the user object.
0
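
The rule in the accepted answer, as an added PowerShell example (not code from the thread): it lists every object holding the SPN, reads the SQL service's logon account, and previews removal of the SPN from the objects that should not hold it. It assumes the ActiveDirectory module, the default-instance service name MSSQLSERVER, and the thread's sanitized host and SPN names as placeholders; treating LocalSystem and virtual accounts like Network Service goes beyond what the answer states.

```powershell
# Added example; host, SPN and service name are placeholders/assumptions.
Import-Module ActiveDirectory

$Spn        = 'MSSQLSvc/servername.domain.com:1433'  # SPN named in the KDC event
$SqlHost    = 'servername'                           # server running SQL Server
$SqlService = 'MSSQLSERVER'                          # assumption: default instance

# 1. Every object carrying the SPN; more than one is the duplicate the KDC reports.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
$holders | Format-Table sAMAccountName, ObjectClass, DistinguishedName -AutoSize

# 2. The account the SQL service actually logs on as.
$svc = Get-CimInstance Win32_Service -ComputerName $SqlHost -Filter "Name='$SqlService'"
if (-not $svc) { throw "Service $SqlService not found on $SqlHost" }
$startName = $svc.StartName

# 3. Built-in identities authenticate on the network as the computer account,
#    so the SPN belongs on the server object; otherwise on the service user.
$builtin = 'LocalSystem', 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE'
if ($builtin -contains $startName -or $startName -like 'NT SERVICE\*') {
    $owner = '{0}$' -f $SqlHost
} else {
    $owner = (($startName -split '\\')[-1] -split '@')[0]   # DOMAIN\user or user@domain
}
"Service runs as '$startName'; SPN should be on '$owner'"

# 4. Preview removal from every other holder. -WhatIf makes no change;
#    drop it only after reviewing the output.
if ($holders.sAMAccountName -notcontains $owner) {
    Write-Warning "$owner does not hold $Spn; register it there before removing others."
}
foreach ($obj in $holders | Where-Object { $_.sAMAccountName -ne $owner }) {
    Set-ADObject -Identity $obj -Remove @{ servicePrincipalName = $Spn } -WhatIf
}
```

Once the change is applied, rerunning step 1 should return a single holder, and the KDC duplicate-name events should stop appearing on the domain controllers.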
 
LVL 1

Author Closing Comment

by:deeburp
ID: 37783174
Looks like this worked. I have just the adminaccount running as the service, so I've removed the SPN for the server itself. So far no errors in the DC logs.
0

Question has a verified solution.