deeburp

Duplicate names in AD causing kerberos errors

I get this error twice every hour or so on all my DCs.
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/servername.domain.com:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/servername.domain.com:1433 in Active Directory.


When I ran a listing of all SPN entries, I see the server itself has the principal name listed, as well as the SQL administrator account.

All other talk of this error suggests removing the bad server SPN, but I'm not sure which isn't supposed to have the entry. Server or AdminAccount?

I tried rebinding to AD, but that didn't resolve the errors.

Any help would be great.
Darius Ghassem
Try deleting the AdminAccount
deeburp

ASKER

Delete the admin account itself, or just the SPN information about the server service that is on the account?

i.e. this below:

dn: CN=adminaccountsql,OU=Administrators,DC=domain,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/devserver.domain.com:1433
servicePrincipalName: MSSQLSvc/servername.domain.com:1433

So, you are using the Admin account on multiple SQL servers?

ASKER

Correct, we have one used on both our production and dev servers.

Alright, try using a different account for the other SQL service; that might clear the dup up.

ASKER

Well, we actually don't have the dev server anymore, so perhaps I can just delete that entry from the admin account?

Yeah, give that a shot.
ASKER CERTIFIED SOLUTION
snusgubben
This solution is only available to members.

ASKER

Looks like this worked. I have just the adminaccount running as the service, so I've removed the SPN for the server itself. So far no errors in the DC logs.