SPLAT-Tech asked:

KDC / Duplicate SPN - Ghost?

I am having an issue on one of my DCs. I keep getting an event log entry stating I have a duplicate SPN. The DC stops processing logins as a result.

The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/mis45 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for RPCSS/mis45 in Active Directory.

I am not, however, able to find the duplicate SPN stated in the log entry.

C:\>setspn -X
Checking domain DC=splat,DC=com
Processing entry 11
found 0 group of duplicate SPNs.

C:\>setspn -l mis45
Registered ServicePrincipalNames for CN=MIS45,CN=Computers,DC=splat,DC=com:
        TERMSRV/mis45.splat.com
        RestrictedKrbHost/MIS45
        HOST/MIS45
        RestrictedKrbHost/MIS45.splat.com
        HOST/MIS45.splat.com
C:\>
I also ran the query at the forest level and got 71 groups of duplicate entries on different systems. Some that don't exist anymore and some that still do, including the mentioned culprit. The duplicates are, however, on child domains. (I will deal with those later.)

Why can't I find the duplicate SPN?
Could the duplicate SPN mentioned be in one of the child domains?
Why is only this DC getting the log entry?
motnahp00:

Did you clone any of your DCs?
SPLAT-Tech (asker):

No cloning. They were all set up clean.
compdigit44:

Was this server rebuilt using the same host name? If so, was it properly removed from the domain?

What were the last changes you made in your environment before this error started?

SPLAT-Tech (asker):

The server is a new DC. Nothing has been done to that server. The only changes that have happened on the domain are that we have been demoting satellite DCs.

I have demoted 50+ DCs over the past 6 months. All of the sites that used to have DCs are now looking to the affected DC for authentication.
Do you have your Active Directory and Sites configured correctly with site names and subnets?
SPLAT-Tech (asker):

Absolutely. Has been checked and verified several times.

compdigit44:

Were there any FSMO roles on the server?

Have you tried to use NTDSUTIL to see if there are any remains of the old server still present in AD?
ASKER CERTIFIED SOLUTION
motnahp00:

This solution is only available to members.
SPLAT-Tech (asker):

Tried and failed before posting the issue. Tried it again just for kicks. Still happening.
CompDigit... there are no FSMO roles on this server. All servers have been removed properly.

compdigit44:

When you ran the repadmin /syncall you stated it failed. If this is the case, this would explain why parts of your old servers are still showing up in AD. Now we have to figure out why replication is broken.
SOLUTION

This solution is only available to members.
SPLAT-Tech (asker):

Compdigit... I meant failed as in "failed to fix the issue".

Problem is fixed.
I ran SETSPN -F -X and got 82 hits of duplicate SPN groups. I zapped each one of them until they were all gone.
Then I ran another sync with REPADMIN /SYNCALL DCNAME DC=DOMAIN,DC=LOCAL /D /E

Have not had the issue since. The interesting thing is that none of the duplicate SPNs were from the DCs that were removed. They were all from existing corporate office systems.

Thanks for the suggestions and the help.
Great questions and suggestions.

Hello SPLAT-Tech,

may I kindly ask you, how did you zap them?

I have several found like this:

HOST/atads001.aa.xxx.yyy is registered on these accounts:
        CN=ATADS001\0ACNF:a757649c-f8bc-429d-88ce-8e02f97276a7,OU=Domain Controllers,DC=aa,DC=xxx,DC=yyy
        CN=ATADS001,OU=Domain Controllers,DC=aa,DC=xxx,DC=yyy
and I am unable to remove the one with 0ACNF trying with this command:

setspn -D HOST/atads001.aa.xxx.yyy ATADS001\0ACNF:a757649c-f8bc-429d-88ce-8e02f97276a7


Any hints how to remove it?

Thanks!
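An added example, not from this thread and not part of Microsoft's setspn tool, that does from PowerShell what the forest-level setspn -F -X scan in the accepted resolution does: it searches a Global Catalog for every servicePrincipalName, groups the values case-insensitively, reports each SPN held by two or more accounts, and lists separately any owner whose RDN carries the \0ACNF: replication-conflict marker seen in the post above. Assumptions: it runs on a domain-joined Windows host whose account can read the GC, and the function names Get-ForestSpnMap and Find-DuplicateSpn are my own.

```powershell
# Added example: forest-wide duplicate SPN report from PowerShell.
# Not from the thread; function names are my own. Assumes a domain-joined
# Windows host whose account can read the Global Catalog.

function Get-ForestSpnMap {
    # Returns a case-insensitive hashtable mapping each SPN to the list of
    # distinguished names that hold it. A GC search is used so that accounts
    # in child domains are covered, as with setspn -F.
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcRoot   = [ADSI]("GC://" + $forest.RootDomain.Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $searcher.Filter   = "(servicePrincipalName=*)"
    $searcher.PageSize = 1000          # paged search; large forests exceed the default result limit
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

    $map = New-Object System.Collections.Hashtable -ArgumentList ([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($entry in $searcher.FindAll()) {
        $dn = [string]$entry.Properties["distinguishedname"][0]
        foreach ($spn in $entry.Properties["serviceprincipalname"]) {
            if (-not $map.ContainsKey($spn)) {
                $map[$spn] = New-Object System.Collections.ArrayList
            }
            [void]$map[$spn].Add($dn)
        }
    }
    return $map
}

function Find-DuplicateSpn {
    # Emits one object per SPN registered on two or more accounts. Owners whose
    # RDN carries "\0ACNF:<guid>" are replication-conflict objects and are listed
    # separately, since those are the entries the last post could not clean up.
    param([hashtable]$SpnMap = (Get-ForestSpnMap))

    foreach ($spn in $SpnMap.Keys) {
        $owners = $SpnMap[$spn]
        if ($owners.Count -lt 2) { continue }
        [pscustomobject]@{
            SPN             = $spn
            Count           = $owners.Count
            Accounts        = @($owners)
            ConflictObjects = @($owners | Where-Object { $_ -match '\\0ACNF:' })
        }
    }
}

# Usage: worst offenders first, with conflict objects called out per group.
Find-DuplicateSpn | Sort-Object Count -Descending | Format-List
```

Kerberos compares SPNs case-insensitively, hence the OrdinalIgnoreCase comparer: HOST/MIS45 and host/mis45 land in the same group, which is the behaviour the KDC's duplicate check cares about. A CNF-mangled object is what Active Directory creates when the same DN is created on two domain controllers before they replicate, so an entry in ConflictObjects tells you the duplicate is a replication leftover rather than a second live account, which is worth knowing before anything is deleted.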