Windows Server 2008 R2 SetSPN KDC Duplicate Names

I am running into this error on my PDC.  I can't log into the server with any accounts, but I do have member servers.  Full error:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is cifs/ (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for cifs/ in Active Directory.

When I run setspn -X the query doesn't have any results. I am not 100% sure how to find the duplicate accounts other than what shows in the event viewer. I have two accounts showing cifs/ and host/. I am not sure of the best way to remove them as well.
Any thoughts there?
Thanks!
datadrew asked:
Randy Downs (Owner) commented:
Try this.

You don't need to actually search for duplicates - they are actually already listed in your original post i.e.:

CN=Administrator,CN=Users,DC=westpex,DC=com,DC=hk
Class: user
User Logon: Administrator
-- MSSQLSvc/db1.westpex.com.hk:1433
CN=DB1,CN=Computers,DC=westpex,DC=com,DC=hk
Class: computer
-- MSSQLSvc/db1.westpex.com.hk:1433

You should delete one of them - however, first, you need to determine which one is valid. SPNs are used to facilitate Kerberos authentication - in this case, it appears that it is providing Windows-integrated authentication against the SQL Server. Locate the westpex computer and find out which account's security context the SQL Server service executes in. If this is the Administrator account, delete the second one - otherwise (if this is a local System or Network Service account), delete the first one.

You can accomplish this using ADSIEdit.msc. After you launch the tool, drill down the Domain node and locate the account you identified in the previous step (i.e. the one for which you need to delete the SPN). Right-click on it and select Properties from the context-sensitive menu. In the Properties dialog box, scroll down to the servicePrincipalName entry and click on the Edit command button. In the Multi-valued String Editor dialog box, locate the value you want to remove and click on the Remove command button.
datadrew (Author) commented:
I read that, and it is terribly vague. I am not exactly sure where to find the host/ and cifs/ user accounts in ADSIedit.
Randy Downs (Owner) commented:
Are you connected to the domain in ADSI? If so, drilling down to hosts & Users shouldn't be a problem.
datadrew (Author) commented:
I am connected to the PDC via ADSIedit on the backup domain controller. I don't see anything that says hosts; I do see a Users CN, but nothing in there has anything that I am looking for.
From ADSIedit.
Connection point: default naming context
Path: LDAP://pdc.domain.local/default naming context
Computer: PDC
Randy Downs (Owner) commented:
Look in Computers or Domain Controllers to see if you can find a matching host.
datadrew (Author) commented:
There was nothing there; I did find it using LDP.exe.

It was purged, and it does reappear.  I am looking for the service that is causing the multiple spn creation.
Randy Downs (Owner) commented:
How quickly does it reappear? If it's instantaneous, shutting down services until it goes away should be easy enough. You could shut down several processes at once to speed up the process, or even half of them to narrow the field. Since it's a live server you may want to do the troubleshooting after hours.
Randy Downs (Owner) commented:
Maybe this article will help you locate the service.

If SPNs are so critical for Kerberos to work, why oh why is it so simple to create duplicate SPNs in the AD?
A nice, simple LDAP warning - duplicate field not allowed - would probably save hours/days of troubleshooting.
We've written our own SetSPN app that runs a simple search preventing our IIS admins from shooting themselves in the foot.
The best advice I've ever seen was this call into Search.vbs:
Cscript "C:\Program Files\Support Tools\search.vbs" "LDAP://dc=Domain,dc=com" /C:"(serviceprincipalname=%1)" /S:Subtree /P:DistinguishedName
Replacing dc=Domain,dc=com with our domain.
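An added example, not from this thread or the quoted article, that performs the same LDAP search from PowerShell using the .NET DirectorySearcher instead of search.vbs: with -Spn it lists every object holding one SPN (like the %1 filter above), and without it it walks every SPN in the domain and reports those held by more than one object. The parameter names are my own assumptions.

```powershell
# Added example: find objects holding a given SPN, or every SPN registered on more
# than one object, with a single paged LDAP search (no ActiveDirectory module needed).
param(
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,  # e.g. DC=domain,DC=local
    [string]$Spn                                                           # optional, e.g. cifs/pdc.domain.local
)

# Search one SPN if given, otherwise every object that has any SPN at all.
$filter = if ($Spn) { "(servicePrincipalName=$Spn)" } else { "(servicePrincipalName=*)" }

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
$searcher.Filter      = $filter
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000          # paging so large domains are enumerated completely
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

# Map each SPN to the distinguished names that hold it. SPN comparison is
# case-insensitive, so the key is lower-cased before grouping.
$owners = @{}
foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties["distinguishedname"][0]
    foreach ($value in $result.Properties["serviceprincipalname"]) {
        $key = ([string]$value).ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) { $owners[$key] = New-Object System.Collections.ArrayList }
        [void]$owners[$key].Add($dn)
    }
}

if ($Spn) {
    # Single-SPN mode: show everything that holds it, like the search.vbs call.
    $key = $Spn.ToLowerInvariant()
    if ($owners.ContainsKey($key)) { $owners[$key] | ForEach-Object { "$Spn held by $_" } }
    else { "No object in $SearchBase holds $Spn" }
    return
}

# Domain-wide mode: only SPNs registered on more than one object are a problem.
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) { "No duplicate SPNs found in $SearchBase"; return }
foreach ($entry in $duplicates) {
    "Duplicate SPN: $($entry.Key)"
    $entry.Value | ForEach-Object { "    held by $_" }
}
```

Because the thread reports the duplicate returning roughly an hour after it is purged, running this on a schedule and diffing the output shows when it comes back; with Directory Service Changes auditing enabled on the domain NC, the matching Event ID 5136 on the writable DC records which account wrote the servicePrincipalName attribute.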

datadrew (Author) commented:
I will check out that article, but the duplicate usually pops up after about an hour or so.
Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.