asked on
Which duplicate SQL spn should I delete?
Server 2008 R2, SQL server 2010.
The event viewer on my domain controller in the system log shows:
SetSPN -X ran on the SQL server shows that there are 2 groups of duplicate SPNs:
I gather that I should have one entry for the server account, plus an entry for the server account plus port 1433 like this:
or one entry for the administrator user account, plus an entry for the administrator user account plus port 1433 like this:
However, I should not have my existing entries that lists both the administrator account and the server account. The problem is I don't know if I should delete the server account entry or the user account entry.
In the SQL Server Configuration Manager (Local)>SQL Server Services>SQL Server (MSSQLSERVER) the Log On As column shows Adminstrator@contoso.local
However, there are other services in that detail pane [SQL Server Browser, SQL Server Reporting Services (MSSQLSERVER)] that show NT Authority\LOCALSERVICE and NT Authority\NetworkService respectively in the Log On As column. I'm not sure if the network service and or local service entries in the Log On As column mean that I need to have the SPN entries for the server account that have the second line that reads "CN=Server1, OU=SQL Servers, DC=contoso, DC=local".
Which of the duplicate SPNs is the record that I need to keep and which do I need to delete? I've seen posts where someone deleted the wrong one and all hell broke loose.
The event viewer on my domain controller in the system log shows:
Event 11 the KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/server1.contoso.l
SetSPN -X ran on the SQL server shows that there are 2 groups of duplicate SPNs:
MSSQLSvc/server1.contoso.l
CN=Administrator, CN=Users, DC=contoso, DC=local
CN=Server1, OU=SQL Servers, DC=contoso, DC=local
MSSQLSvc/server1.contoso.l
CN=Administrator,CN=Users,
CN=Server1,OU+SQL Servers,DC=contoso,DC=loca
found 2 groups of duplicate SPNs.
I gather that I should have one entry for the server account, plus an entry for the server account plus port 1433 like this:
MSSQLSvc/server1.contoso.l
[
CN=Server1, OU=SQL Servers, DC=contoso, DC=local
MSSQLSvc/server1.contoso.l
CN=Server1,OU+SQL Servers,DC=contoso,DC=loca
or one entry for the administrator user account, plus an entry for the administrator user account plus port 1433 like this:
MSSQLSvc/server1.contoso.l
CN=Administrator, CN=Users, DC=contoso, DC=local
MSSQLSvc/server1.contoso.l
CN=Administrator,CN=Users,
However, I should not have my existing entries that lists both the administrator account and the server account. The problem is I don't know if I should delete the server account entry or the user account entry.
In the SQL Server Configuration Manager (Local)>SQL Server Services>SQL Server (MSSQLSERVER) the Log On As column shows Adminstrator@contoso.local
However, there are other services in that detail pane [SQL Server Browser, SQL Server Reporting Services (MSSQLSERVER)] that show NT Authority\LOCALSERVICE and NT Authority\NetworkService respectively in the Log On As column. I'm not sure if the network service and or local service entries in the Log On As column mean that I need to have the SPN entries for the server account that have the second line that reads "CN=Server1, OU=SQL Servers, DC=contoso, DC=local".
Which of the duplicate SPNs is the record that I need to keep and which do I need to delete? I've seen posts where someone deleted the wrong one and all hell broke loose.
Microsoft SQL Server
Last Comment
Vitor Montalvão