How to Delete Dup SPN


jokes54321

Our SQL server has started acting flaky (RPC not talking to the domain) and
I found a duplicate SPN for the SQL services. One is under the server
account and the other is under the Administrator account. SQL runs as a
local system account so I assume I don't need the SPN under the
Administrator account.

I am trying to delete the SPN from the Administrator account using ADSIEdit,
but I can't seem to figure out how to navigate to where that SPN is in order
to delete it.

Any detailed instruction would be appreciated.

Denny
 
Generally you will see a Kerberos event 11, which reports a duplicate SPN. You
need to take an ldifde dump of that SPN, identify it, and then delete it from
ADSIEdit.

Follow these steps:

1) From one DC, run the following command:

ldifde -f filename.txt -t 3268 -d "dc=domain name, dc=com" -l
serviceprincipalname -r "(serviceprincipalname=MSSQLSVC/*)" -p subtree

Then open filename.txt and check for the duplicate SPN. You should see two
SPNs registered with different machines; each machine should have its own SPN
registered.

2) Once you have identified the machine that has the duplicate SPN, open
ADSIEdit.msc and navigate to the location of that machine. Right-click that
machine and select Properties -> Property to view -> servicePrincipalName ->
Remove, and remove the duplicate one from there.

3) Once done, from that DC, run a command to force replication: repadmin
/syncall /P /d /e domain.com. You should see all three partitions replicating
across all DCs in the enterprise and, at the end, the following message:
syncall terminated with no errors.

Alternatively, you can always use replmon to force replication between the
DCs.

4) Once finished, refresh your System log and expect no more Kerberos 11
events. :)
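The same procedure carried out end to end in PowerShell, as an added example that is not part of Denny's reply or of any Microsoft documentation. It runs the post's MSSQLSvc/* search against a global catalog, groups the results so that an SPN held by more than one account stands out, and, only when told to, removes the stray copy from the non-computer holder (the Administrator account in the question, since SQL runs as Local System and the computer object is the correct owner) before forcing replication. The GC name dc1.corp.example, a single-domain forest and the ActiveDirectory RSAT module are assumptions; run it on a DC as a domain admin, and run it once without -Remove to review the report first.

```powershell
<#
  Added example, not code from the original thread. Finds MSSQLSvc/* SPNs that are
  registered on more than one account (forest-wide, through the global catalog),
  reports the holders and, with -Remove, strips the stray copy from every
  non-computer object, then forces replication. Assumptions: the ActiveDirectory
  RSAT module is installed, the forest has a single domain, a GC is reachable as
  dc1.corp.example (placeholder), and SQL Server runs as Local System so the
  computer object is the legitimate owner. Run on a DC as a domain admin.
#>
param(
    [string]$GlobalCatalog = "dc1.corp.example:3268",   # assumed name; any GC will do
    [switch]$Remove                                     # report only unless set
)

Import-Module ActiveDirectory

# 1) Same query as the post's ldifde command (port 3268, subtree, MSSQLSvc/*),
#    issued through the AD cmdlets. An empty SearchBase against a GC port means
#    "search the whole forest".
$holders = Get-ADObject -Server $GlobalCatalog -SearchBase "" -SearchScope Subtree `
    -LDAPFilter "(servicePrincipalName=MSSQLSvc/*)" `
    -Properties servicePrincipalName, sAMAccountName

# 2) Map each SPN to the objects that hold it. SPNs compare case-insensitively,
#    so normalise case; "host:1433" and "host.corp.example:1433" stay distinct
#    because they are different SPNs.
$bySpn = @{}
foreach ($obj in $holders) {
    foreach ($spn in $obj.servicePrincipalName) {
        if ($spn -notlike "MSSQLSvc/*") { continue }
        $key = $spn.ToLowerInvariant()
        if (-not $bySpn.ContainsKey($key)) { $bySpn[$key] = @() }
        $bySpn[$key] += $obj
    }
}

# 3) An SPN must map to exactly one account; otherwise the KDC cannot choose
#    which account's key to encrypt the service ticket with, which is the
#    condition KDC Event 11 in the System log reports.
$dupes = @($bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
if ($dupes.Count -eq 0) { Write-Host "no duplicate MSSQLSvc SPNs found"; return }
foreach ($d in $dupes) {
    Write-Host "DUPLICATE $($d.Key)"
    foreach ($h in $d.Value) {
        Write-Host ("  held by {0,-8} {1}" -f $h.ObjectClass, $h.DistinguishedName)
    }
}
if (-not $Remove) { return }

# 4) Keep the SPN on the computer object (SQL runs as Local System, so tickets
#    must be encrypted with the computer account's key) and remove it from any
#    other holder, e.g. the Administrator user in the question. If SQL ran under
#    a domain service account the choice would be the other way round.
foreach ($d in $dupes) {
    $keepers = @($d.Value | Where-Object { $_.ObjectClass -eq 'computer' })
    if ($keepers.Count -ne 1) {
        Write-Warning "skipping $($d.Key): cannot decide which holder is correct"
        continue
    }
    foreach ($stray in ($d.Value | Where-Object { $_.ObjectClass -ne 'computer' })) {
        # Remove the exact string stored on that object, preserving its case.
        $exact = @($stray.servicePrincipalName | Where-Object { $_.ToLowerInvariant() -eq $d.Key })
        Set-ADObject -Identity $stray.DistinguishedName -Remove @{ servicePrincipalName = $exact }
        Write-Host "removed $exact from $($stray.DistinguishedName)"
    }
}

# 5) Push the change to every DC now rather than waiting for the replication
#    schedule (the post's repadmin step; /A covers all partitions, /e the forest).
& repadmin /syncall /A /e /d /P
```

For a quick check without a script, setspn -X lists duplicate SPNs in the domain and setspn -X -F does so forest-wide, and setspn -D removes a single entry from a named account. After the removal, purge cached tickets on the SQL host and on a test client (klist purge) so they request fresh service tickets, then confirm that no new KDC Event 11 entries appear in the System log.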
 