KDC Error 11

  • Thread starter Thread starter John Rosenlof
  • Start date Start date
J

John Rosenlof

Hi,

I'm having a really hard time figuring this out and I was hoping somebody
here might be able to shed some light on this.

We keep getting KDC errors of type 11 in the system event log. They say
that there are multiple accounts with the name... and then it lists
different names in each message, but they are all based on the same computer
and they are all of type10.
Ex:
HOST/ATLANTA, HOST/ATLANTA.DOMAIN.COM, HOST/atlanta.DOMAIN.COM,
HOST/Atlanta, cifs/ATLANTA.DOMAIN.COM, cifs/ATLANTA,
HTTP/atlanta.DOMAIN.COM, HTTP/ATLANTA

I've read the KB article on how to find duplicate SPN's. LDP didn't help,
but the ldifde utility did. I printed out a file with our domain as a base
(dc=domain,dc=dom) and found multiple spn's under Atlanta's computer
account. I used ADSIEdit and found these spn's under the properties page of
cn=atlanta, cn=computers,dc=domain,dc=com. Here are the spn's from Atlanta:
HOST/ATLANTA
HOST/atlanta.DOMAIN.COM
MSSQLSvc/atlanta.DOMAIN.COM:4819
SMTPSVC/ATLANTA
SMTPSVC/atlanta.DOMAIN.COM

This server isn't running our SQL servers, but it is our CRM server. I'm
trying to figure out 1) how it came to have those duplicate spn's 2) what
the impact would be of deleting some (especially on CRM) 3) which ones to
delete 4) what cifs and HTTP have to do with those duplicate spn's if
they're not even listed in the spn list from atlanta.

Any ideas or help? Thanks a lot in advance.

-John
 
Hello John.
I had exactly same behavior when I used CRM on a domain controller that's
not recommended. The problem I had was that the administrator account had
got one of the same SPs as the server, So look into the service principal
names for the administrator account and see if you have a duplication there
with your server atlantas service principal names. I don't think I matters
here but are you running the SQL Server under the local system account? If
you are using a domain account as service account.
You can use setspn -A MSSQLSvc/foo.bar.com domain\account

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Hi,

Thanks! That appears to be what it was. When I would use LDP to run the
search for the spn's it would keep returning the administrator account and
atlanta. I just thought that the instructions were wrong, but I guess not!
I would have never figured that out, thanks. Can I delete those from the
administrator account without messing up CRM?

Also, could you explain a little more fully about the stuff you said about
running SQL Server under the local system account? I'm not the database
expert, but I can figure it out. I just need a few more details. I really
appreciate all of your help. Thanks a lot.

-John
 
Hello John,
Yes you can remove the duplicated SPN from the administrator account, I'm
the ms ds expert and not the sql server expert either so it may be a good
idea to post the sql question into the sql server newsgroups.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Back
Top