
  • KDC errors related to spn

    I have a server that is getting KDC error 11. Here it is listed below:

    There are multiple accounts with name MSSQLSvc/mrcsql2k.milrose-ny.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

    I did a setspn.exe -L
    and got the following result:

    C:\Documents and Settings\Administrator.MILROSE_PDC>setspn -L mrcsql2k
    Registered ServicePrincipalNames for CN=MRCSQL2K,CN=Computers,DC=milrose-ny,DC=com:
    Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/mrcsql2k.milrose-ny.com
    HOST/mrcsql2k.milrose-ny.com
    HOST/MRCSQL2K
    MSSQLSvc/MRCSQL2K:1433
    MSSQLSvc/mrcsql2k.milrose-ny.com:1433
    Backup Exec System Recovery Agent 6.5/mrcsql2k.milrose-ny.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/mrcsql2k.milrose-ny.com
    DNS/mrcsql2k.milrose-ny.com

    What SPN do I delete to resolve my issue?

    Thanks

  • #2
    Re: KDC errors related to spn

    What account is the SQL server running under?



    • #3
      Re: KDC errors related to spn

      Copy this script code:
      http://www.microsoft.com/technet/scr.../spnquery.mspx
      save as c:\spnquery.vbs

      Run this command line:
      cscript "c:\spnquery.vbs" MSSQLSvc/mrcsql2k* >"c:\check_SPN.txt"

      Open c:\check_SPN.txt and search for the SPN that is reported in the event log.


      - http://support.microsoft.com/kb/321044
      - http://www.eventid.net/display.asp?e...ce=KDC&phase=1



      \Rems
      Last edited by Rems; 26th August 2008, 19:00.

      This posting is provided "AS IS" with no warranties, and confers no rights.

      __________________

      ** Remember to give credit where credit's due **
      and leave Reputation Points for meaningful posts



      • #4
        Re: KDC errors related to spn

        To answer your question...

        It runs as the System service.

        Now I have another question...
        Do I run the script on the DC or the server in question?


        Many thanks



        • #5
          Re: KDC errors related to spn

          Figured it out; here are my results



          CN=Administrator,OU=System Accounts,DC=milrose-ny,DC=com
          Class: user
          User Logon: Administrator
          -- MSSQLSvc/mrcsql2k.milrose-ny.com:1433
          -- MSSQLSvc/mrcnysql1.milrose-ny.com:1433
          -- MSSQLSvc/mrcsql2kold.milrose-ny.com:1433
          -- MSSQLSvc/mrcsql01.milrose-ny.com:1433
          -- MSSQLSvc/mrcdev0:1433
          CN=MRCSQL2K,CN=Computers,DC=milrose-ny,DC=com
          Class: computer
          Computer DNS: mrcsql2k.milrose-ny.com
          -- Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/mrcsql2k.milrose-ny.com
          -- HOST/mrcsql2k.milrose-ny.com
          -- HOST/MRCSQL2K
          -- MSSQLSvc/MRCSQL2K:1433
          -- MSSQLSvc/mrcsql2k.milrose-ny.com:1433
          -- Backup Exec System Recovery Agent 6.5/mrcsql2k.milrose-ny.com
          -- NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/mrcsql2k.milrose-ny.com
          -- DNS/mrcsql2k.milrose-ny.com


          Now what?

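The listing above is exactly the kind of output where the duplicate is easy to miss by eye: two objects hold MSSQLSvc/mrcsql2k.milrose-ny.com:1433, while MSSQLSvc/MRCSQL2K:1433 only looks similar (short name, different SPN). The script below is an added example, not part of this thread or of the spnquery.vbs script: it parses spnquery-style output, reports every SPN held by more than one object, and, given whether the service runs as Local System, says which copy is the stale one. The sample input is constructed from the listing posted above; the function names and the assumption that the SPN belongs on the computer object when the service runs as Local System (and on the user object otherwise) are mine.

```python
"""Find Service Principal Names registered on more than one AD object.

Added example, not from the thread. Parses the text produced by the
spnquery.vbs script (object DN, "Class:" line, then "-- SPN" lines) and
flags SPNs that appear under more than one distinguished name, which is
the condition behind the KDC "multiple accounts with name ..." event.
"""
from collections import defaultdict

# Constructed sample: copied from the spnquery output pasted in post #5.
SAMPLE_OUTPUT = """\
CN=Administrator,OU=System Accounts,DC=milrose-ny,DC=com
Class: user
User Logon: Administrator
-- MSSQLSvc/mrcsql2k.milrose-ny.com:1433
-- MSSQLSvc/mrcnysql1.milrose-ny.com:1433
-- MSSQLSvc/mrcsql2kold.milrose-ny.com:1433
-- MSSQLSvc/mrcsql01.milrose-ny.com:1433
-- MSSQLSvc/mrcdev0:1433
CN=MRCSQL2K,CN=Computers,DC=milrose-ny,DC=com
Class: computer
Computer DNS: mrcsql2k.milrose-ny.com
-- Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/mrcsql2k.milrose-ny.com
-- HOST/mrcsql2k.milrose-ny.com
-- HOST/MRCSQL2K
-- MSSQLSvc/MRCSQL2K:1433
-- MSSQLSvc/mrcsql2k.milrose-ny.com:1433
-- Backup Exec System Recovery Agent 6.5/mrcsql2k.milrose-ny.com
-- NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/mrcsql2k.milrose-ny.com
-- DNS/mrcsql2k.milrose-ny.com
"""


def parse_spnquery(text):
    """Return {dn: {"class": str, "spns": [...]}} from spnquery-style output."""
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-- "):
            if current is None:
                raise ValueError("SPN line before any object DN: %r" % line)
            objects[current]["spns"].append(line[3:].strip())
        elif line.startswith("Class: "):
            objects[current]["class"] = line[len("Class: "):].strip().lower()
        elif line.upper().startswith(("CN=", "OU=")):
            current = line
            objects[current] = {"class": None, "spns": []}
        # "User Logon:" / "Computer DNS:" lines carry no SPN data; ignored.
    return objects


def find_duplicates(objects):
    """Map each SPN to the set of DNs holding it; keep only SPNs on more than one object.

    Comparison is case-insensitive because the KDC matches SPNs that way, so
    MSSQLSvc/mrcsql2k.milrose-ny.com:1433 and MSSQLSvc/MRCSQL2K.MILROSE-NY.COM:1433
    would still collide, while MSSQLSvc/MRCSQL2K:1433 (short host name) is distinct.
    """
    holders = defaultdict(set)
    for dn, info in objects.items():
        for spn in info["spns"]:
            holders[spn.lower()].add(dn)
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def recommend_removal(objects, duplicates, service_runs_as_local_system=True):
    """For each duplicate SPN, list the DNs it should be removed from.

    Assumption (mine, consistent with post #7): a service running as Local
    System decrypts tickets with the computer account's key, so the SPN
    belongs on the computer object and copies on user objects are stale.
    For a service running as a domain user the reverse applies.
    """
    keep_class = "computer" if service_runs_as_local_system else "user"
    plan = {}
    for spn, dns in duplicates.items():
        plan[spn] = sorted(dn for dn in dns if objects[dn]["class"] != keep_class)
    return plan


if __name__ == "__main__":
    objs = parse_spnquery(SAMPLE_OUTPUT)
    dups = find_duplicates(objs)
    for spn, remove_from in recommend_removal(objs, dups).items():
        print("duplicate SPN %s held by %d objects" % (spn, len(dups[spn])))
        for dn in remove_from:
            print("  remove from: %s" % dn)
```

Run against the pasted listing it reports a single duplicate, MSSQLSvc/mrcsql2k.milrose-ny.com:1433, and recommends removing it from CN=Administrator, which is the conclusion the thread reaches below. Re-run the same parse after the removal to confirm the duplicate is gone before trusting the event log to go quiet.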


          • #6
            Re: KDC errors related to spn

            Oops, too late with my answer, didn't refresh my screen.

            Originally posted by mlabs:
            Do I run the script on the DC or the server in question?
            You can run it from any server that has joined the domain and has direct access to the Global Catalog.

            Or run it from a GC server DC just to be sure.


            \Rems
            Last edited by Rems; 26th August 2008, 19:36.




            • #7
              Re: KDC errors related to spn

              If the SQL service is running as System remove the MSSQLSvc/mrcsql2k.milrose-ny.com:1433 SPN from the Administrator account.



              • #8
                Re: KDC errors related to spn

                OK, dumb question... but what would the command be to remove it?

                Thanks, many many thanks



                • #9
                  Re: KDC errors related to spn

                  Quote:
                  (http://blogs.technet.com/askds/archi...es-part-2.aspx)
                  ... we see duplicate Service Principal Name issues quite frequently. Usually this is when the Administrator has used the SetSPN on different accounts in an effort to get Kerberos Authentication to work. One great example of this is MS SQL. If you install MS SQL as an Administrator of the domain, it will add the MSSQLSVC SPN to the SQL Server’s computer account; later an Administrator changes the SQL Service startup account from Local System to a domain account and Kerberos Authentication starts to fail. Usually we will find that the MSSQLSVC SPN is configured on both the computer account as well as the domain user account that is used to run the service.


                  Since you should remove only the duplicate servicePrincipalName, you must do that manually by using ADSIEDIT.msc



                  To do this, follow these steps:
                  1. Start the ADSI Edit tool. To do this, click Start, click Run, type adsiedit.msc, and then click OK.
                    Note The ADSI Edit tool is included with the Windows Server 2003 Support Tools (register the dll: regsvr32 adsiedit.dll ).
                  2. Connect to a domain controller if ADSI Edit is not already connected to a domain controller.
                  3. Expand Domain [domainControllerName.example.com], expand DC=milrose-ny,DC=com, and then expand CN=System Accounts.
                    Note If the account for which you want to modify the SPN is located in a different container, modify this path as appropriate.
                  4. Right-click CN=Administrator, and then click Properties.
                  5. On the Attribute Editor tab, click to select both the following check boxes:
                    • Show mandatory attributes
                    • Show optional attributes
                  6. In the Attributes list, click servicePrincipalName, and then click Edit.
                  7. In the Multi-valued String Editor dialog box, click MSSQLSvc/mrcsql2k.milrose-ny.com:1433, and then click Remove.
                  8. Click OK x times, and then exit the ADSI Edit tool.
                  However, there is also a tool called AdMod.exe that can do that,
                  http://www.joeware.net/freetools/tools/admod/index.htm
                  Code:
                  AdMod.exe -b "CN=Administrator,OU=System Accounts,DC=milrose-ny,DC=com" "ServicePrincipalName:-:MSSQLSvc/mrcsql2k.milrose-ny.com:1433"

                  Note:
                  I have never performed any of the above steps myself, no guarantees.

                  Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. We cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.



                  \Rems




                  • #10
                    Re: KDC errors related to spn

                    setspn -d MSSQLSvc/mrcsql2k.milrose-ny.com:1433 Administrator
