Duplicate SPN Entry
  • Duplicate SPN Entry

    Hello Petri forum,

    We notice these messages in our event logs on our Windows Server 2003 SP2 domain controllers.

    There are multiple accounts with name MSSQLSvc/Host.Domain.Loc.
    of type DS_SERVICE_PRINCIPAL_NAME.

    EventID 11

    It is one of our SQL servers. First we tried to remove this system and its object from the domain, and add it again.

    I thought it was also possible to solve this issue by removing the duplicate SPN entry with LDP.

    I connected LDP to our domain controller and queried it for the duplicate SPN entry. But it cannot be found. There is only one entry! Can someone help me out?

    Output from LDP:

    ld = ldap_open("", 326;
    Established connection to .
    Retrieving base DSA information...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn:
    1> currentTime: 07/03/2009 08:58:45 W. Europe Standard Time W. Europe Daylight Time;
    1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=Domain, DC=loc;
    1> dsServiceName: CN=NTDS Settings,CN=HostCN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=loc;
    5> namingContexts: DC=Domain,DC=loc; CN=Configuration,DC=Domain,DC=loc; CN=Schema,CN=Configuration,DC=Domain,DC=loc; DC=ForestDnsZones,DC=Domain,DC=loc; DC=DomainDnsZones,DC=Domain,DC=loc;
    1> defaultNamingContext: DC=Domain,DC=loc;
    1> schemaNamingContext: CN=Schema,CN=Configuration,DC=Domain,DC=loc;
    1> configurationNamingContext: CN=Configuration,DC=Domain,DC=loc;
    1> rootDomainNamingContext: DC=,DC=loc;
    23> supportedControl: 1.2.840.113556.1.4.319; 1.2.840.113556.1.4.801; 1.2.840.113556.1.4.473; 1.2.840.113556.1.4.528; 1.2.840.113556.1.4.417; 1.2.840.113556.1.4.619; 1.2.840.113556.1.4.841; 1.2.840.113556.1.4.529; 1.2.840.113556.1.4.805; 1.2.840.113556.1.4.521; 1.2.840.113556.1.4.970; 1.2.840.113556.1.4.1338; 1.2.840.113556.1.4.474; 1.2.840.113556.1.4.1339; 1.2.840.113556.1.4.1340; 1.2.840.113556.1.4.1413; 2.16.840.1.113730.3.4.9; 2.16.840.1.113730.3.4.10; 1.2.840.113556.1.4.1504; 1.2.840.113556.1.4.1852; 1.2.840.113556.1.4.802; 1.2.840.113556.1.4.1907; 1.2.840.113556.1.4.1948;
    2> supportedLDAPVersion: 3; 2;
    12> supportedLDAPPolicies: MaxPoolThreads; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MaxNotificationPerConn; MaxValRange;
    1> highestCommittedUSN: 12066132;
    4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
    1> dnsHostName: Host.Domain.loc;
    1> ldapServiceName: Domain.loc:[email protected];
    1> serverName: CN=Host,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=loc;
    3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
    1> isSynchronized: TRUE;
    1> isGlobalCatalogReady: TRUE;
    1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
    1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    -----------
    res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 115; // v.3
    {NtAuthIdentity: User='administrator'; Pwd= <unavailable>; domain = 'Ourdomain'.}
    Authenticated as dn:'administrator'.a
    Expanding base 'dc=Domain,DC=loc'...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: dc=Domain,DC=loc
    3> objectClass: top; domain; domainDNS;
    1> distinguishedName: DC=Domain,DC=loc;
    1> instanceType: 0x5 = ( DS_INSTANCETYPE_IS_NC_HEAD | IT_WRITE );
    1> whenCreated: 06/12/2002 18:13:53 W. Europe Standard Time W. Europe Daylight Time;
    1> whenChanged: 07/02/2009 20:02:15 W. Europe Standard Time W. Europe Daylight Time;
    3> subRefs: DC=DomainDnsZones,DC=Domain,DC=loc; DC=ForestDnsZones,DC=Domain,DC=loc; CN=Configuration,DC=Domain,DC=loc;
    1> uSNCreated: 11721;
    1> repsTo: dwVersion = 1, V1.cb: 281, V1.cConsecutiveFailures: 0 V1.timeLastSuccess: 12891074904 V1.timeLastAttempt: 12891074904 V1.ulResultLastAttempt: 0x0 V1.cbOtherDraOffset: 216 V1.cbOtherDra: 65 V1.ulReplicaFlags: 0x10 V1.rtSchedule: <ldp:skipped> V1.usnvec.usnHighObjUpdate: 0 V1.usnvec.usnHighPropUpdate: 0 V1.uuidDsaObj: f36f8a03-416d-4a75-b125-01370868c058 V1.uuidInvocId: 00000000-0000-0000-0000-000000000000 V1.uuidTransportObj: 00000000-0000-0000-0000-000000000000 V1~mtx_address: f36f8a03-416d-4a75-b125-01370868c058._msdcs.Hermansgroup.loc V1.cbPASDataOffset: 0 V1~PasData: version = -1, size = -1, flag = -1 ;
    1> repsFrom: dwVersion = 1, V1.cb: 281, V1.cConsecutiveFailures: 0 V1.timeLastSuccess: 12891077995 V1.timeLastAttempt: 12891077995 V1.ulResultLastAttempt: 0x0 V1.cbOtherDraOffset: 216 V1.cbOtherDra: 65 V1.ulReplicaFlags: 0x70 V1.rtSchedule: <ldp:skipped> V1.usnvec.usnHighObjUpdate: 13009479 V1.usnvec.usnHighPropUpdate: 13009479 V1.uuidDsaObj: f36f8a03-416d-4a75-b125-01370868c058 V1.uuidInvocId: 5d2a203c-c0f8-44cf-a574-ca52e78cbb1c V1.uuidTransportObj: 00000000-0000-0000-0000-000000000000 V1~mtx_address: f36f8a03-416d-4a75-b125-01370868c058._msdcs.Hermansgroup.loc V1.cbPASDataOffset: 0 V1~PasData: version = -1, size = -1, flag = -1 ;
    1> uSNChanged: 12060404;
    1> name: Our Compaany;
    1> objectGUID: 9f89ce95-8462-442e-a00d-76af36c2ad41;
    1> replUpToDateVector: <ldp error: cannot process UPDATE_VECTOR v.2>;
    1> objectSid: S-1-5-21-9395636-2083466211-1852903728;
    1> nTMixedDomain: 0;
    11> wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=Domain,DC=loc; B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft ,CN=Program Data,DC=Domain,,DC=loc; B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=Domain,,DC=loc; B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSe curityPrincipals,DC=Domain,,DC=loc; B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=Domain,,DC=loc; B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastru cture,DC=Domain,DC=loc; B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFo und,DC=Domain,,DC=loc; B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC =Domain,p,DC=loc; B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=Domain,DC=loc; B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers ,DC=Domain,,DC=loc; B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC= Domain,,DC=loc;
    1> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=Domain,,DC=loc;
    1> gPLink: [LDAP://CN={FE462D15-13CB-4E95-8889-3EFE4DCD6532},CN=Policies,CN=System,DC=Domain,DC=l oc;0][LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=Domain,DC=l oc;1];
    2> masteredBy: CN=NTDS Settings,CN=Host ,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=loc; CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,up,DC=loc ;
    2> msDs-masteredBy: CN=NTDS Settings,CN=,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,DC=loc; CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Domain,,DC=loc;
    1> dc: DOMAIN;
    -----------
    ***Searching...
    ldap_search_s(ld, "DC=Domain,DC=loc", 2, "serviceprincipalname=host/Host.Domain.loc", attrList, 0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn: CN=HOST,CN=Computers,DC=Domain,DC=loc
    5> objectClass: top; person; organizationalPerson; user; computer;
    1> cn: Host;
    1> distinguishedName: CN=Host,CN=Computers,DC=Domain,DC=loc;
    1> name: Host;
    1> canonicalName: Domain.loc/Computers/Host;
    Last edited by Carlson; 3rd July 2009, 13:37.

  • #2
    Re: Duplicate SPN Entry

    Is there someone who can help me with this problem?

    Thanks in advance.



    • #3
      Re: Duplicate SPN Entry

      SPNs for MSSQLSvc are done on the service account, not the computer account.

      Use adsiedit.msc to look at the ServicePrincipalName field on the user account you use to run the SQL services on that server.
      * Shamelessly mentioning "Don't forget to add reputation!"



      • #4
        Re: Duplicate SPN Entry

        You gotta get rid of the faulty entries.
        G:\|>setspn
        Usage: setspn [switches data] computername
        Where "computername" can be the name or domain\name
        Switches:
        -R = reset HOST ServicePrincipalName
        Usage: setspn -R computername
        -A = add arbitrary SPN
        Usage: setspn -A SPN computername
        -D = delete arbitrary SPN
        Usage: setspn -D SPN computername
        -L = list registered SPNs
        Usage: setspn [-L] computername
        Examples:
        setspn -R daserver1
        It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
        setspn -A http/daserver daserver1
        It will register SPN "http/daserver" for computer "daserver1"
        setspn -D http/daserver daserver1
        It will delete SPN "http/daserver" for computer "daserver1"


        I've seen this happening a lot with SQL boxes...

        You might want to also look at:
        http://technet.microsoft.com/en-us/l.../cc961723.aspx
        http://technet.microsoft.com/en-us/l.../ms191153.aspx

        Regards.
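        Added example, not from any post in this thread: posts #3 and #4 point out that an MSSQLSvc SPN usually lives on the SQL service account rather than the computer object, and that a search scoped to one SPN string on one object will miss the second copy. This PowerShell script (which only reads the directory) enumerates every object carrying any servicePrincipalName and reports values registered on more than one object, which is the condition behind Event ID 11. It assumes a domain-joined host and a user allowed to read Active Directory; the account names in the trailing comment are placeholders.

```powershell
# Added example (not from the thread): find SPNs registered on more than one AD object.
# Runs read-only; assumes a domain-joined machine and a user that can read the directory.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry  # default naming context
$searcher.Filter = "(servicePrincipalName=*)"   # any object (user or computer) holding an SPN
$searcher.PageSize = 1000                        # paged search, so MaxPageSize does not truncate
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

# PowerShell hashtables compare keys case-insensitively, matching how Kerberos treats SPNs.
$index = @{}

foreach ($result in $searcher.FindAll()) {
    $dn = [string]$result.Properties["distinguishedname"][0]
    foreach ($spn in $result.Properties["serviceprincipalname"]) {
        if (-not $index.ContainsKey($spn)) { $index[$spn] = @() }
        $index[$spn] += $dn                      # remember every object that claims this SPN
    }
}

# Any SPN held by two or more objects is a duplicate; list the SPN and each holder.
$duplicates = $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if (-not $duplicates) { "No duplicate SPNs found." }
foreach ($entry in $duplicates) {
    "Duplicate SPN: $($entry.Key)"
    $entry.Value | ForEach-Object { "    registered on: $_" }
}

# Once you know which object should NOT hold the SPN (typically a stale computer account
# when the SQL service runs under a domain user), remove it there with the setspn syntax
# shown in post #4 (placeholder names):
#   setspn -D MSSQLSvc/Host.Domain.Loc DOMAIN\Host
```

Run it on a domain controller or any domain-joined host; the listed holders tell you which object to clean up, and re-running after the change confirms the duplicate is gone.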
