KDC Event I.D. 11
I was recently working on a customer site and noticed that a significant number of System Event logs displayed the following error message:
There are multiple accounts with name MSSQLSvc/ABCServer.contoso.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.
If this message, or something very similar, appears in your System Event Log, it needs to be dealt with.
What does it mean and what are the consequences?
This error is logged when a Service Principal Name (SPN) has been registered incorrectly for a service running on a server. Each service that uses Kerberos authentication needs an SPN so that clients can identify the service on the network. The SPN is registered in Active Directory under the user account the service runs as, in that account's servicePrincipalName attribute.
Duplicate SPNs can cause clients to connect to the wrong system, or the ticket may be encrypted with the wrong account's key, which the intended service cannot decrypt. To remediate this, carry out the steps below. Their aim is to locate the accounts that share the duplicate SPN, and then delete the registration that the Active Directory support team has verified as incorrect.
How can it be resolved?
To resolve this, carry out the following steps:
1. From the domain controller, open a command prompt and run the following command (replace dc=domain,dc=com with your domain's distinguished name; the export of a large domain can take some time):
ldifde -f domain.txt -d "dc=domain,dc=com"
2. Open the text file in Notepad and search for the SPN reported in the event log, which has the form:
ServiceClass/host.domain.com
3. Note the user accounts under which the SPN is located and the organizational unit the accounts reside in. The userPrincipalName should appear directly above the servicePrincipalName registration, as in the example below:
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com
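As an added example (not part of the original post), the PowerShell function below automates steps 2 and 3: it parses the ldifde export and lists every SPN registered on more than one account, together with the owning accounts, so nothing is missed when the file is large. The file path is an assumption.

```powershell
# Added example, not from the original post. Parses an ldifde export (domain.txt
# above; the path is an assumption) and reports every SPN held by more than one account.
function Find-DuplicateSpn {
    param([Parameter(Mandatory)][string]$LdifPath)
    # LDIF wraps long values onto continuation lines that begin with a space,
    # so join those back onto the previous line before parsing.
    $unfolded = New-Object 'System.Collections.Generic.List[string]'
    foreach ($line in (Get-Content -LiteralPath $LdifPath)) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }
    $unfolded.Add('')   # a blank line ends a record; this flushes the last one
    # SPN -> owning accounts. PowerShell hashtable keys ignore case, which
    # matches how Kerberos compares SPNs (MSSQLSvc/x == mssqlsvc/X).
    $owners = @{}
    $dn = $null; $upn = $null; $spns = @()
    foreach ($line in $unfolded) {
        if ($line -eq '') {
            foreach ($spn in $spns) {
                if (-not $owners.ContainsKey($spn)) { $owners[$spn] = @() }
                $owners[$spn] += "$dn (userPrincipalName: $upn)"
            }
            $dn = $null; $upn = $null; $spns = @()
            continue
        }
        # 'attr:: value' means the value is base64 encoded; decode it first
        if ($line -match '^(?<attr>[^:]+)(?<sep>::?)\s*(?<val>.*)$') {
            $val = $Matches.val
            if ($Matches.sep -eq '::') {
                $val = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($val))
            }
            switch ($Matches.attr) {   # switch compares strings case-insensitively
                'dn'                   { $dn = $val }
                'userPrincipalName'    { $upn = $val }
                'servicePrincipalName' { $spns += $val }
            }
        }
    }
    foreach ($spn in $owners.Keys) {
        if (@($owners[$spn]).Count -gt 1) {
            [pscustomobject]@{ SPN = $spn; Accounts = $owners[$spn] }
        }
    }
}

Find-DuplicateSpn -LdifPath .\domain.txt | Format-List
```

On Windows Server 2008 and later, setspn -X performs the same duplicate search directly against the directory, without the intermediate export.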
Once the duplicate registrations have been located, remove the incorrect one using either ADSIEdit or SetSPN.
Using ADSIEdit
1. Add ADSIEdit to the MMC and bind to the domain using the Domain well-known naming context.
2. Navigate to each user account you documented as having a duplicate SPN registration, right-click the account and select Properties.
3. Scroll through the list of attributes until you see servicePrincipalName, double-click it, remove the duplicate SPN registration, click OK and exit ADSIEdit.
Using SetSPN
1. From the command prompt, run the following command (-D deletes the specified SPN from the named account) and press Enter:
setspn -D ServiceClass/host.domain.com:Port AccountName
Refer to the Knowledge Base articles below for usage of LDP and ADSIEdit, plus more information about Event ID 11:
https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx
https://support.microsoft.com/kb/224543
https://support.microsoft.com/kb/260745
Comments
Anonymous
July 04, 2013
This is a perfect example of an issue I have, except that when I run ldifde -f domain.txt -d "dc=domain,dc=com" (with appropriate dc alterations), the results file (domain.txt) is empty. ummm... Any pointers?
Anonymous
February 26, 2015
If the document returns empty... make sure you have permissions... fixed it for me