Event ID 11 — Service Principal Name Configuration
Applies To: Windows Server 2008
Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). An SPN is used by Kerberos to uniquely identify an account that is requesting access to a resource.
Event Details
Product: Windows Operating System
ID: 11
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_NAME_NOT_UNIQUE
Message: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is %1 (of type %2). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for %1 in Active Directory.
Resolve
Remove the duplicate service principal name
Each service principal name (SPN) must be unique. Without unique principal names, the Kerberos client is not able to ensure that the server it is communicating with is the correct one. You must identify the duplicate SPN, and then remove it.
To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
Identify the duplicate SPN
To identify the duplicate SPN:
- Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
- Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type setspn -X.
- The output of this command will show the duplicate SPNs.
- Use the following procedure to remove one of the duplicate SPNs.
Remove an SPN
To remove an SPN:
- Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type setspn -D <SPN> <computer_name>, where SPN is the duplicate SPN and computer_name is the name of the computer account from which the duplicate SPN should be removed.
Verify
To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To verify that the service principal name (SPN) was configured correctly:
- Log on to a domain controller.
- Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
- Type setspn -L <computer_name>, where computer_name is the name of the computer referenced in the event log message.
- The output of this command will show the SPNs configured for this computer.
- If there are no duplicate entries, the SPNs are configured correctly.
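The identify and verify steps above both come down to one check: no SPN may be registered on more than one account. The following script is an added example, not part of the Microsoft article or the setspn tool: it parses text laid out the way `setspn -L <account>` prints it (a "Registered ServicePrincipalNames for <DN>:" header followed by indented SPNs) for several accounts and reports every SPN that appears under more than one account. The sample dump is constructed for illustration, and the header layout is assumed from setspn's usual output.

```python
"""Report service principal names registered on more than one account."""
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for three accounts, concatenated.
# Two SPNs are deliberately duplicated (one differs only in letter case).
SAMPLE_DUMP = """\
Registered ServicePrincipalNames for CN=SRV01,CN=Computers,DC=corp,DC=example:
        HOST/srv01.corp.example
        HOST/SRV01
        MSSQLSvc/srv01.corp.example:1433
Registered ServicePrincipalNames for CN=svc_sql,CN=Users,DC=corp,DC=example:
        MSSQLSvc/srv01.corp.example:1433
        MSSQLSvc/srv01.corp.example
Registered ServicePrincipalNames for CN=SRV02,CN=Computers,DC=corp,DC=example:
        HOST/srv02.corp.example
        host/srv01.corp.example
"""

# Assumed header layout of `setspn -L`; the DN is everything up to the trailing colon.
HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+?):\s*$")


def parse_setspn_dump(text):
    """Return {account_dn: [spn, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group("dn")
            accounts[current] = []
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts


def find_duplicate_spns(accounts):
    """Map each SPN held by more than one account to the sorted list of holders.

    SPNs are compared case-insensitively, because the KDC does not treat
    HOST/x and host/x as distinct names; both count as the duplicate that
    triggers Event ID 11.
    """
    holders = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(parse_setspn_dump(SAMPLE_DUMP)).items():
        print(f"duplicate SPN {spn} registered on: {', '.join(dns)}")
```

On a live domain, feed the script the concatenated `setspn -L` output of the accounts you suspect, then decide which account legitimately owns each reported SPN before running `setspn -D` against the other.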