

Domain doesn't know about my computer account? I vouch for my computer, you can trust me...

Had an issue where a server would not allow logon via Terminal Services; each time you attempted to log on it would return this:


Soooooooooo, what to do here? 

First, we made sure the account existed in the directory, since that's what it appeared to be complaining about.  So I opened LDP and verified that it existed and that it all "checked out" as healthy (stare and compare against a known-good object).

Second, we cranked up Netlogon debug logging (nltest /dbflag) to see what it showed.  It complained about a lot of things, but nothing conclusive, unfortunately.  So at that point it was time to move to Event Viewer.  The "nice" thing about this issue was that the server was accessible over the network with the same account that was failing to log on via TS, so I could do some of the investigation remotely.

One event in particular struck me:

Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 7/31/2008 4:11:24 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: BRAD-SRV-01.braddom.bradforest.com
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 23:11:24.0000 7/31/2008 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: braddom.bradforest.COM
Server Name: host/BRAD-SRV-01.braddom.bradforest.com
Target Name: host/BRAD-SRV-01.braddom.bradforest.com@braddom.bradforest.COM
Error Text:
File: 9
Line: d86
Error Data is in record data.

Using err.exe I resolved the error code and found there was a collision:

C:\localbin>err 0xc0000035
# for hex 0xc0000035 / decimal -1073741771 :
STATUS_OBJECT_NAME_COLLISION ntstatus.h
# Object Name already exists.
# 1 matches found for "0xc0000035"


At this point it's time to look for a collision on "host/BRAD-SRV-01.braddom.bradforest.com" across the forest, since an SPN must be unique forest-wide.  The easiest way to do that is to use a handy script called querySPN.vbs.

C:\localbin>querySPN.vbs HOST/BRAD-SRV-01.braddom.bradforest.com braddom.bradforest.com
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

CN=VL Account,CN=Users,DC=braddom,DC=bradforest,DC=com
Class: user
User Logon: VLSBST
-- host/BRAD-SRV-01.braddom.bradforest.com <----------------------------------------------------------------- Bingo the SPN is registered for two objects!

CN=BRAD-SRV-01,CN=Computers,DC=braddom,DC=bradforest,DC=com
Class: computer
Computer DNS: BRAD-SRV-01.braddom.bradforest.com
-- TERMSRV/BRAD-SRV-01.braddom.bradforest.com
-- TERMSRV/BRAD-SRV-01
-- HOST/BRAD-SRV-01
-- HOST/BRAD-SRV-01.braddom.bradforest.com <-----------------------------------------------------------------


Once we removed the SPN from the user account, logons began to immediately work.
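An added example of the same forest-wide lookup in PowerShell (this is not the querySPN.vbs script and not code from the original post). It assumes a domain-joined machine, the forest name and SPN from this post, and the System.DirectoryServices classes that ship with Windows PowerShell; the function name Find-SpnOwners is my own.

```powershell
# Added example: find every object in the forest holding a given SPN and flag a collision.
# Assumes a domain-joined host whose caller can read the global catalog (GC).
param(
    [Parameter(Mandatory)] [string] $Spn,            # e.g. HOST/BRAD-SRV-01.braddom.bradforest.com
    [string] $Forest = 'braddom.bradforest.com'      # forest root from the post; change to yours
)

function Find-SpnOwners {
    param([string] $Spn, [string] $Forest)

    # Query the GC so every domain in the forest is covered: SPN uniqueness is forest-wide,
    # and a per-domain search can miss the duplicate.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("GC://$Forest")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # servicePrincipalName matching is case-insensitive, so "host/" and "HOST/" both match,
    # which is exactly the situation in the post (host/ on the user, HOST/ on the computer).
    $searcher.Filter   = "(servicePrincipalName=$Spn)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange(
        @('distinguishedName', 'objectClass', 'sAMAccountName', 'servicePrincipalName'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
            Class             = [string](@($r.Properties['objectclass'])[-1])  # most specific class
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            Spns              = @($r.Properties['serviceprincipalname'])
        }
    }
}

$owners = @(Find-SpnOwners -Spn $Spn -Forest $Forest)
$owners | Format-List DistinguishedName, Class, SamAccountName, Spns

if ($owners.Count -gt 1) {
    # Two or more holders is the collision behind KDC_ERR_S_PRINCIPAL_UNKNOWN with
    # extended error STATUS_OBJECT_NAME_COLLISION (0xc0000035) seen in the System log.
    Write-Warning "$Spn is registered on $($owners.Count) objects; remove it from the one that should not hold it, e.g.: setspn -D $Spn <sAMAccountName>"
}
elseif ($owners.Count -eq 0) {
    Write-Warning "$Spn is not registered on any object in $Forest."
}
```

On Windows Server 2008 and later, `setspn -X -F` performs the same duplicate-SPN sweep across the whole forest in one command, which is the quicker check before digging into Netlogon logs.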


-B

Comments

  • Anonymous
    January 01, 2003
    Dude, you absolutely ROCK! Nice find! I've been looking for a duplicated SPN for a SQL server for ages and couldn't find it. In fact, until today I didn't even know the dup was the problem. I didn't know it was such a problem with SQL and kerberos either. Thanks for the useful error messages MS!

  • Anonymous
    June 06, 2009
    Thank you very much.  AD didn't handle the renaming of a server well, and left some cruft behind.  Thanks to you, I was able to find and remove it.

  • Anonymous
    June 11, 2009
    Thanks!!! That is EXACTLY the solution I have been searching for - found a duplicate machine with the SPN stuck on it. Removed the duplicate SPN with ADSI Edit and was immediately able to log in.

  • Anonymous
    September 02, 2009
    Brad, cool trick with the script...but. How did you end up with an SPN associated with your user account?  Is that a common happening?

  • Anonymous
    April 16, 2013
    Sweet!!! Been working on this issue all day and finally came across this post and fixed. Great catch!! Thanks!