KDC Event I.D. 11


I was recently working on a customer site and noticed that a significant number of System Event logs displayed the following error message.

There are multiple accounts with name MSSQLSvc/ABCServer.contoso.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

If this message, or something very similar, appears in your System Event Log it needs to be dealt with.

What does it mean and what are the consequences ?

This error is logged when the same Service Principal Name (SPN) has been registered on more than one account. Each service that uses Kerberos authentication needs an SPN so that clients can request a ticket for that service on the network, and the SPN must be unique in the forest. It is stored in Active Directory as a value of the servicePrincipalName attribute of the account (user or computer) that the service runs under.

When an SPN is held by more than one account, the KDC cannot tell which account's key it should use to encrypt the service ticket. Clients may be directed at the wrong system, or the ticket may be encrypted with the wrong key so the service cannot decrypt it and Kerberos authentication to that service fails. To remediate this, carry out the steps below. Their aim is to locate the accounts that hold the duplicate SPN, confirm with the Active Directory support team (and the service owner) which account actually runs the service, and delete the registration from the account verified as incorrect.

How can it be resolved?

To resolve this, carry out the following steps:

1. From the domain controller, open a command prompt and type the following command (this exports the whole domain partition, so use straight quotes and your own DN):
ldifde -f domain.txt -d "dc=domain,dc=com"
2. Open the text file in Notepad and search for the SPN reported in the event log, which has the form
ServiceClass/host.domain.com[:port]


3. Note every account under which the SPN is found and the organizational unit each account resides in. In the export, the dn: line at the top of each record identifies the account and its OU; the servicePrincipalName values follow among its attributes, typically next to the userPrincipalName (user accounts only), as in the example below.
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com

Once the accounts have been identified, remove the incorrect registration using either ADSIEdit or setspn:

Using ADSIEdit
1. Add the ADSI Edit snap-in to an MMC console and connect to the Default naming context (the domain partition).
2. Navigate to each account you documented as holding the duplicate SPN, right-click the account and select Properties.
3. Scroll through the list of attributes until you see servicePrincipalName, double-click it, remove the SPN value from the account that should not hold it (leave it on the account the service actually runs under), click OK and exit ADSIEdit.


Using SetSPN
1. From the command prompt, type the following command and press Enter, where AccountName is the account that should not hold the SPN (include the :Port only if the registered SPN has one):
setspn -D ServiceClass/host.domain.com:Port AccountName
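The whole procedure above in one script, as an added example that is not part of the original post: it searches the domain partition for every account holding the SPN (the same result as the ldifde export plus a Notepad search), lists them, and removes the SPN only from the account you name as incorrect, and only when -Remove is given. The SPN value and the account name oldsqlsvc are hypothetical placeholders; the script uses System.DirectoryServices, which ships with .NET, so it needs neither RSAT nor the ActiveDirectory module. On Windows Server 2008 and later, setspn -X lists every duplicate SPN in the domain and setspn -L AccountName shows what one account holds, which are quicker checks than a full ldifde export.

```powershell
# Added example (not from the original post): find all accounts holding an SPN, then
# remove it from the one verified as incorrect. Run on a domain-joined machine as a user
# who can read the directory (search) and write servicePrincipalName (removal).
param(
    [string]$Spn          = 'MSSQLSvc/ABCServer.contoso.com:1433', # value from the Event ID 11 text (hypothetical)
    [string]$WrongAccount = 'oldsqlsvc',                             # sAMAccountName verified as NOT running the service (hypothetical)
    [switch]$Remove                                                  # without -Remove the script only reports
)

# Step 1: search the default naming context (the domain partition ldifde -d exports)
# for every object whose servicePrincipalName attribute contains the SPN.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.PageSize   = 1000

# Escape LDAP filter metacharacters (RFC 4515); backslash must be escaped first.
$escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
$searcher.Filter = "(servicePrincipalName=$escaped)"
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','distinguishedName','objectClass','servicePrincipalName'))

$holders = $searcher.FindAll()
"Accounts holding SPN '$Spn': $($holders.Count)"
foreach ($h in $holders) {
    $p = $h.Properties
    # objectClass is multi-valued; the most specific class (user/computer) is last.
    "  {0,-20} {1}  (class: {2})" -f $p['samaccountname'][0], $p['distinguishedname'][0], ($p['objectclass'] | Select-Object -Last 1)
}

if ($holders.Count -lt 2) { "No duplicate registration found; nothing to do."; return }
if (-not $Remove) { "Duplicate found. Re-run with -Remove to delete the SPN from '$WrongAccount'."; return }

# Step 2: remove the SPN from the account verified as incorrect. Refuse to guess if the
# named account is not actually one of the holders.
$victim = $holders | Where-Object { $_.Properties['samaccountname'][0] -eq $WrongAccount } | Select-Object -First 1
if (-not $victim) { throw "Account '$WrongAccount' does not hold this SPN; refusing to remove anything." }

# Use the value exactly as stored (AD matches SPNs case-insensitively, Remove() does not).
$stored = $victim.Properties['serviceprincipalname'] | Where-Object { $_ -ieq $Spn } | Select-Object -First 1
$entry  = $victim.GetDirectoryEntry()
$entry.Properties['servicePrincipalName'].Remove($stored)   # removes only this value; other SPNs on the account stay
$entry.CommitChanges()
"Removed '$stored' from $($entry.Properties['distinguishedName'][0])"

# Step 3: confirm that exactly one account now holds the SPN.
$remaining = $searcher.FindAll()
"Accounts holding SPN '$Spn' after removal: $($remaining.Count)"
```

Run it first without -Remove and compare the listed accounts with what the service owner says actually runs the service; the script removes nothing until you pass -Remove with the account you have agreed is wrong. Afterwards, setspn -L against both accounts confirms the remaining registration, and the KDC should stop logging Event ID 11 for that SPN.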

Refer to the Knowledge Base articles below for usage of LDP and ADSIEdit, plus more information on Event ID 11.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

http://support.microsoft.com/kb/224543

http://support.microsoft.com/kb/260745


Comments (5)

  1. Kevin Anderson says:

    This is a perfect example of an issue I have, except that when I run ldifde -f domain.txt -d "dc=domain,dc=com" (with appropriate dc alterations), the results file (domain.txt) is empty.

    ummm…

    Any pointers?


  3. Jimi says:

    If the document returns empty…make sure you have permissions….fixed it for me
