KDC Event I.D. 11

I was recently working on a customer site and noticed that a significant number of System Event logs displayed the following error message.

There are multiple accounts with name MSSQLSvc/ABCServer.contoso.com:1433 of type DS_SERVICE_PRINCIPAL_NAME.

If this message, or something very similar, appears in your System Event Log it needs to be dealt with.

What does it mean and what are the consequences?

This error is logged when a Service Principal Name (SPN) has been registered incorrectly for a service running on a server, so that more than one account carries the same SPN. Each service that uses Kerberos authentication needs an SPN set for it so that clients can identify the service on the network. The SPN is registered in Active Directory on an account as the multi-valued attribute servicePrincipalName.

Duplicate SPNs can cause clients to connect to the wrong system, or the KDC may encrypt the service ticket with the wrong account's key. To remediate this, the following steps should be undertaken. The aim of these steps is to locate the accounts which hold duplicate SPNs and then delete the registration which has been verified by the Active Directory Support team as incorrect.

How can it be resolved?

To resolve this, carry out the following steps:

1. From the domain controller, open a command prompt and then type the following command, substituting your own domain's distinguished name:
ldifde -f domain.txt -d "dc=domain,dc=com"
2. Open the text file in Notepad and then search for the SPN that is reported in the event log.
ServiceClass/host.domain.com

3. Note the user accounts under which the SPN is located and the organizational unit the accounts reside in. In the export, the userPrincipalName should be located directly above the servicePrincipalName registration, as in the example below.
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com

Once the duplicate registrations have been located, remove the incorrect one using either ADSIEdit or SetSPN:

Using ADSIEdit
1. Add the ADSIEdit snap-in to an MMC console and connect to the Domain well-known naming context.
2. Navigate to each user account you previously documented as having a duplicate SPN registration, right click the account and select Properties.
3. Scroll through the list of attributes until you see servicePrincipalName and double click it. Remove the duplicate SPN registration, click OK and exit ADSIEdit.

Using SetSPN
1. From the command prompt, type the following command and press Enter, where AccountName is the account holding the incorrect registration:
setspn -D ServiceClass/host.domain.com:Port AccountName
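The same search and removal as an added PowerShell example (not from the original post): it queries Active Directory directly instead of searching an ldifde export, covers computer accounts as well as user accounts, and assumes the ActiveDirectory module (RSAT) is installed in a domain-joined session.

```powershell
# Added example, not from the original post: automate steps 1-3 above by querying AD
# directly instead of searching an ldifde export, then remove a confirmed-bad SPN.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param(
        # Search base; defaults to the domain root, i.e. dc=domain,dc=com.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # SPNs live on computer accounts as well as user accounts, so query any object with the attribute.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -SearchBase $SearchBase `
                            -SearchScope Subtree -Properties servicePrincipalName

    # One row per (SPN, account) pair. Kerberos matches SPNs case-insensitively, so group on a lower-cased key.
    $rows = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{
                Key               = $spn.ToLowerInvariant()
                Spn               = $spn
                DistinguishedName = $obj.DistinguishedName
            }
        }
    }

    # Keep only SPNs registered on two or more distinct accounts: the condition behind Event ID 11.
    $rows | Group-Object Key |
        Where-Object { @($_.Group.DistinguishedName | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn      = $_.Group[0].Spn
                Accounts = @($_.Group.DistinguishedName | Sort-Object -Unique) -join '; '
            }
        }
}

function Remove-SpnRegistration {
    # Equivalent of "setspn -D <SPN> <account>" for the registration the owning team confirmed is wrong.
    # Supports -WhatIf so the change can be previewed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DistinguishedName, [Parameter(Mandatory)][string]$Spn)
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Remove SPN $Spn")) {
        Set-ADObject -Identity $DistinguishedName -Remove @{ servicePrincipalName = $Spn }
    }
}

# Report first; removal is a separate, deliberate step once the incorrect account is identified.
Get-DuplicateSpn | Format-Table -AutoSize -Wrap
```

Run the report on a domain controller or RSAT workstation, confirm with the service owner which account should not hold the SPN, then call Remove-SpnRegistration with that account's distinguished name and the exact SPN string from the report.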

See the Microsoft Knowledge Base articles below for usage of LDP and ADSIEdit, plus more information on Event I.D. 11.

https://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

https://support.microsoft.com/kb/224543

https://support.microsoft.com/kb/260745