Event ID 11 on DC

Fred

Hi guys,

Hope you can help. We have 2 DCs on our Domain, both W2k. Both run Global
Catalog, other FSMO roles shared between them. First DC has multiple Event
11 (KDC) errors in the System log.

Error states:
There are multiple accounts with name host/web.Domain.com of type 10.

I have looked into this and followed the instructions within KB305971. I
set the filter to search the subtree scope for:
serviceprincipalname=host/web.domain.com

and get back the following results:

***Searching...
ldap_search_s(ld, "DC=Domain, DC=com", 2,
"serviceprincipalname=host/WEB.Domain.COM", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
1> canonicalName: Domain.com/All Computers/W2k3 Servers/WEB;
1> cn: WEB;
1> distinguishedName: CN=WEB,OU=W2k3 Servers,OU=All Computers,DC=Domain,DC=com;
5> objectClass: top; person; organizationalPerson; user; computer;
1> name: WEB;
1> canonicalName: Domain.com/Users/crmadmin crmadmin;
1> cn: crmadmin crmadmin;
1> distinguishedName: CN=crmadmin crmadmin,CN=Users,DC=Domain,DC=com;
4> objectClass: top; person; organizationalPerson; user;
1> name: crmadmin crmadmin;

KB305971 says to use ADSIEDIT to locate the Duplicate SPN and remove it.

Can anyone provide instructions on how to remove the SPN? I am unsure where
and what to look for, and would rather not knacker the AD (Great Plan!!). I
can then perform the final step in KB305971 and remove the Server from the
Domain and re-add it.

Thanks in advance

Fred
 
Glenn L

Easy.
You browse to the object you want to remove the SPN from.
Go to the properties of the object.
Scroll through the list until you get to servicePrincipalName.
You will see a list of them, including the offending one.
Highlight the offending one and remove it.
Apply your changes and you're done.

The question you need to ask yourself is which one do you delete? The one
for crmadmin or the one for web?

I'm guessing WEB is a web server.
When IIS 6 is in its default configuration, the default application pool
runs under the local system account. This means that a host SPN must be
registered under the computer account object.
You can change the configuration to have the application pool run under a
user account context. This requires the host SPN to be registered under the
user account object.
So you need to find out whether your application pool is configured to use
the local system or a domain account. Then you will know which SPN to
delete.
 
Chriss3 [MVP]

Locate the object with ADSIEdit, right click and click Properties.
Select the servicePrincipalName attribute in the list and edit it; it's a
multi-valued attribute, so it may contain several names.
Remove host/web.domain.com

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
Fred

Hi Glen,

Thanks very much for your reply. You are quite correct, Web is an IIS6
machine used for MS CRM and BusinessPortal. I should say I'm not the world's
expert on IIS app pools!

In AdsiEdit, I have located the Host/Web.Domain.com for both cn=CRMadmin and
cn=Web. Both list Host/Web.Domain.com under ServicePrincipalName, so that
is half the battle.

However, in ISM we have 4 Application Pools. The one for CRM uses LocalSystem
(from the Predefined list on the Identity tab of its Properties); the others
(DefaultAppPool, STSAdminAppPool and STSAppPool) all have NetworkService
selected for this property. Which is clear as mud.
Can you advise on which SPN I should delete?

***Searching...
ldap_search_s(ld, "DC=Domain, DC=com", 2,
"serviceprincipalname=host/WEB.Domain.COM", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
Dn: CN=WEB,OU=W2k3 Servers,OU=All Computers,DC=Domain,DC=com
1 canonicalName: Domain.com/All Computers/W2k3 Servers/WEB;
1 cn: WEB;
1 distinguishedName: CN=WEB,OU=W2k3 Servers,OU=All
Computers,DC=Domain,DC=com;
5 objectClass: top; person; organizationalPerson; user; computer;
1 name: WEB;
Dn: CN=crmadmin crmadmin,CN=Users,DC=Domain,DC=com
1 canonicalName: Domain.com/Users/crmadmin crmadmin;
1 cn: crmadmin crmadmin;
1 distinguishedName: CN=crmadmin crmadmin,CN=Users,DC=Domain,DC=com;
4 objectClass: top; person; organizationalPerson; user;
1 name: crmadmin crmadmin;

As you can probably gather, WEB is the Server, CRMAdmin is a user. I'm
leaning towards deleting the crmadmin SPN, would this be correct? Also the
SPN lists both

HOST/WEB and

host/WEB.Domain.COM

Do I need to delete both entries under SPN - I assume I do????

Many Thanks,

Regards,

Fred
 
Glenn L

Local System and Network Service will both register an SPN under the machine
account in AD.
So it looks like you have your offending object.
The CRMADMIN SPN is bad and should be removed.
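As an added example (not code from the thread or from any of the posters): a PowerShell script that runs the subtree search from Fred's LDP session for every SPN at once, reports each SPN held by more than one object together with whether each holder is a computer or a user account (the distinction Glenn's answer turns on), and removes the chosen values from the multi-valued attribute the way the ADSIEdit steps above do. It assumes System.DirectoryServices on a domain-joined machine with rights to read and write servicePrincipalName; the DN and values at the bottom are placeholders taken from the thread.

```powershell
# Added example, not code from the thread. Lists every SPN registered on more than
# one AD object (the condition behind KDC Event ID 11) and can strip the duplicate
# values from one chosen object. Uses System.DirectoryServices, so no AD module is
# needed; assumes a domain-joined machine with rights to read/write the attribute.

function Find-DuplicateSpn {
    # Search the whole domain, mapping each SPN (case-insensitive) to the DNs carrying it.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry  # current domain
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # paged results, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'objectClass', 'servicePrincipalName'))
    $holders = @{}
    foreach ($r in $searcher.FindAll()) {
        $dn = $r.Properties['distinguishedname'][0]
        # Computer objects carry objectClass 'computer'; user/service accounts do not.
        $kind = if (@($r.Properties['objectclass']) -contains 'computer') { 'computer' } else { 'user' }
        foreach ($spn in $r.Properties['serviceprincipalname']) {
            $key = $spn.ToLowerInvariant()
            if (-not $holders.ContainsKey($key)) { $holders[$key] = @() }
            $holders[$key] += "[$kind] $dn"
        }
    }
    foreach ($key in $holders.Keys) {
        if ($holders[$key].Count -gt 1) {   # only SPNs held by more than one object
            [pscustomobject]@{ SPN = $key; Holders = $holders[$key] }
        }
    }
}

function Remove-SpnValue {
    param([string]$Dn, [string[]]$Values)
    # Remove only the listed values from the multi-valued attribute; other SPNs stay.
    $obj = [ADSI]"LDAP://$Dn"
    foreach ($v in @($obj.Properties['servicePrincipalName'])) {   # snapshot before editing
        if ($Values -contains $v) {   # -contains is case-insensitive, like SPN matching
            $obj.Properties['servicePrincipalName'].Remove($v)
            Write-Host "Removed '$v' from $Dn"
        }
    }
    $obj.CommitChanges()
}

# Step 1: list the duplicates and decide which object should keep each SPN (a HOST/ SPN
# belongs on the computer account when the service runs as LocalSystem or NetworkService).
Find-DuplicateSpn | Format-List

# Step 2: placeholder DN and values from the thread; uncomment after checking step 1.
# Remove-SpnValue -Dn 'CN=crmadmin crmadmin,CN=Users,DC=Domain,DC=com' `
#                 -Values @('host/WEB.Domain.COM', 'HOST/WEB')
```

Re-run step 1 after the removal: the Event ID 11 entries stop once the KDC can resolve the SPN to a single account.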
 
Fred

Hi Glen,

Thanks very much for the info and the help. Much appreciated. I have removed
the SPN from CRMAdmin and it appears to have done the trick.

Many Thanks

Regards,

Fred
 