KDC 11, but Microsoft's fix isn't working..

  • Thread starter: Guest

First off, I've tried searching for the duplicate SPN with no luck, as per:

http://support.microsoft.com/?id=321044


Here is the event log:

----
There are multiple accounts with name HTTP/crm01 of type
DS_SERVICE_PRINCIPAL_NAME.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
----

Here is the ldifde for that server:

---
operatingSystem: Windows Server 2003
operatingSystemVersion: 5.2 (3790)
operatingSystemServicePack: Service Pack 1
dNSHostName: CRM01.eLiberation.com
servicePrincipalName: MSSQLSvc/CRM01.eLiberation.com:1433
servicePrincipalName: SMTPSVC/CRM01
servicePrincipalName: SMTPSVC/CRM01.eLiberation.com
servicePrincipalName: HOST/CRM01
servicePrincipalName: HOST/CRM01.eLiberation.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=eLiberation,DC=com
---


I don't see any HTTP SPNs in the entire file...any ideas?

Thanks!

Phil
 
Phil,

You need to do an ldifde dump of your entire directory.
LDIFDE -f dump.txt -s nameofgcserver -t 3268 -d dc=forestname,dc=root -l servicePrincipalName

I have seen the event log report HTTP SPN, when the real duplicate was on HOST.
Search the dump file for crm01.

You will likely find dups for one or both of these HOST SPNs.
HOST/CRM01
HOST/CRM01.eLiberation.com
 
Thanks for your updated syntax. I found that another domain in the forest
had a disabled CRM01 computer account, but still had SPNs which would
conflict with HOST/crm01.

That should remove the error message.

Thanks.
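
As an added example (not code from any poster in this thread), the Python below scans an ldifde dump for SPNs registered on more than one account, folding HTTP and other HOST-aliased service classes into HOST so the name in the event log can be matched to the real duplicate. The alias list is a partial assumption, and the second DN in the sample is a constructed placeholder for the account in the other domain.

```python
from collections import defaultdict

# Partial list of service classes that AD resolves through HOST (default
# sPNMappings); an assumption here, extend it for your own forest.
HOST_ALIASES = {"http", "www", "w3svc", "cifs", "rpc"}

# Constructed sample in ldifde output format. The second DN is a placeholder
# for the disabled computer account found in another domain of the forest.
SAMPLE_DUMP = """\
dn: CN=CRM01,CN=Computers,DC=eLiberation,DC=com
servicePrincipalName: MSSQLSvc/CRM01.eLiberation.com:1433
servicePrincipalName: HOST/CRM01
servicePrincipalName: HOST/CRM01.eLiberation.com

dn: CN=CRM01,CN=Computers,DC=otherdomain,DC=example
servicePrincipalName: HOST/crm01
servicePrincipalName: HOST/crm01.otherdomain
 .example
"""

def canonical(spn):
    """Lower-case the SPN and fold HOST-aliased service classes into host/."""
    service, _, rest = spn.strip().lower().partition("/")
    return ("host" if service in HOST_ALIASES else service) + "/" + rest

def parse_spns(ldif_text):
    """Yield (dn, spn) pairs, unfolding LDIF lines continued with a space."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn = None
    for line in lines:
        key, _, value = line.partition(": ")
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "serviceprincipalname" and dn:
            yield dn, value

def find_duplicates(ldif_text, reported_spn=None):
    """Map each canonical SPN held by more than one account to its DNs."""
    owners = defaultdict(set)
    for dn, spn in parse_spns(ldif_text):
        owners[canonical(spn)].add(dn)
    dups = {s: sorted(d) for s, d in owners.items() if len(d) > 1}
    if reported_spn is not None:
        dups = {s: d for s, d in dups.items() if s == canonical(reported_spn)}
    return dups
```

Calling find_duplicates(open("dump.txt").read(), "HTTP/crm01") on a real dump lists every account, enabled or disabled, that holds the conflicting SPN.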
 