How to safely delete duplicated SPNs?
Hi all!
On a DC (Windows 2008 R2, Version 6.1, Build 7601: Service Pack 1) I got the following error message:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 4/26/2012 6:27:23 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: srvdc.domainck.YY.dd
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSrv/srv01.domainck.YY.dd:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order
to prevent this from occuring remove the duplicate entries for MSSQLSrv/srv01.domainck.YY.dd:1433 in Active Directory.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
<EventID Qualifiers="49152">11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-04-26T16:27:23.000000000Z" />
<EventRecordID>24401</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>srvdc.domainck.YY.dd</Computer>
<Security />
</System>
<EventData>
<Data Name="Name">MSSQLSrv/srv01.domainck.YY.dd:1433</Data>
<Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
<Binary>
</Binary>
</EventData>
</Event>
On srv01.domainck.YY.dd:1433, when I run setspn -X I get:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\user1>setspn -X
Checking domain DC=domainck,DC=YY,DC=dd
Processing entry 4
MSSQL/srv01.domainck.YY.dd:1433 is registered on these accounts:
CN=srv02,OU=Corp Servers,DC=domainck,DC=YY,DC=dd
CN=srv01,OU=Corp Servers,DC=domainck,DC=YY,DC=dd
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/backup is registered on these accounts:
CN=backup,OU=Corp Servers,DC=domainck,DC=yy,DC=dd
CN=Administrator,CN=Users,DC=domainck,DC=YY,DC=dd
{14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/backup.domainck.YY.dd is registered on these accounts:
CN=backup,OU=Corp Servers,DC=domainck,DC=YY,DC=dd
CN=Administrator,CN=Users,DC=domainck,DC=YY,DC=dd
MSSQLSrv/srv01:1433 is registered on these accounts:
CN=srv02,OU=Corp Servers,DC=domainck,DC=YY,DC=dd
CN=srv01,OU=Corp Servers,DC=domainck,DC=YY,DC=dd
found 4 groups of duplicate SPNs.
- How do I know which SPNs I can safely delete?
- What is the impact of not deleting the duplicated SPNs?
- How can I reverse the deletion of duplicated SPNs?
- How can I know the cleanup was successful and did no damage?
April 30th, 2012 12:38pm
setspn -L srv01
This should list all registered Service Principal Names for srv01.
Delete duplicate SPNs using this command:
setspn -d MSSQLSrv/srv01.domainck.YY.dd:1433
Also refer to: http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
Sachin Gadhave (MCP, MCTS)
April 30th, 2012 12:51pm
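A scripted form of the check-then-delete described above, added here as an example and not taken from the thread: it lists every account holding the duplicated SPN, saves their SPN lists so the change can be reversed, removes the SPN from one named account only (setspn -D takes both the SPN and the account), and verifies that exactly one holder remains. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the SPN and DNs are the ones from the question, and choosing srv02 as the account to strip is a placeholder assumption, since the right choice depends on which host actually runs the SQL service.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# The duplicated SPN reported by event 11 and by "setspn -X" in the question.
$Spn = 'MSSQLSrv/srv01.domainck.YY.dd:1433'
# The account that should NOT keep the SPN. Placeholder assumption: decide this
# from "setspn -L <account>" and from which host really runs the service.
$RemoveFrom = 'CN=srv02,OU=Corp Servers,DC=domainck,DC=YY,DC=dd'
$Backup = "C:\spn-backup-$(Get-Date -Format yyyyMMdd-HHmmss).xml"

# 1. Find every account that holds this exact SPN (same data as setspn -X).
$Holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
    -Properties servicePrincipalName)
"Accounts holding ${Spn}:"
$Holders | ForEach-Object { "  " + $_.DistinguishedName }

# 2. Save the full SPN list of every holder so the change can be reversed.
$Holders | Select-Object DistinguishedName, servicePrincipalName |
    Export-Clixml -Path $Backup
"Backup written to $Backup"

# 3. Remove the SPN from the chosen account only; other holders keep it.
#    Equivalent to: setspn -D $Spn <account>
$HolderDns = $Holders | ForEach-Object { $_.DistinguishedName }
if ($HolderDns -contains $RemoveFrom) {
    Set-ADObject -Identity $RemoveFrom -Remove @{ servicePrincipalName = $Spn }
} else {
    "WARNING: $RemoveFrom does not hold $Spn; nothing removed"
}

# 4. Verify: exactly one account should hold the SPN now.
$After = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
if ($After.Count -eq 1) {
    "OK: $Spn is now held only by $($After[0].DistinguishedName)"
} else {
    "WARNING: $Spn is held by $($After.Count) accounts; re-check setspn -X"
}

# To reverse, re-add the SPN to the account it was removed from:
#   Set-ADObject -Identity $RemoveFrom -Add @{ servicePrincipalName = $Spn }
# The backup file ($Backup) records the original SPN lists for reference.
```

After the change, event ID 11 should stop appearing on the DC for that SPN, and a fresh setspn -X run should no longer list it as duplicated.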
Similar thread found here:
http://social.technet.microsoft.com/Forums/en/identitylifecyclemanager/thread/542f3b30-41f6-4299-b373-5b1f3dc16269
http://www.arabitpro.com
April 30th, 2012 3:23pm
Hi,
In addition to the above troubleshooting suggestions, please also refer to the following Microsoft TechNet blogs for further troubleshooting information:
Quickly Explained: Service Principal Name: Registration, Duplication
http://blogs.technet.com/b/qzaidi/archive/2010/10/12/quickly-explained-service-principal-name-registration-duplication.aspx
Kerberos Authentication problems Service Principal Name (SPN) issues - Part 1
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
Kerberos Authentication problems Service Principal Name (SPN) issues - Part 2
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx
Kerberos Authentication problems Service Principal Name (SPN) issues - Part 3
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-3.aspx
Regards, Arthur Li
TechNet Community Support
May 2nd, 2012 3:01am
Hi,
The biggest problem that I had was finding what the duplicate SPNs were tied to (account, machine name?).
I found the best command to display this is:
setspn -X
At least that gives you somewhere to start looking.
May 17th, 2012 8:36am