KDC Errors on Domain Controllers
As I am getting the below error in my domain controllers
KDC Event ID:11
There are multiple accounts with name MSSQLSvc/SHAREDVSQL.domain.com:1433 of type DS_SERVICE_PRINCIPAL_NAME
Where
sharedvsql.domain.com is the Virtual name of SQL Cluster
After it I used the following method to find the duplicity of SPNs
Windows 2003 ADU&C, create a query, custom LDAP, and enter the following:
servicePrincipalName=MSSQLSvc/sharedvsql.domain.com:1433
And I got only one object
Sqldbcluster which contains this SPN (MSSQLSvc/SHAREDVSQL.domain.com:1433)
We used 2 accounts for the Clustering
1.
Sqlservices is the account which is being used in SQL and SQL Agent Service
2.
Sqldbcluster is the account which is being used in Cluster Service
Our cluster name is Sqldbcluster.domain.com
Side by side the below error is coming in the SQL Server
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 4/10/2011
Time: 12:00:00 AM
User: N/A
Computer: SQLServer
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/SQLServer.domain.com.
The target name used was MSSQLSvc/SHAREDVSQL.domain.com:1433. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the
target realm (domain.com), and the client realm.
Please contact your system administrator.
I am confused that if I am getting only one account for this specified SPN MSSQLSvc/sharedvsql.domain.com:1433 then why the above error is coming in domain controllersSagar
April 11th, 2011 4:28am
KDC EventID 11 resolution.
Thanks
Free Windows Admin Tool Kit Click here and download it now
April 11th, 2011 4:50am
Hello,
try the mentioned Microsoft resolutions to solve the duplicate SPN problem:
http://technet.microsoft.com/fr-fr/library/cc733945(v=WS.10).aspx
http://support.microsoft.com/kb/321044
This
posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft
Student Partner
Microsoft
Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
April 11th, 2011 4:51am
Dear i have already done this activity and found the answer which i mentioned in my problemSagar
Free Windows Admin Tool Kit Click here and download it now
April 11th, 2011 5:57am
Dear Yousuf,
i have done this activity as per your iven link but the problem is not relolvedSagar
April 14th, 2011 7:13am
Did you try all the methods. If possible can you share full results with us.
Thanks
Free Windows Admin Tool Kit Click here and download it now
April 14th, 2011 8:16am
Hi,
We did the below activity and problem has been resolved
As we checked with adsiedit.msc and found that the Sqlcluster account
had SPN MSSQLsvc/sharedvsql.domain.com:1433 .If SPN is registered with the wrong account(Sqlcluster account) then also this error comes, in our scene This SPN should be in the
Sqlservice account so we assigned R/W SPN rights to Sqlservice account using Adsiedit and logged in with
Sqlservice account in the sql server and found the same SPN now registered with this account.Now we have 2 accounts with same SPN then we removed the SPN from
Sqlcluster account. Now only one account Sqlservice has this SPN and our problem has been resolved.
ThanksSagar
May 4th, 2011 6:30am