Core Issue
There are multiple errors on the Domain Controller that complain about the primary Cisco Unity Server 4.x. The "Event ID: 11, Source: KDC, There are multiple accounts with name MSSQLSvc/UNITY1.Davison.local:1433 of type DS_SERVICE_PRINCIPAL_NAME." error message appears.
This is the error in the Application event log:
Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 10/11/2006
Time: 3:06:01 PM
User: N/A
Computer: AVICENNA
Description:
There are multiple accounts with name MSSQLSvc/UNITY1.Davison.local:1433 of type DS_SERVICE_PRINCIPAL_NAME.
Resolution
In order to resolve this issue, delete the record of which the KDC service complains. Use ADSIEdit in order to delete the offending SPN registrations.
This is the detailed procedure:
In order to enable the service to authenticate properly, you need to make sure that the SPN is registered on only one account. In order to do this, first find which accounts have the duplicate SPNs and then delete one of them. The easiest way to determine which account the ServiceClass SPN should be registered under is to identify the service account under which the service starts. For example, if the service class and hostname is MSSQLSvc/hostname.domain.com, log on to hostname.domain.com and verify which account the SQL Server service starts with; this is the account to which the SPN should be registered.
In order to generate a list of the accounts that the SPNs are registered to, run this command at the command prompt.
From the domain controller, open a command prompt and then type this string:
ldifde -f domain.txt -d "dc=domain,dc=com"
Open the text file in Notepad and then search for the SPN that is reported in the event log.
ServiceClass/host.domain.com
Note the user accounts under which the SPN is located and the organizational unit in which those accounts reside. The userPrincipalName should be located directly above the servicePrincipalName registration, as in this example.
userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com
Use one of these options in order to delete the SPN registration from the accounts that should not contain a registration for ServiceClass/host.domain.com, that is, any account that holds an SPN registration for ServiceClass/host.domain.com but under which the service does not explicitly start.
ADSIEdit
Add ADSIEdit to the MMC and bind to the domain with the use of the Domain well known naming context.
Navigate to each user account you previously documented that has a duplicate SPN registration and right-click the account and choose Properties.
Scroll through the list of attributes until servicePrincipalName appears. Double-click servicePrincipalName and remove the duplicate SPN registration. Choose OK and exit ADSIEdit.
SetSPN
From the command prompt, type this command and press Enter.
setspn -D ServiceClass/host.domain.com:Port AccountName
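The ldifde step above leaves you searching domain.txt by hand in Notepad. The script below is an added example (not part of this tech note and not a Cisco or Microsoft tool) that parses an ldifde export and lists every servicePrincipalName registered on more than one account, which is exactly what KDC Event ID 11 reports; the LDIF sample, account names and OU paths in it are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample ldifde export: two accounts carry the same MSSQLSvc SPN (KDC Event ID 11).
SAMPLE_LDIF = """\
dn: CN=UNITY1,OU=Servers,DC=davison,DC=local
servicePrincipalName: HOST/UNITY1.Davison.local
servicePrincipalName: MSSQLSvc/UNITY1.Davison.local:1433

dn: CN=sqlsvc,OU=Service Accounts,DC=davison,DC=local
userPrincipalName: sqlsvc@davison.local
servicePrincipalName: MSSQLSvc/UNITY1.Davison.local:1433
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) entries from LDIF text."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:  # LDIF folds long values with a leading space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, attrs, dn = [], defaultdict(list), None
    for line in unfolded + [""]:  # the trailing "" flushes the last entry
        if not line:
            if dn is not None:
                entries.append((dn, dict(attrs)))
            attrs, dn = defaultdict(list), None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # "attr:: <base64>" form used for non-ASCII values
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
    return entries


def duplicate_spns(text):
    """Map each SPN held by more than one account to its DNs; AD matches SPNs case-insensitively."""
    owners = defaultdict(list)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    print(duplicate_spns(SAMPLE_LDIF))
```

Run it against the real export with duplicate_spns(open("domain.txt").read()); each reported DN that is not the account the service starts under is the one to clean with setspn -D or ADSIEdit.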
Refer to Event ID 11 in the System log of domain controllers for more information.