TCC_2

Core Issue

Multiple errors that refer to the primary Cisco Unity Server 4.x appear on the domain controller. The error message reads: "Event ID: 11, Source: KDC, There are multiple accounts with name MSSQLSvc/UNITY1.Davison.local:1433 of type DS_SERVICE_PRINCIPAL_NAME."

This is the error in the Application event log:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 10/11/2006
Time: 3:06:01 PM
User: N/A
Computer: AVICENNA
Description:
There are multiple accounts with name MSSQLSvc/UNITY1.Davison.local:1433 of type DS_SERVICE_PRINCIPAL_NAME.

Resolution

In order to resolve this issue, delete the record that the KDC service complains about. Use ADSIEdit in order to delete the offending SPN registrations.

This is the detailed procedure:

In order to enable the service to authenticate properly, you need to make sure that the service has only one SPN. To do this, first find which accounts hold the duplicate SPNs and then delete all but one of the registrations. The easiest way to determine which account the ServiceClass SPN should be registered under is to identify the service account under which the service starts. For example, if the service class and hostname are MSSQLSvc/hostname.domain.com, log on to hostname.domain.com and verify which account the SQL Server service starts with; that is the account to which the SPN should be registered.

In order to generate a list of the accounts to which the SPNs are registered, run this command at the command prompt.

From the domain controller, open a command prompt and then type this string:

ldifde -f domain.txt -d "dc=domain,dc=com"

Open the text file in Notepad and then search for the SPN that is reported in the event log.

ServiceClass/host.domain.com

Note the user accounts under which the SPN is located and the organizational unit in which each account resides. The userPrincipalName should be located directly above the servicePrincipalName registration, as in this example.

userPrincipalName: useraccount@domain.com
servicePrincipalName: ServiceClass/host.domain.com

Use one of these options in order to delete the SPN registration for ServiceClass/host.domain.com from every account that should not hold it, that is, any account that holds an SPN registration for ServiceClass/host.domain.com but is not the account under which the service explicitly starts.

ADSIEdit

Add ADSIEdit to the MMC and bind to the domain with the use of the Domain well-known naming context.

Navigate to each user account you previously documented that has a duplicate SPN registration and right-click the account and choose Properties.

Scroll through the list of attributes until servicePrincipalName appears. Double-click servicePrincipalName and remove the duplicate SPN registration.  Choose OK and exit ADSIEdit.

SetSPN

From the command prompt, type this command and press Enter.
setspn -D ServiceClass/host.domain.com:Port AccountName
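Reading through the ldifde export by hand is error-prone on a large domain, so here is an added example (not part of the original post) that parses the export and reports every SPN registered on more than one object. The sample LDIF, the object names and the OU paths are constructed for illustration; point the parser at your own domain.txt to get the real list.

```python
import base64
from collections import defaultdict

# Constructed sample of an ldifde export (not real directory data): three
# objects hold the same MSSQLSvc SPN, the condition behind KDC Event ID 11.
SAMPLE_LDIF = """\
dn: CN=UNITY1,OU=Servers,DC=domain,DC=com
servicePrincipalName: HOST/UNITY1
servicePrincipalName: MSSQLSvc/UNITY1.domain.com:1433

dn: CN=sqlsvc,OU=ServiceAccounts,DC=domain,DC=com
userPrincipalName: sqlsvc@domain.com
servicePrincipalName: MSSQLSvc/UNITY1.domain.com:1433

dn: CN=oldsql,OU=ServiceAccounts,DC=domain,DC=com
userPrincipalName: oldsql@domain.com
servicePrincipalName:: TVNTUUxTdmMvVU5JVFkxLmRvbWFpbi5jb206MTQzMw==
"""

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per record; handles folded and base64 lines."""
    record = []
    for raw in text.splitlines() + [""]:          # sentinel flushes the last record
        if raw.startswith(" ") and record:         # LDIF line folding: continuation
            record[-1] += raw[1:]
        elif raw.strip():
            record.append(raw)
        elif record:                               # blank line ends a record
            dn, attrs = None, defaultdict(list)
            for line in record:
                name, _, value = line.partition(":")
                if value.startswith(":"):          # 'attr:: <base64>' form
                    value = base64.b64decode(value[1:].strip()).decode()
                else:
                    value = value.strip()
                if name.lower() == "dn":
                    dn = value
                else:
                    attrs[name.lower()].append(value)
            yield dn, attrs
            record = []

def find_duplicate_spns(text):
    """Map each SPN held by more than one object to the holders' DNs (case-insensitive, as the KDC compares)."""
    holders = defaultdict(set)
    for dn, attrs in parse_ldif(text):
        for spn in attrs.get("serviceprincipalname", []):
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}
```

Every object in the result that is not the account the service starts under is a candidate for the setspn -D command shown above; confirm the service account on the host first, because removing the SPN from the right account breaks Kerberos authentication to it.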

Refer to Event ID 11 in the System log of domain controllers for more information.
