2012R2 DC - AD LDS Service Principal Names - Duplicates
Hello
After installing the first domain controller with 2012R2, we see the following error in the Directory Service log on the new 2012R2 domain controller:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL
CN=APP12345,OU=App1,OU=Servers,DC=DOMAIN12345,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
It seems to be related to the SPN for AD LDS:
http://technet.microsoft.com/pt-br/subscriptions/cc816802
http://technet.microsoft.com/en-us/library/dn535779.aspx
The error only occurs for member servers where AD LDS is installed (application dependency).
Replication status is OK.
Any ideas on how this error should be handled/corrected?
Erlend
ok, how would you interpret this?
These are just a few of the events; domain and username have been modified.
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 21:34:57
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\72933a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP72933:50000
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP72933:50000
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T19:34:57.364335500Z" />
<EventRecordID>400</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="2276" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-16499" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP72933:50000
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP72933:50000
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP72933,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 21:28:38
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\71520a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP71520:50000
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP71520:50000
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T19:28:38.889497700Z" />
<EventRecordID>399</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="6792" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-20445" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP71520:50000
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP71520:50000
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP71520,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 21:24:56
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\73843a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP73843:50000
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP73843:50000
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T19:24:56.574149300Z" />
<EventRecordID>398</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="4564" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-20469" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP73843:50000
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP73843:50000
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP73843,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 21:18:14
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\29648a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29648:50000
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29648:50000
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T19:18:14.332922200Z" />
<EventRecordID>397</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="4164" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-17716" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29648:50000
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29648:50000
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29648,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 21:03:07
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\22659a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP22659:50000
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP22659:50000
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T19:03:07.894010100Z" />
<EventRecordID>396</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="7072" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-17717" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP22659:50000
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP22659:50000
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP22659,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: 14.08.2014 20:44:33
Event ID: 2974
Task Category: Global Catalog
Level: Error
Keywords: Classic
User: DOMAIN\29615a1234
Computer: DC2.DOMAIN.LOCAL
Description:
The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29615R2:50000
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29615R2:50000
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL Winerror: 8647
See http://go.microsoft.com/fwlink/?LinkID=279782 for more details on this policy.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS General" />
<EventID Qualifiers="49152">2974</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>18</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2014-08-14T18:44:33.662067700Z" />
<EventRecordID>395</EventRecordID>
<Correlation />
<Execution ProcessID="608" ThreadID="6388" />
<Channel>Directory Service</Channel>
<Computer>DC2.DOMAIN.LOCAL</Computer>
<Security UserID="S-1-5-21-329068152-484763869-839522115-3553" />
</System>
<EventData>
<Data>servicePrincipalName</Data>
<Data>Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29615R2:50000
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
Value=E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP29615R2:50000
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL
CN=APP29615R2,OU=Application,OU=Servers,DC=DOMAIN,DC=LOCAL</Data>
<Data>8647</Data>
</EventData>
</Event>
Example of SPNs for one server:
Any ideas?
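Event 2974 names the attribute, the value being written and the DN(s) that already hold it; in every event on this page the writer and the holder are the same object, so the first thing to establish is whether any other object in the forest carries the same value. The PowerShell below is an added example, not code from the original thread. It assumes the RSAT ActiveDirectory module is installed where it runs and that a Global Catalog is reachable, and it uses the SPN from the first event (replace it with the one under investigation).

```powershell
# Added example, not code from the original thread.
# Assumes the RSAT ActiveDirectory module and a reachable Global Catalog.
Import-Module ActiveDirectory

# The SPN from the first event above. AD LDS (ADAM) instances register SPNs of the
# form E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/<host>:<ldap-port>.
$spn = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/APP12345:50000'

# Query a Global Catalog (port 3268) so every domain in the forest is covered;
# servicePrincipalName is part of the GC partial attribute set.
$gcHost = [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
$gc     = '{0}:3268' -f $gcHost

# 1. Which objects hold this exact value? AD string matching is case-insensitive,
#    so variants that differ only in case are returned as well.
Write-Host "Objects holding $spn"
Get-ADObject -Server $gc -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
    ForEach-Object { Write-Host ('    {0}  ({1})' -f $_.DistinguishedName, $_.ObjectClass) }

# 2. Forest-wide sweep: every SPN value that is present on more than one object.
$holders = @{}
Get-ADObject -Server $gc -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($value in $_.servicePrincipalName) {
            $key = $value.ToLowerInvariant()          # group case-insensitively
            if (-not $holders.ContainsKey($key)) {
                $holders[$key] = New-Object System.Collections.Generic.List[string]
            }
            $holders[$key].Add($dn)
        }
    }

$dupes = @($holders.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
if ($dupes.Count -eq 0) {
    Write-Host 'No SPN value is held by more than one object.'
}
foreach ($d in $dupes) {
    Write-Host "DUPLICATE: $($d.Key)"
    foreach ($holder in $d.Value) { Write-Host "    $holder" }
}
```

The built-in `setspn -X -F` performs the same forest-wide duplicate sweep from the command line, and `setspn -F -Q <spn>` answers the single-SPN question; the script is useful when you want the holders' DNs in a form you can feed to further checks. If step 1 returns only the object named in the event, the "duplicate" the DC is rejecting is the object re-adding a value it already has, and the fix is on the AD LDS host's registration side rather than a second account to clean up; if it returns two objects, remove the SPN from the one that should not have it before the AD LDS service tries to register it again.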
Similar Messages
-
We are getting the alert message below while using SCOM 2012 R2. Does anybody have any idea how to resolve this on the SQL box?
Thx...
SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
Service Account: NT Service\MSSQL$SQLEXPRESS
Missing SPNs:
Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
Duplicate SPNs:
To fix this issue, you can check the links below:
http://support.microsoft.com/kb/2443457/EN-US
http://www.scomgod.com/?p=155
Mai Ali
-
On all of my SQL Server instances, I can find SQL Server error logs that have the same 3 entries below, so while I already know it can, I need a Microsoft document that says "sqlservr.exe" can, so I can convince the network guys to grant the service account for SQL "Write servicePrincipalName: Allow" in AD.
63 2014-06-26 20:24:02.980 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:1433 ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
61 2014-06-26 20:24:02.970 Server The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:DW ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.
38 2014-06-26 20:24:02.840 Server SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
Duane Lawrence
Refer to the article below:
http://blogs.msdn.com/b/psssql/archive/2010/03/09/what-spn-do-i-use-and-how-does-it-get-there.aspx
Automatic SPN Registration
When an instance of the SQL Server Database Engine starts, SQL Server tries to register the SPN for the SQL Server service. When the instance is stopped, SQL Server tries to unregister the SPN. For a TCP/IP connection the SPN is registered in the format MSSQLSvc/<FQDN>:<tcpport>. Both named instances and the default instance are registered as MSSQLSvc, relying on the <tcpport> value to differentiate the instances.
--Prashanth -
Service principal names of user are not unique; check the active directory
Hello Experts,
My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using the SPNEGO wizard. The format of the service account is not the same as SAP recommended (J2EE-SID-DOMAIN) but something like abc_de_portal. After trying to use that account with the wizard I am getting this error: "Service principal names of user abc_de_portal are not unique; check the active directory configuration." I am not sure what else in the AD attributes is causing the problem. Please let me know if you have run into a similar issue and how you corrected it. Points will be rewarded of course.
Thank you so much for any help that I can get.
Hello Duy,
The SPN of the service user for Kerberos has to be unique, as you would have made out from the message. There seems to be some other user having the same SPN as yours.
You would have to find the other AD user with the same SPN as yours and then deregister it with
setspn -d <SPN> Username
Then this error should not come up after that.
There is also a tool called Ldifde which you can use for this. We have our AD team do this for us. It would be better if you ask them to carry this out.
Rgds -
Service principal names of user j2ee- SID are not unique
Hi everyone,
I am trying to configure the SPNego, following the guide below Configuring and troubleshooting SPNego -- Part 1
but I'm getting an error that I have not been able to solve.
Here are pictures of the progress so far:
[step 1|http://imageshack.us/photo/my-images/807/59238690.jpg/]
[Step 2|http://imageshack.us/photo/my-images/804/55731867.jpg/]
[Step 3|http://imageshack.us/photo/my-images/27/73007146.jpg/]
Test following and has not worked
http://help.sap.com/saphelp_em70/helpdata/en/45/59b55b943909cae10000000a114a6b/content.htm
thanks
Manuel
Hi, Manuel!
Check these threads for solution:
Service principal names of user are not unique; check the active directory
Service Principal Names of Users j2ee-MDS-tcsm3 not in unique-Check ADC
Regards, Mikhail. -
Is a service principal name (SPN) bound to a specific machine?
At the moment I am getting a KrbException: Integrity check on decrypted field failed (31) with my GSS demo application (on the server side). Now I am looking for the reason for this. I have the suspicion, that it comes from the fact that
1. the client and the server application run on the same machine (localhost) and/or
2. the SPN was generated for another machine (computer)
The second means that the service principal was generated for a machine xxx0815.domain.net, so the SPN is HTTP/[email protected]. And my machine is not that one, but I have got the keytab file so that the server's login method succeeds.
Do I suspect correctly or am I making another mistake?
Server configuration and source code:
server.conf
Server {
    com.sun.security.auth.module.Krb5LoginModule required
        isInitiator=false
        doNotPrompt=true
        useKeyTab=true
        keyTab="gssdemo.keytab"
        storeKey=true
        principal="HTTP/[email protected]"
        debug=true;
};
GSSServer.java (omitted the boilerplate stuff)
import java.net.ServerSocket;
import org.ietf.jgss.*;

// getServerName(), createKerberosOid() and SocketAdapter are the poster's own helpers (not shown)
GSSManager manager = GSSManager.getInstance();
GSSName serverName = manager.createName(getServerName(), null);
GSSCredential serverCred = manager.createCredential(serverName,
        GSSCredential.INDEFINITE_LIFETIME,
        createKerberosOid(),
        GSSCredential.ACCEPT_ONLY);
GSSContext context = manager.createContext(serverCred);
System.out.println("Context created successfully. Now incoming tokens could be accepted.");
ServerSocket serverSocket = new ServerSocket(55555);
SocketAdapter ca = new SocketAdapter(serverSocket.accept());
while (!context.isEstablished()) {
    byte[] inToken = ca.readToken();
    byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
    if (outToken != null) {
        ca.sendToken(outToken);
    }
}
System.out.println("Context established");
System.out.println("Connected user is: " + context.getSrcName());
context.dispose();
Client configuration and source code:
client.conf
Client {
    com.sun.security.auth.module.Krb5LoginModule required
        useTicketCache=true
        debug=true;
};
GssClient.java (boilerplate omitted)
import java.net.Socket;
import org.ietf.jgss.*;

// getClientName(), createKerberosOid() and SocketAdapter are the poster's own helpers (not shown)
GSSManager manager = GSSManager.getInstance();
GSSName clientName = manager.createName(getClientName(), null);
GSSCredential clientCred = manager.createCredential(clientName,
        8 * 3600,
        createKerberosOid(),
        GSSCredential.INITIATE_ONLY);
GSSName serviceName = manager.createName("HTTP/[email protected]", null);
GSSContext context = manager.createContext(serviceName,
        createKerberosOid(),
        clientCred,
        GSSContext.DEFAULT_LIFETIME);
context.requestMutualAuth(true);
context.requestConf(false);
context.requestInteg(true);
System.out.println("Establishing context");
SocketAdapter ca = new SocketAdapter(new Socket("localhost", 55555));
byte[] inToken = new byte[0];
while (true) {
    byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
    if (outToken != null) {
        ca.sendToken(outToken);
    }
    if (context.isEstablished()) {
        break;
    }
    inToken = ca.readToken();
}
System.out.println("Context established: " + context.isEstablished());
context.dispose();
I have checked the outgoing and incoming network data - it's the same on both sides so I can rule out a problem there.
The exception I get:
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at de.westlb.mrm.sandbox.gss.GssServer.acceptAndEstablish(GssServer.java:88)
at de.westlb.mrm.sandbox.gss.GssServer.run(GssServer.java:66)
... 4 more
Caused by: KrbException: Integrity check on decrypted field failed (31)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 8 more -
Target principal name is incorrect - cannot generate SSPI context
First off, yes, I've looked at numerous articles on this subject and haven't yet found someone with a similar situation and none of the resolutions I've found seem applicable.
My situation: Server 2008R2 Enterprise with SQL 2012 Standard. I have two instances running on this server, DEV and TEST. I do not have a default (unnamed) instance. This is one of the differences between my situation and every other
article I've looked at. I AM able to connect remotely to the DEV instance, but the TEST instance gives me the SSPI error. To take it a step further, the SQL services aren't running under domain credentials; they're running under local credentials.
These two issues don't match anything I've found on the subject so far.
I ran "setspn -L" against the server's machine account (since the SQL services are local, not domain) and here's what I got:
MSSQLSvc/[server FQDN]:49592
MSSQLSvc/[server FQDN]:TEST
MSSQLSvc/[server FQDN]:49487
MSSQLSvc/[server FQDN]:DEV
WSMAN/[server]
WSMAN/[server FQDN]
TERMSERV/[server FQDN]
TERMSERV/[server]
RestrictedKrbHost/[server]
HOST/[server]
RestrictedKrbHost/[server FQDN]
HOST/[server FQDN]
The server is of course a domain member, and we only have a single domain, so there's no cross-domain/forest stuff going on.
Remotely, SA authentication works against both instances. Locally, both SA and Windows authentication work against both instances. Remotely, Windows authentication works against the DEV instance, but not against the TEST instance, returning the
error "The target principal name is incorrect. Cannot generate SSPI context."
Both database have identical settings in the SQL Config Mgr (Shared Memory and TCP/IP enabled). Both instances are set to allow remote logon.
The security for the various services:
SQL Server (DEV) = NT Service\MSSQL$DEV
SQL Server (TEST) = NT Service\MSSQL$TEST
SQL Server Agent (DEV) = NT Service\SQLAgent$DEV
SQL Server Agent (TEST) = NT Service\SQLAgent$TEST
SQL Server Browser = Local Service
On both instances, the query "exec xp_readerrorlog 0,1,'could not register the Service Principal Name',Null" comes back with two entries from when the system was installed, saying it was unable to register the SPN. That makes sense, because
SQL isn't running with domain credentials, although the SPNs ARE apparently in AD (see above).
On both instances, the query "select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid" returns the same thing - "shared memory", "NTLM". Basically, I can find no configuration difference
between the two instances.
Anyone got any ideas?
Hi Todd,
According to your description, we need to make sure the typed server name is right, and verify that your Windows account is valid when you connect to the TEST instance remotely using Windows authentication. You can refer to the following steps for checking the login name.
1.Log in the test instance remotely by using sa authentication.
2. Enter the security and check if the windows account is valid.
In addition, there is more details about how to troubleshoot the "Cannot generate SSPI context" error message, you can review the article.
http://support.microsoft.com/kb/811889
Thanks,
Sofiya Li
TechNet Community Support -
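The SCOM alert ("missing, misplaced, or duplicated"), the 0x2098 registration failure and the "cannot generate SSPI context" post above all reduce to one question: does the account that runs the SQL Server service hold exactly the SPNs SQL Server would register for that instance, and does nothing else hold them? The PowerShell below is an added example, not code from any of the posts. It assumes the RSAT ActiveDirectory module and a reachable Global Catalog; the host name, ports and accounts in it are constructed placeholders to be replaced with real values. A service running as a virtual account such as NT Service\MSSQL$DEV uses the machine identity, so its SPNs belong on the computer account, which is what the `setspn -L` output in the SSPI post shows; a domain service account must hold them itself.

```powershell
# Added example, not code from any of the posts above.
# Assumes the RSAT ActiveDirectory module and a reachable Global Catalog.
# Host name, ports and accounts are constructed placeholders.
Import-Module ActiveDirectory

$sqlHost = 'sqlbox01.corp.example'   # assumed FQDN of the SQL Server host

# One entry per instance: the TCP port it listens on and the sAMAccountName of the
# account that should hold the SPNs. A service running as a virtual account
# (NT Service\MSSQL$DEV) or as Local System/Network Service uses the machine
# identity, so its SPNs belong on the computer account (name ends in '$').
# The port-to-instance mapping here is invented for illustration.
$instances = @(
    @{ Name = 'DEV';         Port = 49487; ServiceAccount = 'SQLBOX01$' },
    @{ Name = 'TEST';        Port = 49592; ServiceAccount = 'SQLBOX01$' },
    @{ Name = 'MSSQLSERVER'; Port = 1433;  ServiceAccount = 'svc_sql'   }  # domain account
)

function Get-ExpectedSqlSpns {
    # SQL Server registers MSSQLSvc/<FQDN>:<port>; a named instance also gets
    # MSSQLSvc/<FQDN>:<instance> (the format quoted from the psssql blog above).
    param([string]$Fqdn, [string]$Instance, [int]$Port)
    $spns = @("MSSQLSvc/${Fqdn}:$Port")
    if ($Instance -ne 'MSSQLSERVER') { $spns += "MSSQLSvc/${Fqdn}:$Instance" }
    return $spns
}

function Get-SpnHolders {
    # sAMAccountName of every object in the forest that carries the SPN
    param([string]$Spn)
    $gc = '{0}:3268' -f [string](Get-ADDomainController -Discover -Service GlobalCatalog).HostName
    Get-ADObject -Server $gc -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName |
        Select-Object -ExpandProperty sAMAccountName
}

foreach ($inst in $instances) {
    foreach ($spn in Get-ExpectedSqlSpns -Fqdn $sqlHost -Instance $inst.Name -Port $inst.Port) {
        $holders = @(Get-SpnHolders -Spn $spn)
        $state = switch ($holders.Count) {
            0       { 'MISSING' }      # nobody holds it: clients fall back to NTLM
            1       { if ($holders[0] -ieq $inst.ServiceAccount) { 'OK' } else { 'MISPLACED' } }
            default { 'DUPLICATE' }    # two accounts: the KDC cannot issue a service ticket
        }
        '{0,-9} {1,-50} {2}' -f $state, $spn, ($holders -join ', ')
    }
}
```

Two caveats a practitioner will want. Windows return code 0x2098 is 8344, ERROR_DS_INSUFF_ACCESS_RIGHTS: the service account could not write its own servicePrincipalName, which is the permission the 0x2098 poster is asking to have granted; until it is, the SPNs either have to be added by hand or the clients silently use NTLM, exactly as the log message says. And a named instance on a dynamic port (the 49xxx ports in the SSPI post's setspn -L output are in that range) needs a new MSSQLSvc/<FQDN>:<port> SPN whenever the port changes after a restart, so a check that reported OK at install time can report MISSING later; pin the port or re-run the check after restarts.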
Hi Experts,
We had a task to migrate all SQL Server components to another server; the migration went well and had no issues at all. We can log in to the SSAS service locally without any issues, but when we connect to Analysis Services from other machines (servers)
it gives the error below.
Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
1) it is a stand alone server
2) it is connecting to default instance but not to a named instance
3) SPN's were set correctly. Double checked with the tool(MS Kerberos configuration Tool).
4) The SQL server analysis start account has domain admin privileges.
5) we can connect to Database services from the other machine remotely.
6) none of the analysis services are connecting.
Thank you in advance.
Hi Ramu,
According to your description, you migrated SQL Server to another server, everything works fine except that cannot connect to SSAS remotely with the error, right?
Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
Based on my research, this issue is caused by the SPN for the account that runs Analysis Services being corrupt. You said that the SPNs were set correctly; however, the error message indicates that the problem is related to the SPN. So in your scenario, you can
delete the SPN under the service account and register the SPN for the Analysis Services instance. Please refer to the link below for the details.
http://msdn.microsoft.com/en-IN/library/dn194200.aspx
Besides, here is a blog which describe the similar issue.
http://www.wolfsoftwaresystems.com/code/sql/the-target-principal-name-is-incorrect-microsoft-analysisservices-adomdclient/
Regards,
Charlie Liao
TechNet Community Support -
Demote Server and Remove AD DS Role fails with "the target principal name is incorrect"
Hi all,
I am attempting to demote a domain controller so I can remove the AD DS role and have the server be just a standalone workstation.
This domain controller has never replicated the domain, and DS services were/are not working. We didn't discover this until the other domain controller died; it has since been rebuilt with a brand new domain. The old domain no longer exists whatsoever.
So, as said, I'm trying to demote this server; there is no domain to tidy up afterwards. However, even with the force removal option I'm getting the DFS Replication error: "the target principal name is incorrect". I do not exactly require
it to do this myself; there is nothing to replicate anymore, I just need the DC demoted or the role completely removed. There are no other DCs to transfer FSMOs to or anything like that, as it is to be completely stand-alone.
Does anyone have any ideas how this role can be forcibly removed other than using the " force removal option " in ADDS config wizard?
Any help will be gratefully appreciated.
Thanks in advance
Phill
Hi Phill,
You can try to use Ntdsutil.exe to perform metadata cleanup.
If this doesn’t work, then I agree with Ed that you would need to reinstall the machine.
More information for you:
Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx#bkmk_commandline
Best Regards,
Amy -
Limitation on principal name length due to propagation?
Is there a limitation on the java.security.Principal name length due to the underlying
implementation of the security context propagation, even though it is a java.lang.String?
Thanks,
Guillaume Bedard
-
How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"
Can someone help with steps on how to add the following in SQL Server 2012 environments?
"Service Account Name" and "Display Name"
Your help will be greatly appreciated.
leonie6214
Hello,
Is the following article what you are looking for?
http://msdn.microsoft.com/en-us/library/ms345578.aspx
If not, could you explain a little bit more what you want to accomplish?
Hope this helps.
Regards,
Alberto Morillo
SQLCoffee.com -
No service user name found for Integration Server
Hi All,
Our XI is in production. Once in a while (once every 3 weeks) messages fail, saying: No service user name found for Integration Server. When we restart the J2EE engine, messages get processed fine. Does anyone know the reason for the above error?
<SAP:AdditionalText>3:No service user name found for Integration Server is.00.******</SAP:AdditionalText>
<SAP:Stack>Error when reading the access data(URL, user, password)
Thanks
Indrasena
Hi,
Did you configure your adapters like IDoc and RFC based on the SAP service user created in the SAP system, i.e. the RFC destination etc.?
Did you check that the pipeline URL is correct in the SLD > Business System > Integration Server? It should have the HTTP port.
Also check this thread-
sRFC-adapter and file adapter with error: no adapter found
Regards,
moorthy -
I need to be able to use wildcards in some principal names in the policy file.
I tried to solve it with the equals() method in my Principal class, but it does not work. Where are the principal names (values) in the policy file compared to the names of the principals of the same type in the subject?
I see two possible solutions, but I would prefer another solution. What do you think? These are my solutions:
1) Let my principal class implement com.sun.security.auth.PrincipalComparator in addition to java.security.Principal.
2) Some how solve it with the implies() method in the Permission classes. (How?)
Please help!
The comparison is done inside the sun.security.provider.PolicyFile implementation (the default implementation of java.security.Policy).
PolicyFile calls Principal.getClass().getName() along with Principal.getName(), and then compares those values to the class name and principal name listed in the policy file. Note that these are simply String comparisons (they are not done using Principal.equals).
That means you are left with the following choices. You can implement PrincipalComparator, as you mentioned, or you can extend and replace the PolicyFile implementation.
Alternatively, there is one obscure feature in PolicyFile that is not well documented. It supports a minimal amount of wildcarding. Specifically:
grant Principal com.foo.Principal * {
grant Principal * * {
If the principal class is wildcarded, then the principal name must also be wildcarded (this is the second example above). Unfortunately this may not give you the level of wildcarding that you desire.
If the permissions you want to grant are all custom permissions (you have control over the implementation), then it may be possible to design them in a way to achieve what you want. Look at javax.security.auth.PrivateCredentialPermission. That permission encapsulates principals inside of its target name. You would have to design your custom permission class to have a similar syntax, and then the implies method could perform the correct logic for principal name wildcarding.
In this particular case, since the policy file grant statement does not contain principal information (see the example in the PrivateCredentialPermission javadocs), the String comparison that I described above does not occur. Instead, Permission.implies is called, and you have control over that behavior.
Hope that helps. -
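To illustrate the custom-permission route the answer describes, here is an added example (not code from the thread or from the JDK) of a hypothetical PrincipalNamePermission whose target name carries a principal class and a principal-name glob, in the spirit of PrivateCredentialPermission. Because the grant statement then contains no principal information, PolicyFile's String comparison is bypassed and the wildcard logic lives in implies(). The class name, the target syntax "<principalClass> <nameGlob>", and the DemoPrincipal used in main are all assumptions for the example.

```java
import java.security.Permission;
import java.security.Principal;
import java.util.regex.Pattern;

/**
 * Hypothetical permission whose target encodes a principal class and a
 * principal-name glob, e.g. "com.foo.Principal admin_*" or "* *".
 * Wildcard matching happens here in implies(), not in PolicyFile's exact
 * String comparison of class name and principal name.
 */
public final class PrincipalNamePermission extends Permission {
    private final String principalClass;   // fully qualified class name, or "*"
    private final String nameGlob;         // principal name, may contain '*'
    private final Pattern namePattern;     // compiled form of nameGlob

    public PrincipalNamePermission(String target) {
        super(target);
        String[] parts = target.trim().split("\\s+", 2);
        if (parts.length != 2) {
            throw new IllegalArgumentException("target must be '<principalClass> <nameGlob>'");
        }
        principalClass = parts[0];
        nameGlob = parts[1];
        namePattern = globToPattern(nameGlob);
    }

    /** Two-argument form so a policy parser can instantiate it; actions are ignored. */
    public PrincipalNamePermission(String target, String actions) {
        this(target);
    }

    // Turns a glob with '*' into an anchored regex; every other character is quoted.
    private static Pattern globToPattern(String glob) {
        StringBuilder re = new StringBuilder("^");
        for (char c : glob.toCharArray()) {
            re.append(c == '*' ? ".*" : Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(re.append('$').toString());
    }

    private boolean classMatches(String cls) {
        return principalClass.equals("*") || principalClass.equals(cls);
    }

    /** Checks a concrete Principal taken from a Subject against this (possibly wildcarded) grant. */
    public boolean matches(Principal p) {
        return classMatches(p.getClass().getName()) && namePattern.matcher(p.getName()).matches();
    }

    /** A wildcard grant implies any concrete (non-wildcard) request whose name fits the glob. */
    @Override
    public boolean implies(Permission other) {
        if (!(other instanceof PrincipalNamePermission)) {
            return false;
        }
        PrincipalNamePermission req = (PrincipalNamePermission) other;
        if (req.nameGlob.contains("*")) {
            // A wildcarded request is only implied by an identical grant.
            return principalClass.equals(req.principalClass) && nameGlob.equals(req.nameGlob);
        }
        return classMatches(req.principalClass) && namePattern.matcher(req.nameGlob).matches();
    }

    @Override public String getActions() { return ""; }

    @Override public boolean equals(Object o) {
        return o instanceof PrincipalNamePermission && getName().equals(((Permission) o).getName());
    }

    @Override public int hashCode() { return getName().hashCode(); }

    // Minimal Principal used only by the demo below (constructed sample, not a real class).
    static final class DemoPrincipal implements Principal {
        private final String name;
        DemoPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    public static void main(String[] args) {
        // Corresponds to a policy grant that carries no principal clause, e.g.:
        //   grant { permission PrincipalNamePermission "com.foo.Principal admin_*"; };
        PrincipalNamePermission grant = new PrincipalNamePermission("com.foo.Principal admin_*");
        PrincipalNamePermission anyClass = new PrincipalNamePermission("* *");

        System.out.println("admin_alice, same class:  "
                + grant.implies(new PrincipalNamePermission("com.foo.Principal admin_alice")));
        System.out.println("guest_bob, same class:    "
                + grant.implies(new PrincipalNamePermission("com.foo.Principal guest_bob")));
        System.out.println("admin_alice, other class: "
                + grant.implies(new PrincipalNamePermission("com.bar.Other admin_alice")));
        System.out.println("admin_alice, '* *' grant: "
                + anyClass.implies(new PrincipalNamePermission("com.bar.Other admin_alice")));
        System.out.println("DemoPrincipal vs '* *':   " + anyClass.matches(new DemoPrincipal("zoe")));
    }
}
```

The design choice worth noting is that the wildcard is interpreted only when this permission is the grant side of implies(); a request built from a concrete Subject principal never contains a '*', so a caller cannot widen its own request by passing a glob.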
Principal Name for Active Directory "Domain Users"
Hi,
I successfully integrated WebLogic & Active Directory Kerberos (SSO). I tested a web application and successfully logged in with authentication.
The system automatically recognized my Active Directory username. It worked.
For authentication in my weblogic.xml I used
<security-role-assignment>
<role-name>admin</role-name>
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
</security-role-assignment>
Now I'm trying to allow all domain members to authenticate to my application. For my application I only need the Active Directory usernames for them.
For this purpose, I removed "kursat" and "fenerbahce" from my weblogic.xml:
<principal-name>kursat</principal-name>
<principal-name>fenerbahce</principal-name>
I added
<principal-name>Domain Users</principal-name>
instead of writing all domain users.
However, I couldn't authenticate. I got "Error 403--Forbidden".
Is there anyone who can help me?
Test by creating a group under Domain Users and use it as your principal name in your weblogic.xml.
-Faisal
http://www.weblogic-wonders.com -
LCM Migration - Instance name? Shared services project Name ? Data source?
Situation
* We have hyperion 11.1.1.3.24
* Objective - trying to perform a LCM file-migration from our DEV environment to UAT
* DEV has only one PMA enabled Planning Application (“budget”), few FR reports & other related artifacts.
So far
* Successfully Exported these 4 (EPMA, Shared-services, Planning & FR) from our DEV
* When trying to import EPMA into our UAT, noticed the status shows Failed. (Noticed Similar claims have been reported in other posts as well.)
Another dilemma I have is what I should enter for Instance Name, Shared services Project name & Data source.
* Instance Name ===> ? Not sure how to find this.
* Shared services project ===> Haven't created one at all. So, which one should I use, OR how do I find this out?
* Data Source ===> I guess this would be the EPMA repository database name?
Although I can migrate all the artifacts into our UAT (identical to our DEV), the migration status has shown as "Failed". Is this because I skipped the Destination options with blank values (for Instance, shared-services & data-source)? Has anyone ever had success on this migration step?
OR should I disregard this migration status, since we can see all identical artifacts in our UAT?
Any help would be greatly appreciated.
If you log into EPMA and pick an application and select deploy (don't worry, you don't have to deploy; you can cancel it before you do so),
it will display a popup which will have the
Instance Name (usually default), Shared Services Project (drop down will display different application groups available), Data Source (this is the name you gave when you created the datasource for the application)
Cheers
John
http://john-goodwin.blogspot.com/