2012R2 DC - AD LDS Service Principal Names - Duplicates

Similar Messages

• SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated

  We are getting this below alert message, while using SCOM 2012 R2.  Anybody have any idea how to resolve this on the SQL box ?
  Thx...
  SQL Server cannot authenticate using Kerberos because the Service Principal Name (SPN) is missing, misplaced, or duplicated.
  Service Account: NT Service\MSSQL$SQLEXPRESS
  Missing SPNs:
  Misplaced SPNs: MSSQLSvc/mysqlbox.com:SQLEXPRESS - sqldbadmin
  Duplicate SPNs:

  To Fix this issue, You can check below links
  http://support.microsoft.com/kb/2443457/EN-US
  http://www.scomgod.com/?p=155
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"Mai Ali | My blog:
  Technical | Twitter:
  Mai Ali

• I need a Microsoft document that says "sqlservr.exe" can register setspn (Service Principal Name)

  On all of my SQL Server instances, I can find SQL server error logs that have the same 3 entries below, so while I already know it can, I need a Microsoft document that says "sqlservr.exe" can so I can convince the network guys to grant the service
  account for SQL "Write servicePrincipalName: Allow" in AD.
  63           2014-06-26 20:24:02.980                Server   The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:1433
  ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
  is required by authentication policies and if the SPN has not been manually registered.
  61           2014-06-26 20:24:02.970                Server   The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/DFW-MSSQLDW.PathologyPartners.intranet:DW
  ] for the SQL Server service. Windows return code: 0x2098, state: 20. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication
  is required by authentication policies and if the SPN has not been manually registered.
  38           2014-06-26 20:24:02.840                Server   SQL Server is attempting to register a Service Principal Name (SPN) for the SQL Server service. Kerberos authentication will not
  be possible until a SPN is registered for the SQL Server service. This is an informational message. No user action is required.
  Duane Lawrence

  Refer the below article
  http://blogs.msdn.com/b/psssql/archive/2010/03/09/what-spn-do-i-use-and-how-does-it-get-there.aspx
  Automatic SPN Registration
  When an instance of the SQL Server Database Engine starts, SQL Server tries to register the SPN for the SQL Server service. When the instance is stopped, SQL Server tries to unregister the SPN. For a TCP/IP connection the SPN is registered in the format MSSQLSvc/<FQDN>:<tcpport>.Both
  named instances and the default instance are registered as MSSQLSvc, relying on the <tcpport> value to differentiate the instances.
  --Prashanth

• Service principal names of user are not unique; check the active directory

  Hello Experts,
  My company had set up this service principal account to use with Kerberos and I am trying to configure the authentication template using SPNEGO wizzard.  The format of the service account is not the same as SAP recommened (J2EE-SID-DOMAIN) but something like abc_de_portal.  After trying to use that account with the wizzard I am getting this error "Service principal names of user abc_de_portal are not unique; check the active directory configuration."  I am not sure what else in the AD attributes is causing the problem.  Please let me know if you have ran into similar issue and how did you corrected.  Points will be rewarded of course. 
  Thank you so much for any help that I can get.

  Hello Duy,
    SPN of the service user for kerberos has to be unique as you would have made out from the message . There seems to be
  someother user having the SPN as yours.
  You would have to find the other AD user with the same SPN as yours and then de register that with
  setspn u2013d <SPN> Username
  Then this error should not come up after that .
  There was a tool called Ldifde  which you can use for this. We have our AD team do this for us. Would be better if you ask them to carry this out.
  Rgds

• Service principal names of user j2ee- SID are not unique

  Hi everyone,
  I am trying to configure the SPNego, following the guide below Configuring and troubleshooting SPNego -- Part 1
  but I'm getting an error that I have not been solved
  then pictures of the developments so far:
  [step 1|http://imageshack.us/photo/my-images/807/59238690.jpg/]
  [Step 2|http://imageshack.us/photo/my-images/804/55731867.jpg/]
  [Step 3|http://imageshack.us/photo/my-images/27/73007146.jpg/]
  Test following and has not worked
  http://help.sap.com/saphelp_em70/helpdata/en/45/59b55b943909cae10000000a114a6b/content.htm
  thanks
  Manuel

  Hi, Manuel!
  Check these threads for solution:
  Service principal names of user are not unique; check the active directory
  Service Principal Names of Users j2ee-MDS-tcsm3 not in unique-Check ADC
  Regards, Mikhail.

• Is a service principal name (SPN) bound to a specific machine?

  At the moment I am getting a KrbException: Integrity check on decrypted field failed (31) with my GSS demo application (on the server side). Now I am looking for the reason for this. I have the suspicion, that it comes from the fact that
  1. the client and the server application run on the same machine (localhost) and/or
  2. the SPN was generated for another machine (computer)
  The second means that the service principal was generated for a machine xxx0815.domain.net, so the SPN is HTTP/[email protected]. And my machine is not that one, but I have got the keytab file so that the server's login method succeeds.
  Do I suspect correctly or am I making another mistake?
  Server configuration and source code:
  server.conf
  Server {
      com.sun.security.auth.module.Krb5LoginModule
          required
          isInitiator=false
          doNotPrompt=true
          useKeyTab=true
          keyTab="gssdemo.keytab"
          storeKey=true
          principal="HTTP/[email protected]"
          debug=true;
  };GSSServer.java (omitted the boilerplate stuff)
  GSSManager manager = GSSManager.getInstance();
  GSSName serverName = manager.createName(getServerName(), null);
  GSSCredential serverCred = manager.createCredential(serverName,
                                                      GSSCredential.INDEFINITE_LIFETIME,
                                                      createKerberosOid(),
                                                      GSSCredential.ACCEPT_ONLY);
  GSSContext context = manager.createContext(serverCred);
  System.out.println("Context created successfully. Now incoming tokens could be accepted.");
  ServerSocket serverSocket = new ServerSocket(55555);
  SocketAdapter ca = new SocketAdapter(serverSocket.accept());
  while (!context.isEstablished()) {
      byte[] inToken = ca.readToken();
      byte[] outToken = context.acceptSecContext(inToken, 0, inToken.length);
      if (outToken != null) {
          ca.sendToken(outToken);
  System.out.println("Context established");
  System.out.println("Connected user is: " + context.getSrcName());
  context.dispose();

  Client configuration and source code:
  client.conf
  Client {
      com.sun.security.auth.module.Krb5LoginModule
          required
          useTicketCache=true
          debug=true;
  };GssClient.java (boilerplate omitted)
  GSSManager manager = GSSManager.getInstance();
  GSSName clientName = manager.createName(getClientName(), null);
  GSSCredential clientCred = manager.createCredential(clientName,
                                                      8 * 3600,
                                                      createKerberosOid(),
                                                      GSSCredential.INITIATE_ONLY);
  GSSName serviceName = manager.createName("HTTP/[email protected]", null);
  GSSContext context = manager.createContext(serviceName,
                                             createKerberosOid(),
                                             clientCred,
                                             GSSContext.DEFAULT_LIFETIME);
  context.requestMutualAuth(true);
  context.requestConf(false);
  context.requestInteg(true);
  System.out.println("Establishing context");
  SocketAdapter ca = new SocketAdapter(new Socket("localhost", 55555));
  byte[] inToken = new byte[0];
  while (true) {
      byte[] outToken = context.initSecContext(inToken, 0, inToken.length);
      if (outToken != null) {
          ca.sendToken(outToken);
      if (context.isEstablished()) {
          break;
      inToken = ca.readToken();
  System.out.println("Context established: " + context.isEstablished());
  context.dispose();I have checked the outgoing and incoming network data - it's the same on both sides so I can rule out a problem there.
  The exception I get:
  Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Integrity check on decrypted field failed (31))
      at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
      at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
      at de.westlb.mrm.sandbox.gss.GssServer.acceptAndEstablish(GssServer.java:88)
      at de.westlb.mrm.sandbox.gss.GssServer.run(GssServer.java:66)
      ... 4 more
  Caused by: KrbException: Integrity check on decrypted field failed (31)
      at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:154)
      at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
      at sun.security.krb5.internal.crypto.DesCbcEType.decrypt(DesCbcEType.java:125)
      at sun.security.krb5.internal.crypto.DesCbcMd5EType.decrypt(DesCbcMd5EType.java:33)
      at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
      at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
      at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
      at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
      at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
      ... 8 more

• Target principal name is incorrect - cannot generate SSPI context

  First off, yes, I've looked at numerous articles on this subject and haven't yet found someone with a similar situation and none of the resolutions I've found seem applicable.
  My situation:  Server 2008R2 Enterprise with SQL 2012 Standard.  I have two instances running on this server, DEV and TEST.  I do not have a default (unnamed) instance.  This is one of the differences between my situation and every other
  article I've looked at.  I AM able to connect remotely to the DEV instance, but the TEST instance give me the SSPI error.  To take it a step further, the SQL services aren't running under domain credentials; they're running under local credentials. 
  These two issues don't match anything I've found on the subject so far.
  I ran "setspn -L" against the server's machine account (since the SQL services are local, not domain) and here's what I got:
  MSSQLSvc/[server FQDN]:49592
  MSSQLSvc/[server FQDN]:TEST
  MSSQLSvc/[server FQDN]:49487
  MSSQLSvc/[server FQDN]:DEV
  WSMAN/[server]
  WSMAN/[server FQDN]
  TERMSERV/[server FQDN]
  TERMSERV/[server]
  RestrictedKrbHost/[server]
  HOST/[server]
  RestrictedKrbHost/[server FQDN]
  HOST/[server FQDN]
  The server is of course a domain member, and we only have a single domain, so there's no cross-domain/forest stuff going on.
  Remotely, SA authentication works against both instances.  Locally, both SA and Windows authentication work against both instances.  Remotely, Windows authentication works against the DEV instance, but not against the TEST instance, returning the
  error "The target principal name is incorrect.  Cannot generate SSPI context."
  Both database have identical settings in the SQL Config Mgr (Shared Memory and TCP/IP enabled).  Both instances are set to allow remote logon.
  The security for the various services:
  SQL Server (DEV) = NT Service\MSSQL$DEV
  SQL Server (TEST) = NT Service\MSSQL$TEST
  SQL Server Agent (DEV) = NT Service\SQLAgent$DEV
  SQL Server Agent (TEST) = NT Service\SQLAgent$TEST
  SQL Server Browser = Local Service
  On both instances, the query "exec xp_readerrorlog 0,1,'could not register the Service Principal Name',Null" comes back with two entries from when the system was installed, saying it was unable to register the SPN.  That makes sense, because
  SQL isn't running with domain credentials, although the SPNs ARE apparently in AD (see above).
  On both instances, the query "select net_transport, auth_scheme from sys.dm_exec_connections where session_id=@@spid" returns the same thing - "shared memory", "NTLM".  Basically, I can find no configuration difference
  between the two instances.
  Anyone got any ideas?

  Hi Todd,
  According to your description, we need to make sure the typed server name is right, and verify if your windows account is valid when you connect to the test instance remotely by using Windows authentication. You can refer to the following steps for checking
  the login name.
  1.Log in the test instance remotely by using sa authentication.
  2. Enter the security and check if the windows account is valid.
  In addition, there is more details about how to troubleshoot the "Cannot generate SSPI context" error message, you can review the article.
  http://support.microsoft.com/kb/811889
  Thanks,
  Sofiya Li
  If you have any feedback on our support, please click here.
  Sofiya Li
  TechNet Community Support

• Authentication failed. (Microsoft.AnalysisServices.AdomdClient). The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)

  Hi Experts,
  We had a task to  migrate SQL Server all the components to another server, the migration went well and had no issues at all. but We can login to SSAS service locally wihtout any issues. when we are connecting the analysis services from the other machines(servers)
  it is givng the below error.
  Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
  The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
  1) it is a stand alone server
  2) it is connecting to default instance but not to a named instance
  3) SPN's were set correctly. Double checked with the tool(MS Kerberos configuration Tool).
  4) The SQL server analysis start account has domain admin privileges.
  5) we can connect to Database services from the other machine remotely.
  6) none of the analysis services are  connecting.
  Thank you in advance.

  Hi Ramu,
  According to your description, you migrated SQL Server to another server, everything works fine except that cannot connect to SSAS remotely with the error, right?
  Authentication failed. (Microsoft.AnalysisServices.AdomdClient)
  The target principal name is incorrect (Microsoft.AnalysisServices.AdomdClient)
  Based on my research, this issue is caused by that the SPN for account that run the Analysis Services is corrupt. You said that the SPN were set correctly, however the error message indicate that the problem is related to SPN. So in your scenario, you can
  delete the SPN under the service account, and register SPN for Analysis Services instance. Please refer to the link below to see the details.
  http://msdn.microsoft.com/en-IN/library/dn194200.aspx
  Besides, here is a blog which describe the similar issue.
  http://www.wolfsoftwaresystems.com/code/sql/the-target-principal-name-is-incorrect-microsoft-analysisservices-adomdclient/
  Regards,
  Charlie Liao
  TechNet Community Support

• Demote Server and Remove AD DS Role fails with "the target principal name is incorrect"

  Hi all, 
  I am attempting to demote a domain controller so i can remove the AD DS role and have the server just its own workstation.
  This domain controller has never replicated the domain and DS services were/are not working.  We didnt discover this until the other domain controller died and has since been rebuilt with a brand new domain.  The old domain no longer exists whatsoever.
  So as said, I'm trying to demote this server, there is no domain to tidy up afterwards.  However even with force removal option I'm getting the DFS Replication error: "the target principal name is incorrect".  I do not exactly require
  it do this myself, there is nothing to replicate anymore, i just need the DC demoted or role completely removed.  There are no other DC's to transfer FSMO's or anything like that as its to be completely stand-alone.
  Does anyone have any ideas how this role can be forcibly removed other than using the " force removal option " in ADDS config wizard?  
  Any help will be gratefully appreciated.
  Thanks in advance
  Phill

  Hi Phill,
  You can try to use Ntdsutil.exe to perform metadata cleanup.
  If this doesn’t work, then I agree with Ed that you would need to reinstall the machine.
  More information for you:
  Clean Up Server Metadata
  http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx#bkmk_commandline
  Best Regards,
  Amy

• Limitation on principal name length due to propagation?

  Is there a limitation on the java.security.Principal name length due to the underlying
  implementation of the security context propagation, even though it is a java.lang.String?
  Thanks,
  Guillaume Bedard

  Is there a limitation on the java.security.Principal name length due to the underlying
  implementation of the security context propagation, even though it is a java.lang.String?
  Thanks,
  Guillaume Bedard

• How to add a service account in SQL Server to display the "Service Account Name" and "Display Name"

  Can someone
  help with steps on how to add the following in SQL Server 2012 environments?<o:p></o:p>
  "Service Account Name" and "Display Name"<o:p></o:p>
  Your help will be greatly appreciated.<o:p></o:p>
  leonie6214

  Hello,
  Is the following article what you are looking for?
  http://msdn.microsoft.com/en-us/library/ms345578.aspx
  If not, could you explain a little bit more what you want to accomplish?
  Hope this helps.
  Regards,
  Alberto Morillo
  SQLCoffee.com

• No service user name found for Integration Server

  Hi All,
  Our XI is in production..once in a while (once in every 3 weeks) messages get fail saying: No service user name found for Integration Server. When we re-start J2EE engine, messages get processed fine. Does anyone know the reason for the above error?
  <SAP:AdditionalText>3:No service user name found for Integration Server is.00.******<S/AP:AdditionalText>
  <SAP:Stack>Error when reading the access data(URL, user, password)
  Thanks
  Indrasena

  Hi,
  did you configure your adapters like IDoc, RFC based on the SAP service user created in the SAP system ? i,e RFC destination etc..
  did you check pipeline url is correct in the SLD>Business System><Integration Server> and check the url. It should have http port.
  Also check this thread-
  sRFC-adapter  and file adapter with error: no adapter found
  Regards,
  moorthy

• Wildcards in principal names

  I need to be able to use wildcards in some principal names in the policy file.
  I tried to solve it with the equal() method in my Principal class, but it does not work. Where is the principal names (values) in the policy file compared to the names of the principals of the same type in the subject?
  I see two possible solutions, but I would prefere another solution. What do you think? These are my solutions:
  1) Let my principal class implement com.sun.security.auth.PrincipalComparator in addition to java.security.Principal.
  2) Some how solve it with the implies() method in the Permission classes. (How?)
  Pleas help!

  The comparison is done inside the sun.security.provider.PolicyFile implementation (the default implementation of java.security.Policy).
  PolicyFile calls Principal.getClass().getName() along with Principal.getName(), and then compares those values to the class name and principal name listed in the policy file. Note that these are simply String comparisons (they are not done using Principal.equals).
  That means you are left with the following choices. You can implement PrincipalComparator, as you mentioned, or you can extend and replace the PolicyFile implementation.
  Alternatively, there is one obscure feature in PolicyFile that is not well documented. It supports a minimal amount of wildcarding. Specifically:
  grant Principal com.foo.Principal * {
  grant Principal * * {
  If the principal class is wildcarded, then the principal name must also be wildcarded (this is the second example above). Unfortunately this may not give you the level of wildcarding that you desire.
  If the permissions you want to grant are all custom permissions (you have control over the implementation), then it may be possible to design them in a way to achieve what you want. Look at javax.security.auth.PrivateCredentialPermission. That permission encapsulates principals inside of its target name. You would have to design your custom permission class to have a similar syntax, and then the implies method could perform the correct logic for principal name wildcarding.
  In this particular case, since the policy file grant statement does not contain principal information (see the example in the PrivateCredentialPermission javadocs), the String comparison that I described above does not occur. Instead, Permission.implies is called, and you have control over that behavior.
  Hope that helps.

• Principal Name for Active Directory "Domain Users"

  Hi,
  I successufully integrated Weblogic & Active Directory Kerberos (SSO). I tested a web application and successifully logined it with authentication.
  The system automatically recognized my Active Directory username. It worked.
  For authentication in my weblogic.xml I used
  <security-role-assignment>
  <role-name>admin</role-name>
  <principal-name>kursat</principal-name>
  <principal-name>fenerbahce</principal-name>
  </security-role-assignment>
  Now I'm trying to allow all domain members to authenticate my application. For my application I only need the actice directory usernames for them.
  For this purpose, I removed "kursat","fenerbahce" from my weblogic.xml
  <principal-name>kursat</principal-name>
  <principal-name>fenerbahce</principal-name>
  I added
  <principal-name>Domain Users</principal-name>
  instead of writing all domain users.
  However I couldn't authenticate. I got the "Error 403--Forbidden"
  Is there anyone can help me?

  test by creating a groups under Domain Users and use it as your principal name in your weblogic.xml
  -Faisal
  http://www.weblogic-wonders.com

• LCM Migration - Instance name?  Shared services project Name ? Data source?

  Situation
  * We have hyperion 11.1.1.3.24
  * Objective - trying to perform a LCM file-migration from our DEV environment to UAT
  * DEV has only one PMA enabled Planning Application (“budget”), few FR reports & other related artifacts.
  So far
  * Successfully Exported these 4 (EPMA, Shared-services, Planning & FR) from our DEV
  * When trying to import EPMA into our UAT, noticed the status shows Failed. (Noticed Similar claims have been reported in other posts as well.)
  Another dilemma that I have it what should I enter on these Instance Name, Shared services Project name & Data source.
  * Instance Name ===> ? Not sure. how to find this?
  * Shared services project ===> Haven't created one at all. So, which one should I use OR how to find this out ?
  * Data Source ===> I guess, this would be the EPMA repository database name ?
  Although I can Migrate all the Artifacts into our UAT (as identical to our DEV), Migration status has shown as "Failed". Is this because of the fact I skipped the Destination options with blank values (for Instance, shared-services & data-source). Has anyone ever had success on this Migration step.
  OR Should I disregard this migration status, just because we can see all identical artifacts in our UAT.
  Any help would be greatly appreciated.

  If you log into EPMA and pick an application and select deploy (don't worry you don't have to deploy you can cancel it before you do so),
  it will display a popup which will have the
  Instance Name (usually default), Shared Services Project (drop down will display different application groups available), Data Source (this is the name you gave when you created the datasource for the application)
  Cheers
  John
  http://john-goodwin.blogspot.com/