Error Event ID 11 The KDC encountered duplicate names while processing a Kerberos authentication request.
I've been noticing the error with Event ID 11 popping up a lot on our domain controllers:
The KDC encountered duplicate names while processing a Kerberos authentication request.
When running setspn -X it says that it found 111 groups of duplicate SPNs. However, when going through the list, it references domain service accounts that are used to run our SQL Server services. We have about 50 remote locations and each of them has 3 machines participating in a SQL mirror (principal, mirror, witness) and they all run the SQL Server service on the same account (1 account per location).
We haven't experienced any issues at all but I was wondering if this could cause problems or if we are straying from best practice. Any advice is welcome. Thanks!
I believe what you should do to follow best practice is to provide unique SPNs for each SQL server, which will also provide increased security, and to do that you must create an individual service account for each SQL server so it can associate that account with that server's SPN.
Here's more on it to help guide you. Read Paul's comments, as well as other suggestions in the following thread:
event ID 11 There are multiple accounts with name MSSQLSvc/xxxxxx
http://social.technet.microsoft.com/Forums/windowsserver/en-US/8df35316-23ba-48ba-aa3e-2249fcbfecbc/event-id-11-there-are-multiple-accounts-with-name-mssqlsvcxxxxxx?forum=winserverDS
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Similar Messages
-
Hi,
We have a SharePoint farm, and on the domain controller server this error is in Event Viewer:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 9/15/2014 10:44:15 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: XXXAPP01.xxxportal.com
Description:
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is HTTP/XXXWFE01.xxxportal.com (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
this from occuring remove the duplicate entries for HTTP/XXXWFE01.xxxportal.com in Active Directory.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
<EventID Qualifiers="49152">11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-09-15T19:44:15.000000000Z" />
<EventRecordID>131824</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>XXXAPP01.xxxportal.com</Computer>
<Security />
</System>
<EventData>
<Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
<Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
<Binary>
</Binary>
</EventData>
</Event>
adil
Hi adil,
Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). I noticed that you have used setspn -X to identify the duplicate SPN. Please refer to the following articles and check whether they help you solve this issue.
Event ID 11 — Service Principal Name Configuration
Event ID 11 in the System log of domain controllers
Please also refer to the following article and check whether it can help you.
The problem with duplicate SPNs
Please note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
If there is any update, please feel free to let me know.
Hope this helps.
Best regards,
Justin Gu -
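An added example, not part of any post on this page: one way to triage exported Event ID 11 records offline is to pull the duplicate name out of the event XML and look up which accounts register it. The inventory format (account DN mapped to its servicePrincipalName values) and the account names are assumptions constructed for illustration; SPNs are compared case-insensitively.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KDC_PROVIDER = "Microsoft-Windows-Kerberos-Key-Distribution-Center"

# Constructed sample: a trimmed copy of the Event XML layout quoted in the post above.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" EventSourceName="KDC" />
    <EventID Qualifiers="49152">11</EventID>
    <Computer>XXXAPP01.xxxportal.com</Computer>
  </System>
  <EventData>
    <Data Name="Name">HTTP/XXXWFE01.xxxportal.com</Data>
    <Data Name="Type">DS_SERVICE_PRINCIPAL_NAME</Data>
  </EventData>
</Event>"""

# Constructed inventory with hypothetical account names: account DN -> servicePrincipalName values.
SAMPLE_INVENTORY = {
    "CN=XXXWFE01,OU=Servers,DC=xxxportal,DC=com": [
        "HOST/XXXWFE01.xxxportal.com",
        "HTTP/xxxwfe01.xxxportal.com",  # same SPN as below, different case
    ],
    "CN=svc-sp-pool,OU=Service Accounts,DC=xxxportal,DC=com": [
        "HTTP/XXXWFE01.xxxportal.com",
    ],
    "CN=svc-sql,OU=Service Accounts,DC=xxxportal,DC=com": [
        "MSSQLSvc/sql01.xxxportal.com:1433",
    ],
}


def duplicate_name_from_event(event_xml):
    """Return the SPN named by a KDC Event ID 11 record, or None for any other record."""
    root = ET.fromstring(event_xml)
    provider = root.find("e:System/e:Provider", NS)
    event_id = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    if provider is None or provider.get("Name") != KDC_PROVIDER or event_id.strip() != "11":
        return None
    data = {d.get("Name"): (d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)}
    if data.get("Type") != "DS_SERVICE_PRINCIPAL_NAME":
        return None
    return data.get("Name") or None


def spn_holders(inventory):
    """Index every SPN (case-folded) to the set of accounts that register it."""
    index = defaultdict(set)
    for account, spns in inventory.items():
        for spn in spns:
            index[spn.casefold()].add(account)
    return index


def duplicate_spns(inventory):
    """All SPNs registered on more than one account, whether or not an event named them."""
    return {spn: sorted(accts) for spn, accts in spn_holders(inventory).items() if len(accts) > 1}


def accounts_for_event(event_xml, inventory):
    """Accounts holding the SPN that the event reports as duplicated."""
    spn = duplicate_name_from_event(event_xml)
    if spn is None:
        return []
    return sorted(spn_holders(inventory).get(spn.casefold(), ()))


if __name__ == "__main__":
    print(duplicate_name_from_event(SAMPLE_EVENT))
    for account in accounts_for_event(SAMPLE_EVENT, SAMPLE_INVENTORY):
        print("  registered on:", account)
```
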
KDC encountered duplicate names while processing a Kerberos authentication request
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/HKHVS01 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent
this from occuring remove the duplicate entries for RPCSS/HKHCS01 in Active Directory.
- What does the error mean?
- Why does it happen?
- How do I fix it?
Thanks
This is an SPN problem. Having duplicate SPNs will result in Kerberos failures and a downgrade to NTLM authentication. Please run setspn -x to get the list of duplicated SPNs. Once identified, you need to remove the duplicated ones.
You can also see that:
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-2.aspx
http://blogs.technet.com/b/askds/archive/2008/06/09/kerberos-authentication-problems-service-principal-name-spn-issues-part-3.aspx
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
I am getting the event (below) every day on a new 2008 domain controller that I brought up recently. The DC has a domain controller certificate that was automatically issued by an online enterprise CA. This CA is located in another domain (child domain) within the same forest. The 2008 DC is in the top-level domain. None of the other domain controllers, which are 2003, are reporting this message. I ran certutil.exe, and it successfully verifies all domain controller certificates, including the certificate on my new 2008 DC. Any ideas why these messages continue to appear?
The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
Hi,
I have checked the file. Here are my findings:
1. The computer names of the domain controllers are different in this dcinfo.txt file. There is no Swampoak. I would like to confirm which one is the Windows Server 2008 domain controller.
2. The domain controller Buckeye and Madrone both have 2 KDC certificates, one is expired and the other one is valid:
*** Testing DC[0]: MADRONE
** KDC Certificates for DC MADRONE
Certificate 0: --> Valid
Serial Number: 116bbdd90000000000b6
Issuer: ***
NotBefore: 12/15/2008 2:28 AM
NotAfter: 12/15/2009 2:28 AM
Subject: CN=madrone.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Certificate 1: --> Expired
Serial Number: 15c2f00b000000000028
Issuer: ****
NotBefore: 3/9/2007 3:05 PM
NotAfter: 3/8/2008 3:05 PM
Subject: EMPTY (DNS Name=madrone.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
*** Testing DC[1]: BUCKEYE
** KDC Certificates for DC BUCKEYE
Certificate 0: --> Expired
Serial Number: 15c4ddc2000000000029
Issuer: *****
NotBefore: 3/9/2007 3:07 PM
NotAfter: 3/8/2008 3:07 PM
Subject: EMPTY (DNS Name=buckeye.****)
Non-root Certificate
Template: DomainControllerAuthentication, Domain Controller Authentication
Certificate 1: --> Valid
Serial Number: 115f34ec0000000000b4
Issuer: ****
NotBefore: 12/15/2008 2:15 AM
NotAfter: 12/15/2009 2:15 AM
Subject: CN=buckeye.****
Certificate Template Name (Certificate Type): DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Suggestion:
1. Please delete the expired certificate and then reboot the domain controller and test the issue again.
2. If the issue persists, please request a new Domain Controller Authentication certificate on the domain controller and check the result. -
How to set the status of an Workitem, while processing?
Hi,
My requirement is to set/change the workitem status after/while processing if a certain condition is not met for all the users. I have one workitem assigned to multiple users. If any one of the users executes the workitem, it displays a zprogram, but the user has not taken any action (SAVE); he simply came out of the transaction using the "BACK" button. Here the workitem has vanished/disappeared from the other two users' inboxes, and the workitem is in "In Process" status for the user who executed the workitem. But my requirement is to set the workitem to be in "READY" status for all the users to whom the workitem is assigned; until the user "SAVE"s the transaction I need the workitems to be in "READY" status only.
Please suggest your ideas to get the above results.
Note: I have used the function modules "SAP_WAPI_SET_WORKITEM_STATUS (or) SWW_WI_ADMIN_READY" to change the status of the workitem while processing; it's throwing an error "Work item & locked by user & (enqueue error)".
Thanks in advance,
Ajay Kumar
Thanks Florin,
Your piece of code has worked a lot, and it was very helpful in changing the status of the workitem to "READY" for all the users of the workitem.
Points have been rewarded for your help.
Process: We have achieved this using the "Work Item Exits", using the "AFTER_EXECUTION" method.
Note: The exit will be executed if the "exit_cancelled" statement is present/used in the work item method. If not, it is not taking to the exit code. I'm unable to find the reason for it. Florin, can you please explain this point?
Please check the link for adding the code in Work Item Exits.
http://wiki.sdn.sap.com/wiki/display/ABAP/ProgramExitsIn+Workflow
Please find the Code:
method IF_SWF_IFS_WORKITEM_EXIT~EVENT_RAISED.
  " Get the context of the workitem
  me->wi_context = im_workitem_context.
  " After execution of the workitem call the method AFTER_EXECUTION
  if im_event_name eq swrco_event_after_execution.
    me->after_execution( ).
  endif.
endmethod.
METHOD AFTER_EXECUTION.
  " This method acts as the Event Handler for SWRCO_EVENT_AFTER_EXECUTION
  DATA: LCL_L_WID    TYPE SWW_WIID,
        L_STATUS     TYPE SWR_WISTAT-STATUS,
        L_NEW_STATUS TYPE SWR_WISTAT,
        L_SWR_MESSAG TYPE STANDARD TABLE OF SWR_MESSAG,
        L_SWR_MSTRUC TYPE STANDARD TABLE OF SWR_MSTRUC.
  " Get work item
  CALL METHOD WI_CONTEXT->GET_WORKITEM_ID
    RECEIVING
      RE_WORKITEM = LCL_L_WID.
  L_STATUS = 'READY'.
  " Set the work item back to READY
  CALL FUNCTION 'SAP_WAPI_SET_WORKITEM_STATUS'
    EXPORTING
      WORKITEM_ID    = LCL_L_WID
      STATUS         = L_STATUS
      USER           = SY-UNAME
      LANGUAGE       = SY-LANGU
      DO_COMMIT      = 'X'
    IMPORTING
      NEW_STATUS     = L_NEW_STATUS
      RETURN_CODE    = SY-SUBRC
    TABLES
      MESSAGE_LINES  = L_SWR_MESSAG
      MESSAGE_STRUCT = L_SWR_MSTRUC.
  IF SY-SUBRC EQ 0.
  ENDIF.
ENDMETHOD.
Thank You Once Again,
Ajay Kumar Chippa -
Event ID 11 - Encountered Duplicate Names
Hi,
I am getting the error below on my DC. A number of these errors with many PCs.
- Why does this error occur?
- How can I fix it?
Thanks
Hi,
Please follow the link below to find the duplicate SPN and remove it to see if the issue persists:
Event ID 11 — Service Principal Name Configuration
If the above is not helpful, please feel free to let me know.
Best regards,
Susie -
MBAM Error Event ID 2 The Remote Endpoint Was Unreachable ErrorCode 0x803d0010
Cannot get a machine to talk to the mbam server.
Machine is encrypted but not reporting to Mbam Server.
Error log:
TimeCreated [SystemTime]: 2014-12-12T07:43:37.411949200Z
EventRecordID: 297
Correlation
Execution [ProcessID]: 168
Execution [ThreadID]: 2444
Channel: Microsoft-Windows-MBAM/Admin
Computer: ABGGBLD02025.bsg.LOCAL
Security [UserID]: S-1-5-18
EventData
VolumeId: \\?\Volume{763467f2-2e1e-11e4-ba03-1458d0b73bcb}\
ErrorCode: 0x803d0010
ErrorString: The remote endpoint was not reachable.
Machine Details:
OS Name Microsoft Windows 7 Enterprise
Version 6.1.7601 Service Pack 1 Build 7601
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name ABGGBLD02025
System Manufacturer Hewlett-Packard
System Model HP EliteBook Folio 9470m
System Type X86-based PC
Processor Intel(R) Core(TM) i5-3427U CPU @ 1.80GHz, 2301 Mhz, 2 Core(s), 4 Logical Processor(s)
BIOS Version/Date Hewlett-Packard 68IBD Ver. F.48, 13/01/2014
SMBIOS Version 2.7
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume2
Locale United States
Hardware Abstraction Layer Version = "6.1.7601.17514"
User Name BSG\CRackham
Time Zone GMT Standard Time
Installed Physical Memory (RAM) Not Available
Total Physical Memory 2.88 GB
Available Physical Memory 1.43 GB
Total Virtual Memory 5.77 GB
Available Virtual Memory 4.36 GB
Page File Space 2.88 GB
Page File C:\pagefile.sys
Troubleshooting Steps:
1: Removed out of OU and back in again to re-apply GPO
2: BIOS already latest version
Any help or information greatly appreciated
What is it not able to talk to? Hardware and recovery or status recovery endpoint? Is this the only machine giving problems, or are there other machines giving you trouble as well?
Are you able to browse the URL from this bad machine? Do this: go to HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement
There will be two URLs, one to escrow the recovery password and the other for client reporting. Make sure you are able to browse to the URLs from IE; you should see something like "meta data publishing is disabled".
If it works, then you will need to check the logs from the helpdesk website.
Mayank Sharma Support Engineer at Microsoft working in Enterprise Platform Support. -
We are using .asmx services for SharePoint features such as comments, and rating.
Service: http://<<hostname>>/_vti_bin/socialdataservice.asmx
Feature used: Commenting, Rating
Service: http://<<hostname>>/_vti_bin/UserProfileService.asmx
Feature used: For out of box workflows
In SharePoint 2013,
SharePoint – 80 web application is on claims based mode and user is logging in with windows authentication. With logged-in client context used to call SharePoint's default web service, we are getting below error message from web service (Social data and user profile services).
Server was unable to process request. ---> The corresponding SID in the domain is not part of the intended account type.
When the service is accessed using console application with Visual Studio credentials (logged in user), we are able to access the service. Below is the code snippet
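// CredentialCache comes from System.Net; SocialDataService is the generated web service proxy.
using (SocialDataService service = new SocialDataService())
{
    // Call the service as the currently logged-in Windows user
    service.Credentials = CredentialCache.DefaultCredentials;
    SocialCommentDetail detail = service.AddComment("<<url>>", "Test Comment", null, null);
}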
Are SharePoint 2013 web services not supporting request coming with claim based authentication web application?
Thanks, Pratik Agrawal (MAQ Software)
While this applies to 2010, I believe the same is true with 2013:
http://social.technet.microsoft.com/Forums/sharepoint/en-US/925e5f46-317f-46d3-bc55-c67f07eb2372/call-sharepoint-web-services-using-claimbased-authentication?forum=sharepointgeneralprevious
Trevor Seward
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
How to tune the query for duplicate records while joining the two tables
Hi, I am executing a query which retrieves from multiple tables, one of which has duplicate records. How do I get a single record?
Not enough info...subject says "tune" the query, message says "write" the query...and where is actual query that you had tried ?
-
What do you do when you down load a $32 dollar audio book and part 2 goes missing during the processing stage and i cant find it anywhere?
If it's not in the Music app on your phone, and you can't find it via the phone's spotlight search screen, then try the 'report a problem' page to contact iTunes Support : http://reportaproblem.apple.com
If the 'report a problem' link doesn't work then you can try contacting iTunes Support via this page : http://www.apple.com/support/itunes/contact/ - click on Contact iTunes Store Support on the right-hand side of the page, then Purchases, Billing & Redemption -
Error While processing the COBRA qualified Life event
Hi All,
We have setup the Termination Life event as a COBRA qualifying life event.
Also setup the a new monthly payroll as the default payroll and set the benefit assignment to Yes at BG level.
I created an employee on 18 aug 2010 , processed new hire life event and enrolled that employee into the COBRA plan named "Be well Medical Plan".
Then When I terminated the employee as on 18oct2010, While Processing The Termination life event, I am getting an Error saying “When determining pay periods, a payroll Id is required. This error has occurred in the following package : ben_distribute_rates.get_periods_between. "
When I searched for this error in metalink ,it says it does not have a payroll id ,but when I check on 19oct2010 using the People->Total Comp Participation->Person Benefits Assignment window, he has got the default payroll attached to his benefits assignment.
Could you please help me to resolve this issue?
Your help is greatly appreciated.
Thank you,
Anuradha
Hi Anuradha,
This error comes in many scenarios and there are bug fixes also for them. Please check on all patches available for your apps patchset level having the file benelmen.pkb. You may find a fix for it. (This was a common issue some time back with suspended/terminated assignments.) Also, I suggest logging an SR with Oracle ASAP if your terminated assignment and also the benefits assignment have the correct payrolls attached.
Regards,
Vinayaka -
The system encountered error before Itunes could be configured
Hi, i can't seem to get Itunes 8 to run. Each time after the installer is launched, it has an error message that says "The system encountered error before Itunes could be configured. Your systems has not been modified. To try this application at a later time, please run the installer again."
I am using windows vista home premium and a iTouch
I am running out of ideas
Thanks for your help!
Me too, except now I can't delete all the programs from my computer to reinstall. Not happy.
-
How to: subscribe for the viewer's Error event
I am running a third party report tool and am trying to understand how to comply with their request. My report works fine in all export modes with the exception of export to word at which time it throws a "Index was outside the bounds of the array"
error. This does not occur in any other export mode (i.e., Excel, RTF, TIFF, yada, yada.)
The request from the vendor is " subscribe for the viewer's Error event and the report's Error event to get the exception."
I run Win8.1 and would like to create a subscription to the View Event log to trap the occurrence of this error. I have tried to locate some documentation online as to how I can accomplish this.
Where can I find this information as well as an example?
Tom Mann MCSD C#
They seem to be suggesting that the control will raise an error event which you can subscribe to.
myViewer.Error += SomeHandler;
and presumably
private void SomeHandler(object sender, EventArgs a)
{
    // Do some error handling.
}
If there turns out to be no actual error event then...
Can you put a try catch block round the code that does the export?
I'm guessing maybe not and it's an internal thing in the viewer.
Plan C , let's see now.
Try to find a way to override that button click on the viewer.
Hope that helps.
-
We are receiving the following error Event ID 11903
The Microsoft Operations Manager Expression Filter Module could not convert
the received value to the requested type.
Property Expression: 529;644
Property Value: 529;644
Conversion Type: DataItemElementTypeUnsignedInteger(6)
Original Error: 0x80FF005A
One or more workflows were affected by this.
Workflow name: MomUIGeneratedRule125158e6dd2149fbb8ab76e647986b1c
Instance name: XXXXXX
Instance ID: {40D48D2D-5A62-BC78-2D39-8A15985F5AE2}
Management group: XXXXXX
Any help greatly appreciated
Hi Graham,
I am having the same kind of issue in my environment. This event gets logged into all my server logs, but I am unable to find which rule is creating this error. Is there a query to find the rule name from any of the below?
Property Expression: ^(1069)$
Property Value: ^(1069)$
Conversion Type: DataItemElementTypeUnsignedInteger(6)
Original Error: 0x80FF005A
One or more workflows were affected by this.
Workflow name: MomUIGeneratedRule125158e6dd2149fbb8ab76e647986b1c
Instance name: XXXXXX
Instance ID: {40D48D2D-5A62-BC78-2D39-8A15985F5AE2}
Management group: XXXXXX
Jesty -
Executables throw a Windows error when you close the application
I have this problem on several of my LabVIEW executables. I can open and run the program with no errors. But when I close the program by any method, I get a pop-up error in Windows, stating:
"Application Name" has encountered a problem and needs to close. We are sorry for the inconvenience.
I get the option to send the info to Microsoft. Another error pops up Stating the following:
WinsockAsyncSelectWindow: Application name.exe - application error
The instruction at "0x7c90e470" referenced memory at "0x03182a2c". The memory could not be "read". Click on CANCEL to debug the program.
This is really annoying... Anyone know why this error is popping up?
Hi Jason,
Could you please provide us with some more information regarding your executable?
What version of LV are you using?
How are you stopping the executable (stop button? abort button?) You should always use a stop button, not the abort button (the stop sign looking glyph on the toolbar) to ensure that all of your references have been properly closed.
Do you see this performance when running the executable on the development machine?
Do you get the warning every time, or only some of the time?
What all are you doing in the executable? I'd be curious to know if it was something particular to your code or the environment. One way to test this is to build a "dummy" executable--just one that does something as simple as count iterations, and see if you get the message or not.
Please provide a little more information and we'll do our best to help.
Cheers,
Marti C
Applications Engineer
National Instruments
NI Medical