Event ID 11 — Service Principal Name Configuration

Applies To: Windows Server 2008

Service principal names (SPNs) are stored as a property of the associated account object in Active Directory Domain Services (AD DS). An SPN is used by Kerberos to uniquely identify an account that is requesting access to a resource.

Event Details

Product: Windows Operating System
ID: 11
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Version: 6.0
Symbolic Name: KDCEVENT_NAME_NOT_UNIQUE
Message: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is %1 (of type %2). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for %1 in Active Directory.

Resolve

Remove the duplicate service principal name

Each service principal name (SPN) must be unique. Without unique principal names, the Kerberos client is not able to ensure that the server it is communicating with is the correct one. You must identify the duplicate SPN, and then remove it.

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

Identify the duplicate SPN

To identify the duplicate SPN:

  1. Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -X.
  5. The output of this command will show the duplicate SPNs.
  6. Use the following procedure to remove one of the duplicate SPNs.

Remove an SPN

To remove an SPN:

  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Type setspn -D <SPN> <computer_name>, where SPN is the duplicate SPN and computer_name is the name of the computer (or other account) that is assigned the duplicate SPN.
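The two procedures above (identify, then remove) can be reviewed in one pass across the whole domain with an LDAP search over the servicePrincipalName attribute. The following PowerShell script is an added example and is not part of the original article or of setspn.exe; it assumes it is run on a domain-joined Windows host by a user allowed to read AD DS, it only reports duplicates, and it prints the corresponding setspn -D command for each holder so that the removal remains a deliberate administrator decision.

```powershell
# Added example: report every servicePrincipalName value held by more than one
# account in the current domain. Read-only; nothing is deleted.
# Assumption: run on a domain-joined host as a user that can read AD DS.

$rootDse    = [ADSI]"LDAP://RootDSE"
$domainDn   = $rootDse.defaultNamingContext
$searcher   = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
$searcher.Filter     = "(servicePrincipalName=*)"   # any object that holds at least one SPN
$searcher.PageSize   = 1000                         # page so large domains are fully enumerated
$searcher.PropertiesToLoad.AddRange(@("servicePrincipalName", "distinguishedName", "sAMAccountName")) | Out-Null

# Map each SPN to the accounts holding it. Values are compared case-insensitively here,
# so HOST/srv01 and host/SRV01 are treated as the same name.
$holders = @{}
foreach ($result in $searcher.FindAll()) {
    $dn  = [string]$result.Properties["distinguishedname"][0]
    $sam = [string]$result.Properties["samaccountname"][0]
    foreach ($spn in $result.Properties["serviceprincipalname"]) {
        $key = ([string]$spn).ToLowerInvariant()
        if (-not $holders.ContainsKey($key)) {
            $holders[$key] = New-Object System.Collections.Generic.List[object]
        }
        $holders[$key].Add([pscustomobject]@{ DistinguishedName = $dn; SamAccountName = $sam })
    }
}

$duplicates = @($holders.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
if ($duplicates.Count -eq 0) {
    Write-Output "No duplicate SPNs found in $domainDn."
    return
}

foreach ($entry in $duplicates) {
    Write-Output "Duplicate SPN: $($entry.Key)"
    foreach ($holder in $entry.Value) {
        Write-Output "    held by: $($holder.DistinguishedName)"
        # The command from the Remove procedure for this holder; run it only for the
        # account that should NOT own the name (computer accounts end with '$').
        Write-Output "    to remove here: setspn -D $($entry.Key) $($holder.SamAccountName.TrimEnd('$'))"
    }
}
```

Running this on a domain controller after the removal step gives the same check as the Verify procedure, but for every account rather than a single computer.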

Verify

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

To verify that the service principal name (SPN) was configured correctly:

  1. Log on to a domain controller.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -L <computer_name>, where computer_name is the name of the computer referenced in the event log message.
  5. The output of this command will show the SPN configured for this computer.
  6. If there are no duplicate entries, the SPNs are configured correctly.
