After a migration to an SBS 2011 server I got the following event error message:
Event ID: 11, Source: Kerberos-Key-Distribution-Center
The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is RPCSS/Pc.domain.local (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for RPCSS/Pc.domain.local in Active Directory.
This will occur when two or more computer accounts have the same service principal name registered.
Run the following command from a command prompt:
ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=HOST/pc.domain.local*)" -p subtree
Replace pc.domain.local with the name given in the event log.
The outcome will give you two or more entries like this:
dn: CN=PC1,OU=SBSComputers,OU=Computers,OU=MyBusiness,DC= domain,DC=local
As you can see, both (or all) entries will have the same service principal name.
In my case the additional computers with the wrong service principal name no longer existed except in Active Directory Users and Computers, so I could just delete those computer accounts.
If the computers still exist, you can remove the affected computers from your domain and rejoin them, or use ADSI Edit to change the service principal name to the right value.
Additional information can be found here: KB 321044