
Kerberos warning about duplicate names MSSQLSvc/<server_name>:dlo and *:dedup

dss_thinktank
Level 4

In the Windows Server 2008 R2 system log there are the following kinds of periodic errors:

For MSSQLSvc/<server_fqdn>:dlo

   Event 3:

  • Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
  • Extended Error: 0xc0000035 KLIN(0)
  • Server Name: MSSQLSvc/<server_fqdn>:dlo
  • Target Name: MSSQLSvc/<server_fqdn>:dlo@<domain>

   Event 11:

  • The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/<server_fqdn>:dlo (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/<server_fqdn>::dlo in Active Directory.

For MSSQLSvc/<server_fqdn>:DEDUPE:

  • Similar kind of events 3 and 11 as above but with name "dedupe"

History:

I remember these started after I installed DLO 7.5 on the server where I had BE2010R3, but I am not sure if the messages are related to this action at all. Prior to doing that I removed the DLO version which was delivered with BE2010. Installation of DLO7.5 was successful. Now I have upgraded from BE2010R3 to BE2014, and the messages are still there.

I was able to locate words "DEDUPE" and "DLO" using program "ldp.exe" and search rule "(objectClass=*)" for whole domain (http://blog.sysoptools.com/2010/03/find-and-list-duplicate-upn.html).

First pair is under:

  • "Dn: CN=Administrator,CN=Users,DC=<domain_name>,DC=local"
  • . . .
  • servicePrincipalName (6):
     MSSQLSvc/<server_fqdn>:52535;
     MSSQLSvc/<server_fqdn>:BKUPEXEC;
     MSSQLSvc/<server_fqdn>:59387;
     MSSQLSvc/<server_fqdn>:DEDUPE;
     MSSQLSvc/<server_fqdn>:58585;
     MSSQLSvc/<server_fqdn>:DLO;

Second one is under:

  • "Dn: CN=<server>,OU=Domain Controllers,DC=<domain_name>,DC=local"
  • . . .
  • servicePrincipalName (28):
      MSSQLSvc/<server_fqdn>:58585;
      MSSQLSvc/<server_fqdn>:DLO;
      MSSQLSvc/<server_fqdn>:59387;
      MSSQLSvc/<server_fqdn>:DEDUPE;
      MSSQLSvc/<server_fqdn>:52535;
      {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/<server>;
      {14E52635-0A95-4a5c-BDB1-E0D0C703B6C8}/<server_fqdn>;
      ldap/<server_fqdn>/ForestDnsZones.<domain_name>.local;
      ldap/<server_fqdn>/DomainDnsZones.<domain_name>.local;
      TERMSRV/<server>; TERMSRV/<server_fqdn>;
      Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/<server_fqdn>;
      DNS/<server_fqdn>; GC/<server_fqdn>/<domain_name>.local;
      RestrictedKrbHost/<server_fqdn>;
      RestrictedKrbHost/<server>;
      HOST/<server>/<domain_name>;
      HOST/<server_fqdn>/<domain_name>;
      HOST/<server>; HOST/<server_fqdn>;
      HOST/<server_fqdn>/<domain_name>.local;
      E3514235-4B06-11D1-AB04-00C04FC2DCD2/056f2fae-9957-4a88-8556-40664dd7244c/<domain_name>.local;
      ldap/<server>/<domain_name>;
      ldap/056f2fae-9957-4a88-8556-40664dd7244c._msdcs.<domain_name>.local;
      ldap/<server_fqdn>/<domain_name>; ldap/<server>;
      ldap/<server_fqdn>;
      ldap/<server_fqdn>/<domain_name>.local;

In "Active Directory Users and Computers" I can find attribute "servicePrincipalName" in user "Administrator" and server "<server>" properties under tab "Attribute editor" (set "Filter" so that everything is displayed).

Are these two places for names DEDUPE and DLO somehow conflicting and causing the error messages.. or what is this about... what is the reason for messages 3 and 11?

Something should be removed, but what is it and how? ... What should I do to get rid of these errors?

Help is highly appreciated.

 

7 REPLIES

pkh
Moderator
   VIP    Certified
I remember that I once had duplicates like these, and it is a complicated process to remove one of the entries. You have to search the Net for the procedure and follow it to remove one of the entries.

dss_thinktank
Level 4

Based on document http://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx removal can be done like this:

  • find:       setspn -X
  • remove: setspn -D  <SPN> <computer_name>
  • verify:    setspn -L <computer_name> | <user_name>

I think that removal might also be possible using "Active Directory Users and Computers" in the "Properties" => "Attribute editor" page of user "administrator" and computer "<computer_name>".

List of DLO and DEDUPE duplicates:

C:\Users\Administrator>setspn -X
Checking domain DC=<domain_name>,DC=local
Processing entry 0
MSSQLSvc/<server_name>.<domain_name>.local:DLO is registered on these accounts:
        CN=Administrator,CN=Users,DC=<domain_name>,DC=local
        CN=<server_name>,OU=Domain Controllers,DC=<domain_name>,DC=local

MSSQLSvc/<server_name>.<domain_name>.local:58585 is registered on these accounts:
        CN=Administrator,CN=Users,DC=<domain_name>,DC=local
        CN=<server_name>,OU=Domain Controllers,DC=<domain_name>,DC=local

MSSQLSvc/<server_name>.<domain_name>.local:DEDUPE is registered on these accounts:
        CN=Administrator,CN=Users,DC=<domain_name>,DC=local
        CN=<server_name>,OU=Domain Controllers,DC=<domain_name>,DC=local

MSSQLSvc/<server_name>.<domain_name>.local:59387 is registered on these accounts:
        CN=Administrator,CN=Users,DC=<domain_name>,DC=local
        CN=<server_name>,OU=Domain Controllers,DC=<domain_name>,DC=local

MSSQLSvc/<server_name>.<domain_name>.local:52535 is registered on these accounts:
        CN=Administrator,CN=Users,DC=<domain_name>,DC=local
        CN=<server_name>,OU=Domain Controllers,DC=<domain_name>,DC=local

found 5 groups of duplicate SPNs.
C:\Users\Administrator>

Now the question still remains: because one duplicate is under Administrator and the other one under server <server_name>, which one should I remove?

pkh
Moderator
   VIP    Certified

This is the hairy part.  I can't remember which one I removed.  You got to check for entries similar to these pairs and decide which one to delete.

pkh
Moderator
   VIP    Certified

BTW, this problem can occur with any entry and is not restricted to BE and DLO.  Mine was entries from some Microsoft software.

Colin_Weaver
Moderator
Employee Accredited Certified

FYI I am not aware that Backup Exec creates any SQL instances/databases called DEDUPE. The Backup Exec deduplication database uses Postgres and not SQL

 

EDIT: however the newer versions of DLO also have a form of Deduplication and as such both databases may be from DLO and be related.

 

You should probably log a forum post in the actual DLO forum instead of the Backup Exec one (and/or log a formal support case)

 

DLO forum = https://www-secure.symantec.com/connect/backup-and-recovery/forums/desktop-laptop-option

 

 

dss_thinktank
Level 4

Command "setspn -X" should tell the location of conflicting duplicate entries. There are no more than those listed above.

dss_thinktank
Level 4

I had a support case open for this with no clear results.

Issues encountered when DLO7.5SP1 is installed on the same server with BE2014 (originally the version was BE2010R3):

  • Kerberos warnings seem to be somehow related to the "Log On As" account of SQL instances DLO + DEDUPE (and also BKUPEXEC); if this was set to anything else but "System account", it would cause duplicate SPNs and Kerberos warnings in the Windows system log
  • removing DLO completely was successful, but after that BE2014 would not start at all. I managed to get it to work by doing a "repair" install for BE2014
  • SQL services for DLO + DEDUPE were left on the server after the uninstall of DLO; these could not be removed manually from the SQL program either
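
Added example, not part of any post in this thread and not Symantec or Microsoft code: it parses `setspn -X` output of the kind quoted above and, given the account the SQL instance actually logs on as (the computer object when the service runs as the System account, otherwise that domain account), lists the `setspn -D` commands that would remove each duplicate SPN from the other holders. The host and domain names in the sample, the function names, and the assumption that each DN's leading CN is the account name `setspn` accepts are all constructed for illustration; the commands are only generated, not run.

```python
import re

# Constructed sample shaped like the `setspn -X` output in the thread (placeholder names).
SAMPLE = """\
Checking domain DC=example,DC=local
Processing entry 0
MSSQLSvc/srv1.example.local:DLO is registered on these accounts:
        CN=Administrator,CN=Users,DC=example,DC=local
        CN=SRV1,OU=Domain Controllers,DC=example,DC=local

MSSQLSvc/srv1.example.local:58585 is registered on these accounts:
        CN=Administrator,CN=Users,DC=example,DC=local
        CN=SRV1,OU=Domain Controllers,DC=example,DC=local

found 2 groups of duplicate SPNs.
"""

HEADER = re.compile(r"^(.+?) is registered on these accounts:\s*$")

def parse_setspn_x(text):
    """Return {spn: [account DN, ...]} for every duplicate group in the output."""
    groups, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(1).strip(), [])
        elif not line.strip():
            current = None                      # a blank line ends the group
        elif current is not None and line.strip().upper().startswith("CN="):
            current.append(line.strip())
    return groups

def account_name(dn):
    """Leading CN of a DN, unescaped (assumed to be the name setspn accepts)."""
    m = re.match(r"CN=((?:\\.|[^,])+)", dn, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else dn

def cleanup_plan(groups, keep_dn):
    """Keep each SPN on keep_dn; return (setspn -D commands, SPNs needing review)."""
    commands, review = [], []
    for spn, dns in groups.items():
        if keep_dn.lower() not in (d.lower() for d in dns):
            review.append(spn)                  # intended owner is not a holder: decide by hand
            continue
        for dn in dns:
            if dn.lower() != keep_dn.lower():
                commands.append('setspn -D {} "{}"'.format(spn, account_name(dn)))
    return commands, review
```

Pass the captured `setspn -X` text and the DN of the account to keep to `cleanup_plan(parse_setspn_x(text), keep_dn)`, review the generated commands, and confirm the result afterwards with `setspn -L` and a second `setspn -X`.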