Stuart Renes: The Blog
June 13

Do you know where your Service Principal Names are?

If you're running MOM 2005 or SCOM 2007 and have ever changed the service account used by the SQL back-end server, you most likely have a duplicate Service Principal Name (SPN) left behind on the old service account object: SQL Server registers MSSQLSvc/host:port on whatever account it runs as, but nothing removes it from the previous account when you switch. Domain controllers report the clash in the System event log. The event may look something like this:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 6/13/2008 1:49:57 PM
Event ID: 11
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: server.child.domain.com
Description: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is MSSQLSvc/MOMDB.child.domain.com:1433 (of type DS_SERVICE_PRINCIPAL_NAME). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for MSSQLSvc/MOMDB.child.domain.com:1433 in Active Directory.

If you see any of these events, you can use the following two AD-related tools to verify and remove the duplicate SPN: setspn and ADSIedit.
Run setspn on a DC (the Windows Server 2008 version of setspn.exe, which is the one that has the -X switch) using the following syntax:

setspn -X

This searches for and lists all duplicate SPNs in the domain. SPNs have to be unique across the whole forest, so in a multi-domain forest add -F (setspn -X -F) to query at forest level; otherwise a duplicate held by an account in another domain is missed. In the output, look for an entry like this:

MSSQLSvc/momdb.child.domain.com:1433 is registered on these accounts:
CN=newsvcacct,OU=Service Accounts,DC=child,DC=domain,DC=com
CN=oldsvcacct,OU=Service Accounts,DC=child,DC=domain,DC=com

If you see a duplicate SPN listed, first confirm which account the SQL Server service is actually running as today (the Log On As column in the Services console on the SQL box), so you remove the SPN from the stale account and not the live one. Then remove it from the older (no longer in use) SQL service account, either with ADSIedit (open the account object and edit the servicePrincipalName attribute) or with setspn itself, for example:

setspn -D MSSQLSvc/momdb.child.domain.com:1433 oldsvcacct

Re-run setspn -X afterwards to confirm the duplicate is gone. Proceed with caution here! If you're not comfortable making AD configuration changes (or don't have the required AD rights), you'll want to ask your AD administrator for assistance.
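For a domain with more than one or two SQL service accounts it helps to list every duplicate at once and to remove only from the account you name. The following PowerShell script is an added example, mine rather than code from the original post or from the MOM/SCOM product. It uses System.DirectoryServices directly (no ActiveDirectory module needed), groups every servicePrincipalName it finds by value, prints the ones held by more than one account, and, when you pass -RemoveFromAccount, strips those SPNs from that one account only, refusing to touch an SPN if the named account is its sole holder. The script name, the oldsvcacct account and the MSSQLSvc/* filter in the usage line are placeholders.

```powershell
# Find-DuplicateSpn.ps1 (hypothetical name): report SPNs registered on more than one
# account in the current domain and optionally remove them from one stale account.
# Added example, not part of the original post. Account names used with it are placeholders.
param(
    [string]$SpnFilter = "MSSQLSvc/*",   # LDAP wildcard; use "*" to check every SPN type
    [string]$RemoveFromAccount,          # sAMAccountName of the OLD account to clean (optional)
    [switch]$WhatIf                      # show what would be removed without changing AD
)

# Bind to the root of the current domain. SPNs must be unique forest-wide, so in a
# multi-domain forest point $searchRoot at the global catalog ("GC://...") or run per domain.
$rootDse    = [ADSI]"LDAP://RootDSE"
$searchRoot = [ADSI]("LDAP://" + [string]$rootDse.defaultNamingContext)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot)
$searcher.Filter   = "(servicePrincipalName=$SpnFilter)"
$searcher.PageSize = 1000                 # paged search so large domains come back whole
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

# Map each SPN to the accounts holding it. Keys are lower-cased because the KDC matches
# SPNs case-insensitively, so MSSQLSvc/MOMDB... and MSSQLSvc/momdb... are the same name.
$bySpn = @{}
foreach ($r in $searcher.FindAll()) {
    $dn  = [string]$r.Properties["distinguishedname"][0]
    $sam = [string]$r.Properties["samaccountname"][0]
    foreach ($spn in $r.Properties["serviceprincipalname"]) {
        $key = ([string]$spn).ToLowerInvariant()
        if ($key -notlike $SpnFilter) { continue }       # -like is case-insensitive
        if (-not $bySpn.ContainsKey($key)) { $bySpn[$key] = @() }
        $bySpn[$key] += New-Object PSObject -Property @{ DN = $dn; SamAccountName = $sam }
    }
}

# Report, in the same shape setspn -X uses.
$duplicates = @($bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 })
if ($duplicates.Count -eq 0) {
    Write-Host "No duplicate SPNs matching $SpnFilter found."
    return
}
foreach ($dup in $duplicates) {
    Write-Host "$($dup.Key) is registered on these accounts:"
    $dup.Value | ForEach-Object { Write-Host "    $($_.DN)" }
}

if (-not $RemoveFromAccount) { return }

# Clean-up: only the named account is modified, and only for SPNs that some OTHER account
# also holds. If the named account is the only holder, the SPN is not a stale duplicate.
foreach ($dup in $duplicates) {
    $stale = @($dup.Value | Where-Object { $_.SamAccountName -eq $RemoveFromAccount })
    $live  = @($dup.Value | Where-Object { $_.SamAccountName -ne $RemoveFromAccount })
    if ($stale.Count -eq 0 -or $live.Count -eq 0) { continue }

    foreach ($holder in $stale) {
        $entry = [ADSI]("LDAP://" + $holder.DN)
        # Remove using the exact stored casing: PropertyValueCollection.Remove is case-sensitive.
        $stored = @($entry.psbase.Properties["servicePrincipalName"]) |
                  Where-Object { ([string]$_).ToLowerInvariant() -eq $dup.Key }
        foreach ($value in $stored) {
            if ($WhatIf) {
                Write-Host "WhatIf: would remove $value from $($holder.DN)"
            } else {
                $entry.psbase.Properties["servicePrincipalName"].Remove($value)
                $entry.psbase.CommitChanges()
                Write-Host "Removed $value from $($holder.DN)"
            }
        }
    }
}
```

Run it once with -WhatIf first, e.g. .\Find-DuplicateSpn.ps1 -SpnFilter "MSSQLSvc/*" -RemoveFromAccount oldsvcacct -WhatIf, compare its list with the output of setspn -X, and only then run it without -WhatIf. Writing servicePrincipalName on another account needs the same AD rights ADSIedit would, so the same caution (and the same AD administrator) applies.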