DS_SERVICE_PRINCIPAL_NAME error
There are multiple accounts with name host/gt.gatortechnologies.local of type
DS_SERVICE_PRINCIPAL_NAME - I was told that I need to find the duplicate name
and delete it via ADSI. But I cannot find instructions how to do it in ADSI.
Thank you for any help on it.
Re: DS_SERVICE_PRINCIPAL_NAME error
You need to use LDAP to find it.
Have a look at the following KB:
http://support.microsoft.com/default...;EN-US;Q305971
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
Re: DS_SERVICE_PRINCIPAL_NAME error
when I search for duplicate name via ldp I get this output:
***Searching...
ldap_search_s(ld, "DC=MyDomain,DC=local", 2,
"serviceprincipalname=HOST/sr1.mydomain.local", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
>> Dn: CN=Administrator,CN=Users,DC=MyDomain,DC=local
4> objectClass: top; person; organizationalPerson; user;
1> cn: Administrator;
1> description: Built-in account for administering the computer/domain;
1> distinguishedName: CN=Administrator,CN=Users,DC=MyDomain,DC=local;
1> name: Administrator;
1> canonicalName: MyDomain.local/Users/Administrator;
>> Dn: CN=sr1,OU=Domain Controllers,DC=MyDomain,DC=local
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: sr1;
1> distinguishedName: CN=sr1,OU=Domain Controllers,DC=MyDomain,DC=local;
1> name: sr1;
1> canonicalName: MyDomain.local/Domain Controllers/sr1;
What would tell me that I have found it?
Thanx
Re: DS_SERVICE_PRINCIPAL_NAME error
Go to search options and clear the list of attributes -- this will return all
attribute values. You will see that both these objects have the SPN in
question registered on them. You'll need to clear up one of these values.
--
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
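The procedure the two replies above describe (find every object holding the SPN, then strip the value from the one that should not have it), as an added PowerShell example that is not part of the thread. It assumes the RSAT ActiveDirectory module and a reachable global catalog; the SPN and the "non-computer object is the stray one" rule are taken from the LDP output posted earlier, and the script runs with -WhatIf until that switch is removed.

```powershell
Import-Module ActiveDirectory

# SPN named in the event. For HOST/<fqdn-of-a-DC> the only legitimate holder is
# that DC's computer object; the stray copy in the thread sat on Administrator.
$spn = 'HOST/sr1.mydomain.local'

# Search the global catalog (port 3268) with an empty base so every domain in
# the forest is covered. servicePrincipalName is multi-valued and, like the
# LDAP filter, not case sensitive; an exact match is cheaper than a wildcard.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
$holders = @(Get-ADObject -Server "$($gc):3268" -SearchBase '' -SearchScope Subtree `
    -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)

$holders | Select-Object DistinguishedName, ObjectClass, servicePrincipalName | Format-List

if ($holders.Count -lt 2) {
    "$($holders.Count) object(s) hold $spn; nothing to remove."
    return
}

# Anything that is not a computer object carries the stray registration.
$stray = $holders | Where-Object { $_.ObjectClass -ne 'computer' }

foreach ($obj in $stray) {
    # The GC is read-only, so the write goes to a DC in the object's own domain.
    # Rebuild that domain's DNS name from the DC= components of the DN.
    $domain = (($obj.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=') -join '.'

    # -Remove strips just this one value from the multi-valued attribute; the
    # object's other SPNs are left alone. Drop -WhatIf to commit the change.
    Set-ADObject -Identity $obj.DistinguishedName -Server $domain `
        -Remove @{ servicePrincipalName = $spn } -WhatIf
}
```

On Windows Server 2008 and later the same search and cleanup can be done from a command prompt with `setspn -Q -F HOST/sr1.mydomain.local` (forest-wide query), `setspn -X -F` (report every duplicate in the forest) and `setspn -D HOST/sr1.mydomain.local Administrator` (delete the value from that account); the script above is the equivalent when you also want to inspect the objects before touching them.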
Re: DS_SERVICE_PRINCIPAL_NAME error
Sorry to piggyback on an old query, but I have a similar issue:
The eventlog entry on a site DC reports :
There are multiple accounts with name cifs/IMT213949 of type DS_SERVICE_PRINCIPAL_NAME.
Using LDP.exe I can only find one host using the search filter
(serviceprincipalname=*/IMT213949*)
...which has the attribute
2> servicePrincipalName: HOST/IMT213949; HOST/IMT213949.x.lhp.nhs.uk;
- no sign of a value CIFS/
Using the search filter (serviceprincipalname=cifs/*) does not yield any entries at all, across my entire forest.
ADSIedit reveals the same information about the host in question - not very helpful
Do you clever gents have any cunning ideas please ?
cheers
Nick
Re: DS_SERVICE_PRINCIPAL_NAME error
Hi,
To view the accounts that have the same SPN, use adfind from joeware like this:
adfind -default -f "(servicePrincipalName=cifs/imt213949)" -dn
After this, navigate within adsiedit to each user account you previously
found as having a duplicate SPN registration, scroll through the list of
attributes until you see servicePrincipalName and remove the duplicate SPN
registration.
--
Have a nice day!
Masterplan - MCSE,MCITP-EA
http://winmasterplan.blogspot.com
Re: DS_SERVICE_PRINCIPAL_NAME error
The first thing to know about an SPN of this type is that many Kerb SPN
service types actually map to the alias server type HOST. This basically
means that if a client attempts to get a service ticket for cifs/xxx (a file
share) and it cannot find an SPN registered called "cifs/xxxx", it can look
for an SPN called "HOST/xxxx" and if it finds a match for that, it can still
get the ticket and will request it issued for the security principal that
has that SPN registered. Windows uses this to make SPN management easier,
since there are a whole bunch of services that typically only ever run under
the machine context and can all accept Kerb; having individual SPNs for
each service type would result in serious bloat and management overhead.
That said, the first thing worth noting is that you should be able to search
via an exact match (which should make your queries much more efficient).
Thus, to find the duplicate, you should be able to:
Search using the GC (not the normal LDAP port)
Set search base to null and scope to subtree
Filter should be (|(servicePrincipalName=cifs/imt213949)(servicePrincipalName=host/imt213949))
Note that the query filter is not case sensitive as SPNs are not and in the
case of LDAP, the actual servicePrincipalName attribute is not case
sensitive either. Also note that since you already searched for a cifs/xxxx
SPN and didn't find one (which is expected since the HOST alias is used for
this by default), you don't really need the additional clause in the filter
above. It is just there for completeness.
If that query does not find two matches, then something very weird is going
on. I'm basically hoping that your query with LDP.exe for
(serviceprincipalname=*/imt213949*) failed because you forgot to search the
GC or didn't use the right search base or scope and missed something in
another domain or container. Good explanations otherwise may be hard to
come by. :)
HTH!
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: DS_SERVICE_PRINCIPAL_NAME error
MasterPlan, Joe - many thanks for your responses
Joe - cheers for the elucidation regarding aliasing cifs to Host... that clears up one thing, anyway
MasterPlan - unfortunately the delightful ADFind was no more successful, returning just 1 object.
I am aware of the benefits of sending LDAP queries to 3268, having just dealt with VoIP not looking up users on 389... but I had also tried several defined searchbases as well as null, just in case.
Wildcarding the search was also done in desperation to see if I could find more than one match.
Unfortunately, I still only ever retrieve a single object....
Given that the spn attribute has 2 Host entries, for local and domain, could that be the cause of my error ?
Since an attempt to get a service ticket for SPN "cifs/imt213949" will presumably return both "Host/imt213949" values, will the 2 generated cifs versions cause the eventlog error ?
I would be delighted to hear further from either of you
regards
Nick
Re: DS_SERVICE_PRINCIPAL_NAME error
So, did you search the global catalog (port 3268) or not? If you did not
and you have more than one domain, then you have not searched forest wide
yet. It may be the case that the duplicate is in another domain in the
forest.
The two SPNs, one with the NetBIOS name and the other with the DNS name, are
different values and do not constitute a duplicate. The client will request
the SPN based on the host name used by the client. For a file share, if you
specify \\imt213949\someshare, the SPN used by the client would be
cifs/imt213949. The KDC would match this to a client with either the
cifs/imt213949 or host/imt213949 SPN set. It would not look at the DNS based
host name unless the client attempted to access the share based on the DNS
host name.
The key with duplicates is also that they have to be on different security
principals (users or computers) for there to be a problem. The service
ticket is encrypted with a key that only the security principal matching the
SPN has so only it can decrypt it. This is why you can't have duplicate
SPNs. If the KDC doesn't know which key to use to encrypt the ticket, it
cannot issue the ticket to the client. There are also cases that occur when
one account is selected and the ticket is presented by the client to the
service but the service cannot decrypt it because it was encrypted with a
different key, so the authentication fails.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
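The two points Joe makes above (cifs/ is answered by a HOST/ registration, and only the same value on two different principals is a duplicate) as an added PowerShell check that is not part of the thread. The alias table is read from the forest's real sPNMappings attribute rather than hard-coded; the requested SPN is the one from the event, and the RSAT ActiveDirectory module and a reachable global catalog are assumed.

```powershell
Import-Module ActiveDirectory

# Return the SPN values the KDC will accept for a requested SPN: the name as
# asked for, plus <alias>/<instance> for every alias (in practice HOST) whose
# sPNMappings list contains the requested service type.
function Get-AcceptedSpns {
    param([Parameter(Mandatory)][string]$RequestedSpn)

    $serviceType, $instance = $RequestedSpn -split '/', 2
    $accepted = @($RequestedSpn)

    # The alias table lives on the Directory Service object in the configuration
    # partition, as values shaped like "host=alerter,...,cifs,...,www".
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
        -Properties sPNMappings

    foreach ($mapping in $dsObject.sPNMappings) {
        $alias, $serviceList = $mapping -split '=', 2
        # -contains is case-insensitive, which matches how SPNs are compared.
        if (($serviceList -split ',') -contains $serviceType) {
            $accepted += "$alias/$instance"
        }
    }
    return $accepted
}

# Forest-wide (global catalog, empty base) list of principals holding one
# exact SPN value.
function Get-SpnHolders {
    param([Parameter(Mandatory)][string]$Spn)
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    @(Get-ADObject -Server "$($gc):3268" -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName)
}

$requested = 'cifs/imt213949'      # SPN named in the event from the thread
$accepted  = Get-AcceptedSpns $requested
"KDC will look for: $($accepted -join ', ')"

# Only the same value on two different security principals is a duplicate.
# HOST/imt213949 and HOST/imt213949.x.lhp.nhs.uk on one computer object are
# two distinct values and are reported as one holder each.
foreach ($spn in $accepted) {
    $holders = Get-SpnHolders $spn
    "{0}: {1} holder(s)" -f $spn, $holders.Count
    if ($holders.Count -gt 1) {
        $holders | ForEach-Object { "    DUPLICATE on $($_.DistinguishedName) ($($_.ObjectClass))" }
    }
}
```

If every accepted value comes back with a single holder here, the search really has covered the whole forest, which is the point Joe raises: an adfind run with -default or an LDP search bound to port 389 only sees the domain you connected to, and a second computer or user object with the same HOST/ value in another domain would be invisible to it.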