[cisco-voip] KDC Event ID:11 from Unity servers

Keith Chiang kchiang at fidelus.com
Fri Feb 13 13:16:24 EST 2009


Thanks Pat.  So at this point, which SPN do I need to remove?  And other than clearing the KDC issue, would there be any other impact to the Unity server if I remove the SPN from the Unity server?



-----Original Message-----
From: Pat Hayes [mailto:pat-cv at wcyv.com]
Sent: Friday, February 13, 2009 12:09 PM
To: Keith Chiang
Cc: cisco-voip at puck.nether.net
Subject: Re: [cisco-voip] KDC Event ID:11 from Unity servers

That can happen if you initially install SQL to run as LocalSystem
(which creates the SPN on the computer object) and later change it to
run as a service account (needed if you have Unity failover). For
impact, it typically keeps you from being able to access the remote
server from Enterprise Manager (you get 'cannot generate sspi
context'), and sometimes it can cause SQL replication to fail
(assuming failover).

To clean it up, you're going to need to use the setspn tool to remove
the duplicate. Assuming SQL is running as a service account, you're
going to want to remove the one from the computer object.

On Fri, Feb 13, 2009 at 9:20 AM, Keith Chiang <kchiang at fidelus.com> wrote:
> Anyone seen this message before?
>
> There are multiple accounts with name MSSQLSvc/serverA.domain.com:1433 of
> type DS_SERVICE_PRINCIPAL_NAME.
>
> I found some info on the MS website - http://support.microsoft.com/kb/321044
>
> I have also found the duplicate SPNs in my 2 Unity servers -
>
> dn: CN=UnityInstall,CN=Users,DC=domain,DC=com
> changetype: add
> servicePrincipalName: MSSQLSvc/NYUNITY01.domain.com:1433
> servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433
>
> dn: CN=NYUNITY02,CN=Computers,DC=domain,DC=com
> changetype: add
> servicePrincipalName: CUSESSIONKEYSVR/NYUNITY02
> servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433
> servicePrincipalName: SMTPSVC/NYUNITY02
> servicePrincipalName: SMTPSVC/NYUNITY02.domain.com
> servicePrincipalName: HOST/NYUNITY02
> servicePrincipalName: HOST/NYUNITY02.domain.com
>
> Does anyone know what ramifications this error may have on the Unity servers'
> functionality?  I am not comfortable with the resolution provided by the MS
> website.  Any advice?
>
> Thanks in advance.
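An added example, not part of the thread or any poster's own tooling: a Python parser that reads an LDIF export like the one quoted above and lists every SPN registered on more than one object, which is the condition the KDC event reports. The sample input is constructed from the quoted listing, with one SPN re-cased and one line folded to exercise the parser.

```python
import base64
from collections import defaultdict

# Constructed sample from the thread's listing (one SPN re-cased, one line folded).
SAMPLE_LDIF = """\
dn: CN=UnityInstall,CN=Users,DC=domain,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/NYUNITY01.domain.com:1433
servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433

dn: CN=NYUNITY02,CN=Computers,DC=domain,DC=com
changetype: add
servicePrincipalName: mssqlsvc/NYUNITY02.domain.com:1433
servicePrincipalName: HOST/NYUNITY02.domain
 .com
"""

def unfold(text):
    """Join LDIF continuation lines (they start with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def spn_holders(text):
    """Map each SPN (lower-cased: SPN matching is case-insensitive) to its DNs."""
    holders, dn = defaultdict(list), None
    for line in unfold(text):
        attr, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator between records
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.lower(), value.strip()
        if attr == "dn":
            dn = value
        elif attr == "serviceprincipalname" and dn:
            holders[value.lower()].append(dn)
    return holders

def duplicate_spns(text):
    """SPNs present on more than one object, as the KDC event describes."""
    return {s: d for s, d in spn_holders(text).items() if len(set(d)) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, *dns, sep="\n    ")
```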