[cisco-voip] KDC Event ID:11 from Unity servers

Pat Hayes pat-cv at wcyv.com
Fri Feb 13 16:28:23 EST 2009


I think both of those were answered:

which SPN to remove:

> Assuming SQL is running as a service account, you're
> going to want to remove the one from the computer object.

impact:

> For impact, it typically keeps you from being able to access the remote
> server from Enterprise Manager (you get 'cannot generate sspi
> context'), and sometimes it can cause SQL replication to fail
> (assuming failover).

On Fri, Feb 13, 2009 at 1:16 PM, Keith Chiang <kchiang at fidelus.com> wrote:
> Thanks Pat.  So at this point which SPN do I need to remove?  And other than clearing the KDC issue, would there be other impact to the Unity server if I remove the SPN from the Unity server?
>
>
>
> -----Original Message-----
> From: Pat Hayes [mailto:pat-cv at wcyv.com]
> Sent: Friday, February 13, 2009 12:09 PM
> To: Keith Chiang
> Cc: cisco-voip at puck.nether.net
> Subject: Re: [cisco-voip] KDC Event ID:11 from Unity servers
>
> That can happen if you initially install SQL to run as LocalSystem
> (which creates the SPN on the computer object) and later change it to
> run as a service account (needed if you have Unity failover). For
> impact, it typically keeps you from being able to access the remote
> server from Enterprise Manager (you get 'cannot generate sspi
> context'), and sometimes it can cause SQL replication to fail
> (assuming failover).
>
> To clean it up, you're going to need to use the setspn tool to remove
> the duplicate. Assuming SQL is running as a service account, you're
> going to want to remove the one from the computer object.
>
> On Fri, Feb 13, 2009 at 9:20 AM, Keith Chiang <kchiang at fidelus.com> wrote:
>> Anyone seen this message before?
>>
>> There are multiple accounts with name MSSQLSvc/serverA.domain.com:1433 of
>> type DS_SERVICE_PRINCIPAL_NAME.
>>
>> I found some info on the MS website - http://support.microsoft.com/kb/321044
>>
>> I have also found the duplicate SPNs in my 2 Unity servers -
>>
>> dn: CN=UnityInstall,CN=Users,DC=domain,DC=com
>> changetype: add
>> servicePrincipalName: MSSQLSvc/NYUNITY01.domain.com:1433
>> servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433
>>
>> dn: CN=NYUNITY02,CN=Computers,DC=domain,DC=com
>> changetype: add
>> servicePrincipalName: CUSESSIONKEYSVR/NYUNITY02
>> servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433
>> servicePrincipalName: SMTPSVC/NYUNITY02
>> servicePrincipalName: SMTPSVC/NYUNITY02.domain.com
>> servicePrincipalName: HOST/NYUNITY02
>> servicePrincipalName: HOST/NYUNITY02.domain.com
>>
>> Does anyone know what ramifications this error may have for Unity server
>> functionality?  I am not comfortable with the resolution provided by the MS
>> website.  Any advice?
>>
>> Thanks in advance.
>>
>>
>>
>>
>>
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>>
>
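
The duplicate that triggers KDC Event ID 11 can be found mechanically in an LDIF export like the one quoted in this thread. The following is an added example, not code from any poster: it assumes SPNs are compared case-insensitively, and the sample input is constructed from the thread's listing (abridged); the function names are hypothetical.

```python
import base64
from collections import defaultdict

# Constructed sample: the two records quoted in the thread, abridged.
SAMPLE_LDIF = """\
dn: CN=UnityInstall,CN=Users,DC=domain,DC=com
servicePrincipalName: MSSQLSvc/NYUNITY01.domain.com:1433
servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433

dn: CN=NYUNITY02,CN=Computers,DC=domain,DC=com
servicePrincipalName: CUSESSIONKEYSVR/NYUNITY02
servicePrincipalName: MSSQLSvc/NYUNITY02.domain.com:1433
servicePrincipalName: HOST/NYUNITY02.domain.com
"""

def unfold(text):
    """Join LDIF continuation lines (a line starting with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    """Split 'name: value' or 'name:: base64value'; (None, None) otherwise."""
    name, sep, rest = line.partition(":")
    if not sep or line.startswith("#"):
        return None, None
    if rest.startswith(":"):  # base64-encoded value
        rest = base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name.strip().lower(), rest.strip()

def duplicate_spns(ldif_text):
    """Return {spn: [dn, ...]} for every SPN held by more than one object."""
    holders, dn = defaultdict(set), None
    for line in unfold(ldif_text):
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
        elif name == "serviceprincipalname" and dn:
            holders[value.lower()].add(dn)  # assumption: case-insensitive match
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(dns))
```

On the sample it reports the MSSQLSvc SPN for NYUNITY02 on both the UnityInstall account and the NYUNITY02 computer object, which is the pair the thread discusses.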

