Event ID 11 - Kerberos Could Not Authenticate a Principal Name Because the Name Was Not Configured Correctly
Applies to:
Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, Windows 7
Details
Product: Windows Operating System
Event ID: 11
Source: KDC
Version: 5.2
Symbolic Name: KDCEVENT_NAME_NOT_UNIQUE
Message: There are multiple accounts with name %1 of type %2.
Explanation
Kerberos could not authenticate a principal name because the name was not configured correctly.
Possible causes include:
- Client names are duplicated.
- The service principal name (SPN) is duplicated.
User Action
To restore Kerberos authentication, remove the duplicate principal name. To find the duplicate, use either the Ldifde command or the LDP tool.
Using the Ldifde command, you can extract accounts for the domain, the suspected container, or the organizational unit (OU), and then find the incorrectly configured principal name within the accounts.
To use the Ldifde utility to extract accounts
- On the domain controller, do one or both of the following:
  - For computer accounts, at the command prompt, type:
      ldifde -f filename -d BaseDistinguishedName -r (objectclass=computer) -p subtree
  - For user accounts, at the command prompt, type:
      ldifde -f filename -d BaseDistinguishedName -r (objectclass=user) -p subtree
If the accounts that seem to have the duplicate SPNs are located in an OU, for example, Florida, refine the base distinguished name. For example, at the command prompt, type -d ou=sales,dc=tailspintoys,dc=com
Open the text file in Notepad, and then search for the SPN that is reported in the security event log. Note the accounts under which the SPN is located.
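As an added example (not part of the original article), the following Python sketch automates the search described in the step above: it reads text in the format Ldifde writes and lists every servicePrincipalName that appears under more than one account. The sample export, the account names, and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like ldifde output (not from a real domain).
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=sales,DC=tailspintoys,DC=com
changetype: add
servicePrincipalName: HOST/web01.tailspintoys.com
servicePrincipalName: HTTP/portal.tailspintoys.com

dn: CN=svc-portal,OU=sales,DC=tailspintoys,DC=com
changetype: add
servicePrincipalName: http/portal.tails
 pintoys.com

dn: CN=APP02,OU=sales,DC=tailspintoys,DC=com
changetype: add
servicePrincipalName: HOST/app02.tailspintoys.com
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_attr(line):
    """Return (lowercased name, value); 'name:: ...' values are base64."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.lower(), base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name.lower(), rest.strip()

def find_duplicate_spns(text):
    """Map each SPN held by more than one account to the DNs holding it."""
    holders, dn = defaultdict(set), None
    for line in unfold(text):
        name, value = parse_attr(line)
        if name == "dn":
            dn = value
        elif name == "serviceprincipalname" and dn:
            holders[value.lower()].add(dn)  # compare SPNs case-insensitively
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}

if __name__ == "__main__":
    print(find_duplicate_spns(SAMPLE_LDIF))
```

To check a real export, pass the contents of the Ldifde output file to find_duplicate_spns. Exporting computer and user accounts into one file, or concatenating the two files, lets the check catch an SPN that is registered on both a computer and a user account.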
To use the LDP tool, install it from the Support\Tools folder on your Windows Server 2003 CD-ROM. For more information about running the LDP tool, see article KB 23064 in the Microsoft Knowledge Base.