SPN Issue

    Question

  • I'm getting an error on a server of mine. I've looked at the following web page but I'm stuck on what I should do.

    http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

    Anyway,

    I have a new SCCM 2012 server and I get the following error every 5 minutes.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          9/30/2013 2:36:28 PM
    Event ID:      3
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      BNCSCCM.na.int-bn.com
    Description:
    The description for Event ID 3 from source Microsoft-Windows-Security-Kerberos cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    18:36:29.0000 9/30/2013 Z
    0x7
     KDC_ERR_S_PRINCIPAL_UNKNOWN
    0xc0000035 KLIN(0)
    NA.INT-BN.COM
    MSSQLSvc/bncsql02.na.int-bn.com:1433
    MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM

    If I run a setspn -L on the sql server (bncsql02) I see the record listed.

    No other server connecting to the sql server is getting this error. I'm not sure what setspn command I should do next?

    setspn -R bncsql02

    setspn -S bncsql02

    setspn -S bncsccm

    I hate to just run commands like this blindly as I'm sure bad things could happen.

    Any help would be appreciated.

    Thanks

    RS

    Monday, September 30, 2013 7:36 PM

All replies

  • Hi,

    What account do the SQL Server services run under?  Is it a domain account, or local machine account?  You can check via SSCM, or services.msc.

    If the account is a domain account, run: setspn -L mydomain\account

    You should see something like:

    MSSQLSvc/bncsql02.na.int-bn.com:1433

    MSSQLSvc/bncsql02.na.int-bn.com (if it's a named instance, which I suspect it's not, it'd be \instancename on the end of this).

    If you use the same account on multiple SQL Servers you'll have multiple SPNs listed.

    If the account is a local machine account, run: setspn -L computername

    If that error is showing the spn names correctly, the second one doesn't look right.  I would delete it using setspn -D MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM.  The true SPN name will come from the setspn -L command.

    Once you've deleted the incorrect SPN(s), recreate it with:

    setspn -S MSSQLSvc/bncsql02.na.int-bn.com:1433

    setspn -S MSSQLSvc/bncsql02.na.int-bn.com

    Or, if the account the services are running under has enough permissions in AD, you could restart the SQL Server services and the account will auto-register the SPN.


    Thanks, Andrew


    Monday, September 30, 2013 8:02 PM
  • The sql services are running under local system accounts on bncsql02.

    The -L command shows:

    MSSQLSvc/bncsql02.na.int-bn.com:1433

    MSSQLSvc/bncsql02.na.int-bn.com

    So yes the error is showing a different entry. So to delete and recreate... Where or what server am I doing this from? The SCCM server that's throwing the error? I ask because if this info is in AD why is this server the only sql client server throwing the error? Is this also kept locally on a sql client and somehow that entry on my SCCM server became corrupt?

    Thanks

    R

    Tuesday, October 01, 2013 12:36 PM
    You can delete the SPNs from any computer that has the setspn utility, as long as you have enough permissions in Active Directory to update SPNs (read/write ServicePrincipalNames is required).

    The SPNs are registered against the computer account 'bncsql02'.  Presumably other SPNs are registered against other machine/domain accounts, that's why they're not erroring.

    The SPNs look okay based on the information you've provided... However, I've sat staring at SPNs before and thought they were okay, deleted and recreated them, and it's fixed whatever was wrong.

    You could try running a remote query against bncsql02, like:

    select auth_scheme, * from sys.dm_exec_connections where session_id = @@spid

    What does the auth_scheme column say?

    If you check the SQL Server error log from when SQL Server was restarted, you should see a message about whether SQL Server was able to register the SPNs or not.  Did it succeed after last restart?  It should have under local system account.

    You could delete the SPNs and manually recreate them, or like I said previously, recycle SQL Server services via SSCM, and let SQL Server register them for you.


    Thanks, Andrew
    My Blog... (http://sqlsrvr.com/)

    Tuesday, October 01, 2013 1:06 PM
    I tried running this command from the SCCM server (BNCSCCM). This is the server I'm receiving the error on.

    >setspn -D MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM

    And received the following: Missing parameter: accountname.

    Thanks

    R

    Tuesday, October 01, 2013 1:44 PM
    You have to put the user/computer on the end of that, so:

    setspn -D MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM bncsql02.na.int-bn.com


    Thanks, Andrew
    My blog...

    Tuesday, October 01, 2013 1:51 PM
    If the format would be user/computer, what user do I enter if it's registered as local system on SQL?

    setspn -D MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM <<user>>/bncsql02.na.int-bn.com

    I tried running as you sent to me but I got another error stating:

    FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
    Unable to locate account bncsql02.na.int-bn.com

    Tuesday, October 01, 2013 2:03 PM
    An SPN is registered against a user or computer.  You also de-register it from that user or computer.

    It should be:

    setspn -D MSSQLSvc/bncsql02.na.int-bn.com computer

    e.g.

    setspn -D MSSQLSvc/bncsql02.na.int-bn.com bncsql02

    You de-register it from what it was originally registered against.  If the SPN's coming up when you do setspn -L bncsql02, then you use bncsql02.


    Thanks, Andrew
    My blog...

    Tuesday, October 01, 2013 2:08 PM
  • C:\Users\spott>setspn -L bncsql02
    Registered ServicePrincipalNames for CN=BNCSQL02,OU=Servers,DC=na,DC=int-bn,DC=com:
            MSSQLSvc/BNCSQL02.na.int-bn.com:1433
            MSSQLSvc/BNCSQL02.na.int-bn.com
            WSMAN/BNCSQL02.na.int-bn.com
            WSMAN/BNCSQL02
            TERMSRV/BNCSQL02.na.int-bn.com
            TERMSRV/BNCSQL02
            RestrictedKrbHost/BNCSQL02
            HOST/BNCSQL02
            RestrictedKrbHost/BNCSQL02.na.int-bn.com
            HOST/BNCSQL02.na.int-bn.com

    I ran the following:

    setspn -D MSSQLSvc/BNCSQL02.na.int-bn.com bncsql02

    setspn -D MSSQLSvc/bncsql02.na.int-bn.com:1422 bncsql02

    At that point the two were gone from the list:

            WSMAN/BNCSQL02.na.int-bn.com
            WSMAN/BNCSQL02
            TERMSRV/BNCSQL02.na.int-bn.com
            TERMSRV/BNCSQL02
            RestrictedKrbHost/BNCSQL02
            HOST/BNCSQL02
            RestrictedKrbHost/BNCSQL02.na.int-bn.com
            HOST/BNCSQL02.na.int-bn.com

    So I ran

    setspn -S MSSQLSvc/bncsql02.na.int-bn.com bncsql02

    worked.

    but, when I ran

    setspn -S MSSQLSvc/bncsql02.na.int-bn.com:1433 bncsql02

    I received an error that a duplicate existed.

    C:\Users\spott>setspn -S MSSQLSvc/bncsql02.na.int-bn.com:1433 bncsql02
    Checking domain DC=na,DC=int-bn,DC=com
    CN=SCCMAdmin,CN=Users,DC=na,DC=int-bn,DC=com
            MSSQLSvc/bncsql02.na.int-bn.com:1433

    Duplicate SPN found, aborting operation!

    and then -L shows

            MSSQLSvc/BNCSQL02.na.int-bn.com
            WSMAN/BNCSQL02.na.int-bn.com
            WSMAN/BNCSQL02
            TERMSRV/BNCSQL02.na.int-bn.com
            TERMSRV/BNCSQL02
            RestrictedKrbHost/BNCSQL02
            HOST/BNCSQL02
            RestrictedKrbHost/BNCSQL02.na.int-bn.com
            HOST/BNCSQL02.na.int-bn.com

    While the error has gone away I cannot connect to site database...

    Friday, October 11, 2013 8:25 PM
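The "Duplicate SPN found" result above is the real finding in this thread: the same MSSQLSvc SPN is held by the computer account and by the SCCMAdmin user, and SPN comparison is case-insensitive, so BNCSQL02 and bncsql02 collide. The following is an added example, not code from the thread or from Microsoft: it parses constructed `setspn -L` listings in the format shown above and reports SPNs held by more than one account, plus entries carrying an `@REALM` suffix, which is how the event log prints a principal rather than how an SPN is stored.

```python
import re
from collections import defaultdict

# Constructed sample: concatenated output of `setspn -L` for two accounts,
# modelled on the listings in the thread (not captured from a real domain).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=BNCSQL02,OU=Servers,DC=na,DC=int-bn,DC=com:
        MSSQLSvc/BNCSQL02.na.int-bn.com:1433
        MSSQLSvc/BNCSQL02.na.int-bn.com
        HOST/BNCSQL02
        HOST/BNCSQL02.na.int-bn.com
Registered ServicePrincipalNames for CN=SCCMAdmin,CN=Users,DC=na,DC=int-bn,DC=com:
        MSSQLSvc/bncsql02.na.int-bn.com:1433
        MSSQLSvc/bncsql02.na.int-bn.com:1433@NA.INT-BN.COM
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn(text):
    """Map each account DN to the list of SPNs registered on it."""
    spns = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = m.group("dn")
            continue
        spn = line.strip()
        if spn and current is not None:
            spns[current].append(spn)
    return dict(spns)


def find_duplicates(spns):
    """Return {spn_lowercased: [dn, ...]} for every SPN that is registered
    on more than one account. Case is folded because the KDC treats
    MSSQLSvc/BNCSQL02... and MSSQLSvc/bncsql02... as the same principal."""
    holders = defaultdict(set)
    for dn, names in spns.items():
        for name in names:
            holders[name.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


def find_malformed(spns):
    """SPNs with an '@REALM' suffix were registered from the event-log
    form of the name, not from a `setspn -L` listing; flag them."""
    return sorted(n for names in spns.values() for n in names if "@" in n)
```

Run it over the real `setspn -L` output of every account that might hold the service's SPN (here the computer account and the SCCMAdmin user); each duplicate it reports must be removed from all but the account the service actually runs as.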
    Your second delete spn command says port 1422.  Is that a typo, or did you actually run that command?

    Thanks, Andrew
    My blog...

    Friday, October 11, 2013 9:21 PM
  • Typo...

    Here's the current error in event log.

    Log Name:      System
    Source:        Microsoft-Windows-Security-Kerberos
    Date:          10/14/2013 7:39:30 AM
    Event ID:      4
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      BNCSCCM.na.int-bn.com
    Description:
    The description for Event ID 4 from source Microsoft-Windows-Security-Kerberos cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

    If the event originated on another computer, the display information had to be saved with the event.

    The following information was included with the event:

    bncsql02$
    NA.INT-BN.COM
    MSSQLSvc/bncsql02.na.int-bn.com:1433
    NA.INT-BN.COM

    Monday, October 14, 2013 1:06 PM
  • A duplicate server? Nope.
    Monday, October 14, 2013 2:50 PM