understanding error event 2974 (SPN stuff)

  • Last Post 27 June 2018
Mat.Collins posted this 26 June 2018

Hello everybody.

As I was searching through the Event Viewer on my domain controllers, I noticed some errors with event ID 2974 which indicated a duplicate SPN in my forest. I have a forest with multiple child domains. This is the event. I know it is related to duplicate SPNs, but the problem is, I do not understand the event itself... Take a look:

------------------------------------------------------------------------------------------------------------------------------

The attribute value provided is not unique in the forest or partition. Attribute: servicePrincipalName Value=MSSQLSvc/SCCM-SRV.Contoso.com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
Value=MSSQLSvc/SCCM-SRV.Contoso.com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com
CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com Winerror: 8647

------------------------------------------------------------------------------------------------------------------------------

so here are my questions:

  • it says "MSSQLSvc/SCCM-SRV.Contoso.com" is not unique? I do not understand why it says that. My "DE" user is running different services on different servers, so why does it say it is not unique?
  • why are there 19 lines of "CN=DE,OU=Users,OU=Services,DC=Contoso,DC=com"? Does it mean there are 19 duplicates?

OK, so if you are like me and believe that the "DE" user is problematic: I went into the SPNs of that "DE" account. I have exported the 'servicePrincipalName' attribute, look below:

------------------------------------------------------------------------------------------------------------------------------

MSSQLSvc/SCOM-SRV.Contoso.com:SCOM
MSSQLSvc/SCOM-SRV.Contoso.com:49581
MSSQLSvc/SCOM-SRV.Contoso.com:49759
MSSQLSvc/SCOM-SRV.Contoso.com:SCOMDW
MSSQLSvc/SCOM-SRV.Contoso.com:SCOMACS
MSSQLSvc/SCOM-SRV.Contoso.com:49989
MSSQLSvc/DPM-SRV.Contoso.com
MSSQLSvc/DPM-SRV.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com
MSSQLSvc/SCCM-SRV.Contoso.com:1433
MSSQLSvc/SCCM-SRV.Contoso.com
MSSQLSvc/DPM-3.Contoso.com:1433
MSSQLSvc/DPM-3.Contoso.com
MSSQLSvc/DPM-1.Contoso.com:1433
MSSQLSvc/DPM-1.Contoso.com
MSSQLSvc/SharePoint.Contoso.com
MSSQLSvc/SharePoint.Contoso.com:1433
MSSQLSvc/BackUp-EXEC.Contoso.com:49840
MSSQLSvc/BackUp-EXEC.Contoso.com:BACKUPEXEC
MSSQLSvc/SCCM-2.Contoso.com
MSSQLSvc/SCCM-2.Contoso.com:1433
MSSQLSvc/BackupExec2015.Contoso.com:BACKUPEXEC
MSSQLSvc/BackupExec2015.Contoso.com:49598
MSSQLSvc/SCCM-3.Contoso.com:1433
MSSQLSvc/SCCM-3.Contoso.com
MSSQLSvc/SCOM-SRV.Contoso.com:49843
MSSQLSvc/SCOM-SRV.Contoso.com:49725
MSSQLSvc/SCOM-SRV.Contoso.com:49362
MSSQLSvc/Spotlight.Contoso.com:1433
MSSQLSvc/Spotlight.Contoso.com
MSSQLSvc/PRTG.Contoso.com:56445
MSSQLSvc/PRTG.Contoso.com:SPOTLIGHT
MSSQLSvc/SCOM-SRV.Contoso.com:53550
MSSQLSvc/DPM-SRV.Contoso.com:52166
MSSQLSvc/DPM-SRV.Contoso.com:SCDPM
MSSQLSvc/SCOM-SRV.Contoso.com:53652
MSSQLSvc/SCOM-SRV.Contoso.com:53102
MSSQLSvc/SCOM-2.Contoso.com:57092
MSSQLSvc/SCOM-2.Contoso.com:SCOM
MSSQLSvc/PRTG.Contoso.com:1433
MSSQLSvc/PRTG.Contoso.com

------------------------------------------------------------------------------------------------------------------------------

That's it. Just to mention, there is no problem in our environment, but I am not the kind of guy who simply ignores events. Even if it causes no problem, help me to understand this. That is why I am sticking to this event...

Thanks.

ken posted this 26 June 2018

Use setspn.exe with the -X / -F switches to see if this SPN is registered under another account elsewhere in your forest.
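The check ken describes, written out as an added example; this is not code from the thread or from the setspn documentation. It assumes the ActiveDirectory RSAT module, a Global Catalog reachable on TCP 3268 and an account allowed to read servicePrincipalName; the function names are mine, and the SPN from the event above is used as the sample lookup.

```powershell
# Added example (not from the thread). The one-liner ken refers to is:
#   setspn -X -F      # -X reports duplicate SPNs, -F widens the search from the domain to the forest
# The functions below do the same job against a Global Catalog and additionally return
# the distinguished names of every object that carries a colliding value.

Import-Module ActiveDirectory

function Get-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Global Catalog to query; defaults to the first GC the forest advertises
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )

    # Port 3268 turns this into a Global Catalog search, and an empty SearchBase makes the GC
    # return objects from every domain in the forest, including other domain trees.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                            -Properties servicePrincipalName `
                            -Server "${GlobalCatalog}:3268" `
                            -SearchBase '' -SearchScope Subtree

    # Index every SPN value to the DNs that carry it. Values are compared case-insensitively;
    # "MSSQLSvc/host" and "MSSQLSvc/host:1433" are distinct values and do not collide.
    $index = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object 'System.Collections.Generic.List[string]'
            }
            $index[$key].Add($obj.DistinguishedName)
        }
    }

    # Only values held by more than one object are a problem for the KDC.
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                ServicePrincipalName = $entry.Key
                Owners               = ($entry.Value | Sort-Object -Unique)
            }
        }
    }
}

# Every object in the forest holding one specific SPN, e.g. the value named in event 2974.
function Get-SpnOwner {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Server "${GlobalCatalog}:3268" -SearchBase '' -SearchScope Subtree |
        Select-Object -ExpandProperty DistinguishedName
}

Get-DuplicateSpn | Format-List
Get-SpnOwner -Spn 'MSSQLSvc/SCCM-SRV.Contoso.com'
```

For a single value, `setspn -F -Q MSSQLSvc/SCCM-SRV.Contoso.com` performs the same lookup as Get-SpnOwner; the advantage of the GC query is that it lists the owning objects for every collision in one pass, which is what you need to decide which registration to remove.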


Mat.Collins posted this 27 June 2018

Got it. Removed the duplicates, still no issues reported. But there are some questions I cannot find the answer to:

  • why can duplicate SPNs lead to problems? If Kerberos can find the PC name for the service, it can query the service name; I do not understand why it is a problem?
  • also, in many cases, users install the service themselves: simple users who have no permission to write to the 'servicePrincipalName' attribute of the computer account. Assuming there is no permission, how is 'servicePrincipalName' populated? Take 'backupexec' as an example. They installed it using simple user accounts, so how was servicePrincipalName populated on the computer account in AD when the user has no write permission?

thx

ken posted this 27 June 2018

When I connect to http://yourIntranetWebsite.yourcompany.com, I will try to get a service ticket from the KDC. The KDC needs to be able to encrypt part of that service ticket with a shared secret that only the webserver knows.


If the SPN is registered under two different accounts, which shared secret is the KDC supposed to use?

I can’t answer the second question. Perhaps it was registered under the context of the computer account itself?


kool posted this 27 June 2018

Yeah Ken, I think you are right. If the service is running as a system account (SYSTEM, NETWORK SERVICE, etc.), then the service itself would have permission to write to the computer object.

Eric

kurtbuff posted this 27 June 2018

Take a look at this article:
https://blogs.technet.microsoft.com/389thoughts/2017/02/08/why-you-can-still-have-duplicate-spns-in-ad-2012-r2-and-ad-2016/
Follow the links, too - it's very useful.
Kurt
