Service Principal Name not unique

Discussion in 'Windows Small Business Server' started by Colin Strain, Jun 24, 2005.

  1. Colin Strain

    Colin Strain Guest

    Hi. We are getting two sets of occurrences of a KDC event reporting that
    "there are multiple accounts of name name/myserver.mydomain.local of type
    DS_SERVICE_PRINCIPAL_NAME". The two names are "host" and "cifs", and the
    context is "crow-road.CrowRoadConsulting.local". I believe this has occurred
    because we are trialling MS CRM on the SBS 2003 SP1 server.

    LDP reports the following for host:
    5> objectClass: top; person; organizationalPerson; user; computer;
    1> cn: CROW-ROAD;
    1> distinguishedName: CN=CROW-ROAD,OU=Domain Controllers,DC=CrowRoadConsulting,DC=local;
    1> name: CROW-ROAD;
    1> canonicalName: CrowRoadConsulting.local/Domain Controllers/CROW-ROAD;

    4> objectClass: top; person; organizationalPerson; user;
    1> cn: Microsoft CRM;
    1> description: Service account of Microsoft CRM;
    1> distinguishedName: CN=Microsoft CRM,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CrowRoadConsulting,DC=local;
    1> name: Microsoft CRM;
    1> canonicalName: CrowRoadConsulting.local/MyBusiness/Users/SBSUsers/Microsoft CRM;

    and similarly for cifs.

    Is this a problem, or not? If so, which entry should be changed, and e.g.
    to what to make them unique?

    Thank you for your suggestions.

    Colin Strain
     
    Colin Strain, Jun 24, 2005
    #1

  2. Hi Colin,


    Thanks for posting in this newsgroup.

    According to your description, I understand that you encountered the KDC error
    "there are multiple accounts of name name/myserver.mydomain.local of type
    DS_SERVICE_PRINCIPAL_NAME." when deploying CRM on SBS 2003. If I am off base,
    please let me know.

    Generally speaking, this error is caused by a duplicate SPN name in AD. The
    SPN that is reported as duplicate may be HOST/machine1.mydomain.com. This
    is because the CRM software changed the authentication settings of AD. The
    CRM will use Kerberos instead of NTLM authentication. We can use ADSI
    tools to modify the AD settings to clean up the error on Windows 2003, but
    for a normal SBS server, only the computer account of the SBS server should
    be registered. We need to delete all the duplicate entries in AD to remove it
    from all non server objectives. But this might cause CRM application
    issues. So if you cannot start the CRM after removing the accounts, you
    might have to contact the CRM team for further assistance.

    At your convenience, I would like to give you some general information on
    this issue:

    MS CRM installation guide:

    http://www.microsoft.com/technet/prodtechnol/mscrm/mscrm1/plan/01_intro.mspx

    If you have any further concerns, it is in your best interest to contact your
    local CSS; please refer to the following section for more detailed
    information:

    To obtain the phone numbers for a specific technology request, please take a
    look at the web site listed below.
    http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

    If you are outside the US please see http://support.microsoft.com for
    regional support phone numbers.

    I appreciate your understanding on this issue. If you have any further
    concerns, please do not hesitate to let me know. I am here waiting for your
    updates.

    Best regards,

    Charles Yang (MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Charles Yang [MSFT], Jun 27, 2005
    #2

  3. Colin Strain

    trichroma1 Guest

    I've found a solution that involves Kerberos authentication for the CRM
    service account. Although the article referenced is intended for the IIS
    Service account with Sharepoint, you can change the duplicate SPN to HTTP
    rather than HOST on the CRM service account. This resolved the KDC errors
    and the CRM application ran with a slight speed improvement:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832769

    Note also that we left the w3svc/NTAuthenticationProviders IIS metabase
    value at "not set". This means that only Kerberos will be used for Windows
    Authentication. NTLM should not be necessary, but there is additional
    information on enabling it here:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;215383


     
    trichroma1, Sep 23, 2005
    #3
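The duplicate check behind the KDC event in the first post, together with the HOST-to-HTTP change on the CRM service account described in this reply, as an added Python example that is not part of the thread. The account records are constructed from the LDP output above (field names mirror the AD attributes); the SPN lists on each record are an assumption, since the posts name the services but do not dump the servicePrincipalName attribute.

```python
from collections import defaultdict

# Constructed sample records modelled on the LDP output in the thread, not a
# live directory dump. The domain controller's computer account and the
# "Microsoft CRM" service account both carry HOST/ and cifs/ SPNs for the same
# server name, which is the condition the KDC event reports.
ACCOUNTS = [
    {
        "distinguishedName": "CN=CROW-ROAD,OU=Domain Controllers,DC=CrowRoadConsulting,DC=local",
        "servicePrincipalName": [
            "HOST/CROW-ROAD",
            "HOST/crow-road.CrowRoadConsulting.local",
            "cifs/crow-road.CrowRoadConsulting.local",
        ],
    },
    {
        "distinguishedName": "CN=Microsoft CRM,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=CrowRoadConsulting,DC=local",
        "servicePrincipalName": [
            "host/crow-road.CrowRoadConsulting.local",
            "cifs/crow-road.CrowRoadConsulting.local",
        ],
    },
]


def find_duplicate_spns(accounts):
    """Return {spn: [dn, ...]} for every SPN held by more than one account.

    SPN uniqueness in AD is case-insensitive, so HOST/x and host/x collide;
    keys are therefore lower-cased for comparison.
    """
    owners = defaultdict(list)
    for acct in accounts:
        for spn in acct.get("servicePrincipalName", []):
            owners[spn.lower()].append(acct["distinguishedName"])
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def reassign_service_class(account, old_class, new_class):
    """Return a copy of one account with SPNs of old_class rewritten to
    new_class (e.g. HOST -> HTTP, the change applied to the CRM account)."""
    spns = []
    for spn in account["servicePrincipalName"]:
        svc, sep, rest = spn.partition("/")
        if sep and svc.lower() == old_class.lower():
            spns.append(f"{new_class}/{rest}")
        else:
            spns.append(spn)
    return {**account, "servicePrincipalName": spns}


if __name__ == "__main__":
    print("before:", sorted(find_duplicate_spns(ACCOUNTS)))
    fixed = [ACCOUNTS[0], reassign_service_class(ACCOUNTS[1], "HOST", "HTTP")]
    print("after :", sorted(find_duplicate_spns(fixed)))
```

Re-running the check after the rename matters: the HOST collision disappears, but the cifs/ SPN on the service account is still duplicated and would still be flagged.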