There are multiple accounts with name %1 of type %2.

Details
Product: Windows Operating System
Event ID: 11
Source: KDC
Version: 5.2
Symbolic Name: KDCEVENT_NAME_NOT_UNIQUE
Message: There are multiple accounts with name %1 of type %2.
   
Explanation

Kerberos could not authenticate a principal name because the name was not configured correctly.

Possible causes include:

  • Client names are duplicated.
  • The service principal name (SPN) is duplicated.
   
User Action

To restore Kerberos authentication, remove the duplicate principal name. To find the duplicate, use either the Ldifde command or the LDP tool.

Using the Ldifde command, you can extract accounts for the domain, the suspected container, or the organizational unit (OU), and then find the incorrectly configured principal name within the accounts.

To use the Ldifde utility to extract accounts

  1. On the domain controller, do one or both of the following:
    • For computer accounts, at the command prompt, type ldifde -f filename -d BaseDistinguishedName -r (objectclass=computer) -p subtree
    • For user accounts, at the command prompt, type ldifde -f filename -d BaseDistinguishedName -r (objectclass=user) -p subtree
  2. If the accounts that seem to have the duplicate SPNs are located in an OU, for example, Florida, refine the base distinguished name. For example, at the command prompt, type -d ou=sales,dc=tailspintoys,dc=com
  3. Open the text file in Notepad, and then search for the SPN that is reported in the security event log.
  4. Note the accounts under which the SPN is located.
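
Steps 3 and 4 can be scripted rather than searched by hand. The following Python is an added example, not part of the original article or a Microsoft tool; the names unfold and find_duplicates and the sample export are constructed for illustration. It reads the text of an Ldifde export and lists every servicePrincipalName value that sits on more than one account.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like an ldifde export; every name is invented.
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=sales,DC=tailspintoys,DC=com
changetype: add
servicePrincipalName: HOST/web01.tailspintoys.com
servicePrincipalName: HTTP/portal.tailspintoys.com

dn: CN=svc-portal,OU=sales,DC=tailspintoys,DC=com
changetype: add
servicePrincipalName: http/PORTAL.tailspintoys
 .com
"""


def unfold(text):
    """Join LDIF continuation lines (one leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def find_duplicates(ldif_text, attribute="servicePrincipalName"):
    """Map each value of `attribute` held by more than one account to its DNs."""
    owners = defaultdict(dict)  # lowercased value -> {lowercased DN: DN as written}
    dn = None
    for line in unfold(ldif_text):
        name, sep, value = line.partition(":")
        if not line.strip() or line.startswith("#") or not sep:
            dn = None if not line.strip() else dn  # a blank line ends the entry
            continue
        if value.startswith(":"):  # "attr:: ..." carries a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif dn and name.lower() == attribute.lower():
            # Compared case-insensitively; keying on the DN means an account that
            # appears in both the computer and the user export is counted once.
            owners[value.lower()][dn.lower()] = dn
    return {v: sorted(d.values()) for v, d in owners.items() if len(d) > 1}


if __name__ == "__main__":
    for spn, accounts in find_duplicates(SAMPLE_LDIF).items():
        print(spn, "->", "; ".join(accounts))
```

Pass the contents of the exported file as ldif_text. The attribute parameter can be pointed at another name attribute when the duplicate is a client name rather than an SPN.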

To use the LDP tool, install it from the Support\Tools folder on your Windows Server 2003 CD-ROM. For more information about running the LDP tool, see article 23064 in the Microsoft Knowledge Base.
