
KDC error 11 : SPN problem


François Miermont

Feb 23, 2005, 10:17:09 AM
Hi,

I've just successfully installed MSCRM 1.2 in my domain. I have two servers,
both with Windows 2003:
-the first is the DC, with Exchange 2003, and CRM Router (name: anderson)
-the second is a dedicated server for the CRM: it just has SQL Server 2000
and CRM 1.2 installed. SQL Server is just for the CRM (name: dozer).

All the specific services for CRM, on both servers, are launched with a
dedicated domain user: CRMUser. This user has no specific rights.
The installation is successful: my CRM works fine. The local URL to
access the CRM is http://mscrm. Just open IE, type the URL, and
the CRM will launch, without having to give my password (my user is registered
in the CRM).

But now, I have a KDC error, Event ID 11, logged on my DC:
There are multiple accounts with name host/dozer.mydomain.com of type
DS_SERVICE_PRINCIPAL_NAME. After some research, I found that this problem
occurs when several objects use the same SPN (in this case, the SPN is
host/dozer.mydomain.com).

Using ldp.exe, I found two objects with this SPN:
-the CRM server, dozer
-the user account CRMUser.

I tried to remove the SPN on both:
-when I removed it on the CRM Server, CRM crashed, and the computer was unable to
log in to the domain.
-when I removed it on CRMUser, the KDC error stopped. The CRM server reports no
problem.

But in this case, I'm unable to launch the CRM on my local computer. When I
try to access http://mscrm, it prompts for a user/password. Even if I give the
correct user/password, it doesn't work (access denied).

Any help would be welcome!

PS: sorry for my poor English ;)

François Miermont

Feb 23, 2005, 12:29:03 PM
Finally I found the solution here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;871179

Seems to work fine!

FriendOfCRM

Feb 24, 2005, 5:16:58 AM
Hi!
I would be so grateful if you could please specify in more detail
exactly how you solved this problem, since I seem to be in the exact
same situation.
Which duplicate of the SPN did you remove? The one on the user account?
And did you follow the instructions in the MS link you provided right
after this?
Could you also please specify which commands you gave setspn.exe?
No troubles experienced afterwards?
I'm trying to solve this problem in our production environment, and of
course don't want to mess up the application or the Admin account used
with CRM...

Regards /J

François Miermont

Feb 24, 2005, 5:59:02 AM
Ok, here is a more detailed solution:

First of all, you have to remove the duplicate SPN (in my case, it's
host/dozer.mydomain.com => the FQDN of your CRM Server).
To find which object has this SPN, you should use ldp.exe on your DC
(anderson in my case):
Start/Run ldp.exe

Then click Connection, and Connect...
Leave the Server empty, check that the port is 389 and clear the checkboxes.
Click Ok.
Click Connection again, and Bind...
Leave all the fields empty, and click Ok.
You should see "Authenticated as dn:'NULL'."

Now, click Browse, and Search...
Base DN: DC=mydomain,DC=com (you should replace this with your domain name)
Filter: (servicePrincipalName=host/dozer.mydomain.com) (with the '(' and
')', and replace dozer.mydomain.com with the FQDN of your CRM Server).

Scope: select Subtree

Click Options: in the Attributes field, add "servicePrincipalName;" at the
end (without the "").
Click Ok.
Click Ok again in the Search window.

You should get a result like this (supposing that CRMUser is in the
default users' OU, Users, and Dozer is in the default computers' OU,
Computers):
Getting 2 entries :
>> Dn: CN=CRMUser,CN=Users,DC=mydomain,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: CRMUser;
1> distinguishedName: CN=CRMUser,CN=Users,DC=mydomain,DC=com;
1> name: CRMUser;
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
1> canonicalName: domain.com/Users/CRMUser;
>> Dn: CN=DOZER,CN=Computers,DC=mydomain,DC=com
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: DOZER
1> distinguishedName: CN=DOZER,CN=Computers,DC=mydomain,DC=com;
1> name: DOZER;
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
1> canonicalName: domain.com/Computers/Dozer;
------

The first Dn corresponds to the user that you use to launch the CRM services.
The second Dn corresponds to your CRM Server.

Now, you have to remove the SPN host/dozer.mydomain.com from your CRM User
(not from the CRM Server; if you do that, the server will not be able to log in
to the domain).

To do that, you have to have the setspn utility on your DC (if you don't
have it, you can install it from your Windows 2003 CD: in the directory
SUPPORT/TOOLS, you have SUPTOOLS.msi).
Now, open a command prompt, and execute this command:
setspn -D host/dozer.mydomain.com CRMUser


Okay, now the KDC error should stop.

Another problem then appears: you are not able to log in to your CRM
website (IE gives you a 401.1 error).

See http://support.microsoft.com/default.aspx?scid=kb;en-us;871179 if you
want a detailed explanation.

If, AND ONLY IF, your CRM Server just hosts the CRM website, you have to add 2
SPNs to your CRM User. If not, see the Workaround section.

The 2 SPNs are: http/dozer and http/dozer.mydomain.com

To add them, just do
setspn -a http/dozer CRMUser
and
setspn -a http/dozer.mydomain.com CRMUser

Now, you should be able to log in again to your CRM website.

Hope this is helpful :)
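The three steps above (find every directory object that carries the same SPN, delete it from the service account rather than the computer account, then register the http/ SPNs on the service account) can be checked mechanically. The script below is an added example and is not code from the post or from Microsoft; it parses an ldp.exe listing in the layout shown above (the sample text is constructed to match it), reports every SPN held by more than one object, and prints the setspn commands it would run without executing anything. It goes slightly beyond the post in that it flags every duplicated SPN in the listing, not only host/dozer.mydomain.com, and compares SPNs case-insensitively because the KDC does. It assumes the cn of the service account equals its sAMAccountName, which setspn expects; the names dozer and CRMUser come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: an ldp.exe search result in the layout the post shows,
# with two objects both carrying host/dozer.mydomain.com (the Event ID 11 case).
LDP_OUTPUT = """\
Getting 2 entries:
>> Dn: CN=CRMUser,CN=Users,DC=mydomain,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: CRMUser;
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
>> Dn: CN=DOZER,CN=Computers,DC=mydomain,DC=com
5> objectClass: top; person; organizationalPerson; user; computer;
1> cn: DOZER
2> servicePrincipalName: host/dozer.mydomain.com; HOST/DOZER;
------
"""

DN_LINE = re.compile(r"^>> Dn: (.+)$")
ATTR_LINE = re.compile(r"^\d+> (\w+): (.*)$")


def parse_ldp(text):
    """Parse ldp.exe output into {dn: {attribute: [values]}}.
    Multi-valued attributes are ';'-separated; a trailing ';' may be absent."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = DN_LINE.match(line)
        if m:
            current = m.group(1).strip()
            entries[current] = defaultdict(list)
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            attr, raw = m.group(1), m.group(2)
            entries[current][attr].extend(v.strip() for v in raw.split(";") if v.strip())
    return entries


def spn_owners(entries):
    """Map each SPN to the set of DNs holding it. SPNs are lower-cased because
    the KDC matches them case-insensitively, so host/dozer and HOST/DOZER collide."""
    owners = defaultdict(set)
    for dn, attrs in entries.items():
        for spn in attrs.get("servicePrincipalName", []):
            owners[spn.lower()].add(dn)
    return owners


def duplicate_spns(entries):
    """Return {spn: [dn, ...]} for every SPN registered on more than one object."""
    return {spn: sorted(dns) for spn, dns in spn_owners(entries).items() if len(dns) > 1}


def is_computer(attrs):
    return "computer" in (c.lower() for c in attrs.get("objectClass", []))


def plan_fix(entries, web_host, web_fqdn):
    """Build the setspn commands from the post: delete each duplicated SPN from the
    non-computer (service) account, never from the computer object, then add the
    http/ SPNs for the web server to that service account. Assumes cn == sAMAccountName."""
    commands = []
    service_accounts = set()
    for spn, dns in duplicate_spns(entries).items():
        for dn in dns:
            if not is_computer(entries[dn]):
                sam = entries[dn]["cn"][0]
                commands.append(f"setspn -D {spn} {sam}")
                service_accounts.add(sam)
    for sam in sorted(service_accounts):
        commands.append(f"setspn -A http/{web_host} {sam}")
        commands.append(f"setspn -A http/{web_fqdn} {sam}")
    return commands


if __name__ == "__main__":
    parsed = parse_ldp(LDP_OUTPUT)
    for spn, dns in duplicate_spns(parsed).items():
        print(f"duplicate SPN {spn} held by: {', '.join(dns)}")
    print("\n".join(plan_fix(parsed, "dozer", "dozer.mydomain.com")))
```

The commands are only printed so that the operator can review them; adding http/ SPNs to the service account is correct only in the single-website case the post describes, which the script cannot detect from the directory listing alone.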

François Miermont

Feb 28, 2005, 5:37:01 AM
I think it would be great if you could post whether this solution helped you ;)

Dave Healey

Mar 6, 2005, 4:51:03 PM
Hi François,

Just wanted to let you know that this solution worked perfectly for me.
Thanks for sharing it.

Regards,
Dave
