Event ID - 11

Event Id: 11
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Description: The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is %1 (of type %2). This may result in authentication failures or downgrades to NTLM. In order to prevent this from occuring remove the duplicate entries for %1 in Active Directory.
Event Information According to Microsoft :

Cause :

This event is logged when the KDC encountered duplicate names while processing a Kerberos authentication request.

Resolution :

Remove the duplicate service principal name

Each service principal name (SPN) must be unique. Without unique principal names, the Kerberos client is not able to ensure that the server it is communicating with is the correct one. You must identify the duplicate SPN, and then remove it.

To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.

Identify the duplicate SPN

To identify the duplicate SPN:
  1. Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -X.
  5. The output of this command will show the duplicate SPNs.
  6. Use the following procedure to remove one of the duplicate SPNs.

Remove an SPN

To remove an SPN:
  1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Type setspn -D SPN computer_name, where SPN is the name of the duplicate SPN and computer_name is the name of the computer that is assigned the duplicate SPN.

Verify :

To perform this procedure, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To verify that the service principal name (SPN) was configured correctly:
  1. Log on to a domain controller.
  2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Type setspn -L computer_name, where computer_name is the name of the computer referenced in the event log message.
  5. The output of this command will show the SPN configured for this computer.
  6. If there are no duplicate entries, the SPNs are configured correctly.
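
The identify and remove steps above, as an added PowerShell example (not Microsoft's or this page's own code): it reads Event ID 11 from the System log, lists every account in the current domain that holds each reported name as an SPN, and prints the matching setspn -D command for review without running it. It assumes the event's %1 insertion string (the duplicate name) is the first event property, and the function name ConvertTo-LdapFilterValue is hypothetical.

```powershell
# Added example: read-only report; nothing is changed in Active Directory.
# Run on a domain controller from an elevated PowerShell prompt.

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that are special in an LDAP search filter (RFC 4515).
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# 1. Collect the duplicate names the KDC reported in Event ID 11.
#    Assumption: insertion string %1 (the name) is the first event property.
#    Names that are not SPNs will simply show no match in step 2.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 11
}
$names = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { [string]$_.Properties[0].Value } |
    Sort-Object -Unique

# 2. For each name, list every account in the current domain that registers it.
foreach ($spn in $names) {
    $searcher = [adsisearcher]"(servicePrincipalName=$(ConvertTo-LdapFilterValue $spn))"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')
    $holders = @($searcher.FindAll())

    if ($holders.Count -lt 2) {
        Write-Output "$spn : no duplicate found in this domain (already fixed, or held in another domain)"
        continue
    }

    Write-Output "$spn is registered on $($holders.Count) accounts:"
    foreach ($h in $holders) {
        # Computer accounts end in '$'; strip it to get the computer name.
        $account = ([string]$h.Properties['samaccountname'][0]).TrimEnd('$')
        $dn      = [string]$h.Properties['distinguishedname'][0]
        Write-Output "  $account  ($dn)"
        # 3. Print, but do not run, the removal command for review.
        Write-Output "    setspn -D `"$spn`" $account"
    }
}
```

Only one of the listed accounts should lose the SPN: keep it on the account that actually runs the service, run the printed command for the other, then confirm with setspn -L.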
Reference Links: Event ID 11 from Microsoft-Windows-Kerberos-Key-Distribution-Center
