Windows 2000 Server Prompts Domain User for Credentials (305971)


The information in this article applies to:

  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Professional SP2
This article was previously published under Q305971

SYMPTOMS

When a domain user tries to connect to a Windows 2000-based server that is a member of the same domain, the user may be prompted for credentials before being granted access.

You may also receive the following event in the event log:

Event Type:Error
Event Source:KDC
Event Category:None
Event ID:11
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10

CAUSE

This behavior can be caused by a duplicate SPN (ServicePrincipalName) value in the Active Directory tree.

RESOLUTION

NOTE: Only experienced administrators should consider using the Ldp.exe and Adsiedit.msc tools that are called for in the following procedure.

To resolve this behavior, use the Ldp.exe tool to determine the location of the duplicate SPN value, and then use the Adsiedit.msc tool to remove the duplicate SPN value. Follow these steps on a Windows 2000-based domain controller:
  1. Click Start, and then click Run.
  2. Type ldp, and then click OK.
  3. Click Connection, click Connect, and then click OK. Leave the Server box blank.
  4. Click Connection, click Bind, and then click OK. Leave all fields blank.
  5. Click View, click Tree, and then click OK. Leave the BaseDN window blank.
  6. Click Browse, and then click Search.
  7. Set the BaseDN as DC=Home and DC=com, separated by a comma. For example, if the FQDN name of the domain is Mydomain.com, type DC=Mydomain,DC=com.
  8. Set the filter to the following:

    serviceprincipalname=Host/computername.home.com

    For example, if the relevant computer is named Computer1 and the domain name is Mydomain.com, type the following:

    serviceprincipalname=Host/Computer1.Mydomain.com

  9. Set Scope to Subtree, and then click Run.
  10. After you locate the duplicate SPN, you can use the Adsiedit.msc tool to go to the object, view the duplicate SPN value, and remove the duplicate SPN value.
  11. Move the server from the domain to a workgroup, delete the server's computer account from the domain, and then join the server to the domain again, using the same computer account.

MORE INFORMATION

Adsiedit.msc is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Windows 2000 Active Directory. You can use Adsiedit.msc to add, delete, and move objects within the directory services and to view, change, and delete the attributes of each object. Adsiedit.msc and Ldp.exe are included on the Windows 2000 installation CD. You can install these tools from the CD in Support\Tools\Setup.exe.

Only experienced administrators should use these tools because removing the wrong entries in either Ldp.exe or Adsiedit.msc can require reinstallation of the computer.

For additional information about installing these tools, click the article number below to view the article in the Microsoft Knowledge Base:

301423 How to Install the Windows 2000 Support Tools

Modification Type:MajorLast Reviewed:11/20/2003
Keywords:kbenv kbnetwork kbprb KB305971
©2003 Microsoft Corporation. All rights reserved.