Article ID: 305971
When a domain user tries to connect to a Windows 2000-based server that is a member of the same domain, the user may be prompted for credentials before being granted access.
You may also receive the following event in the event log:
Description: There are multiple accounts with name host/SERVERNAME.microsoft.com of type10
This behavior can be caused by a duplicate SPN (ServicePrincipalName) value in the Active Directory tree.
NOTE: Only experienced administrators should consider using the Ldp.exe and Adsiedit.msc tools that are called for in the following procedure.
To resolve this behavior, use the Ldp.exe tool to determine the location of the duplicate SPN value, and then use the Adsiedit.msc tool to remove the duplicate SPN value. Follow these steps on a Windows 2000-based domain controller:
Adsiedit.msc is a Microsoft Management Console (MMC) snap-in that acts as a low-level editor for Windows 2000 Active Directory. You can use Adsiedit.msc to add, delete, and move objects within the directory services and to view, change, and delete the attributes of each object. Adsiedit.msc and Ldp.exe are included on the Windows 2000 installation CD. You can install these tools from the CD in Support\Tools\Setup.exe.
Only experienced administrators should use these tools because removing the wrong entries in either Ldp.exe or Adsiedit.msc can require reinstallation of the computer.
For additional information about installing these tools, click the article number below to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/301423/EN-US/ )How to Install the Windows 2000 Support Tools