
AD DS: This Service Principal Name is registered on multiple accounts

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.


Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Error

Category: Configuration

This service principal name (SPN), which is trusted for delegation, is registered on multiple service accounts.

SPNs are used to locate the service account. Duplicate SPNs cause the Key Distribution Center (KDC) to return a failure because it cannot determine which account the client is connecting to. As a result, duplicate SPNs cause Kerberos authentication failures.

Delete the SPN that is registered to the wrong account. Run the Setspn tool on your forest to ensure there are no duplicate SPNs for services.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477). For information about delegating the permissions to modify SPNs, see the “Delegating Authority to Modify SPNs” section in Setspn (http://go.microsoft.com/fwlink/?LinkID=143939).

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    setspn -D <SPN> <AccountName>


    For example, to delete the SPN MSSQLSvc/host.contoso.com:1433 from the managed service account sqlserviceaccount, type the following command, and then press ENTER:

    setspn -D MSSQLSvc/host.contoso.com:1433 sqlserviceaccount
    

To check the forest for duplicate SPNs:

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    setspn -X -F

    Note: Searching for duplicate SPNs across a forest can take a long time and a large amount of memory.
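The following PowerShell script is an added example and is not part of the original TechNet page or of the Setspn tool; it performs the same forest-wide duplicate check that setspn -X -F does, but from the ActiveDirectory module so the result can be filtered, exported, or fed into a scheduled health check. It assumes the RSAT AD DS Tools (ActiveDirectory module) are installed, that a global catalog of the forest is reachable on port 3268, and that the account running it can read servicePrincipalName on all objects (the default for authenticated users). It is read-only: removal of the SPN from the wrong account is still done with setspn -D as described above.

```powershell
# Added example (not from the TechNet page): report every SPN that is registered
# on more than one account across the forest. Read-only.
Import-Module ActiveDirectory

# Query a global catalog (port 3268) so objects from every domain in the forest
# are covered by one search. Which GC to use is an assumption; the first one
# the forest reports is taken here.
$forest = Get-ADForest
$gc     = ($forest.GlobalCatalogs | Select-Object -First 1) + ':3268'
$rootNC = (Get-ADRootDSE -Server $gc).rootDomainNamingContext

# Index SPN -> distinguished names that carry it. PowerShell hashtables are
# case-insensitive for string keys, which matches how SPNs are compared.
$spnIndex = @{}

# Computers, users, and managed service accounts can all carry SPNs, so search
# all object classes rather than only users.
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
             -SearchBase $rootNC `
             -SearchScope Subtree `
             -Server $gc `
             -Properties servicePrincipalName |
    ForEach-Object {
        $dn = $_.DistinguishedName
        foreach ($spn in $_.servicePrincipalName) {
            if (-not $spnIndex.ContainsKey($spn)) { $spnIndex[$spn] = @() }
            $spnIndex[$spn] += $dn
        }
    }

# A duplicate is any SPN whose list of owners has more than one entry.
$duplicates = $spnIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }

if (-not $duplicates) {
    Write-Output 'No duplicate SPNs found in the forest.'
} else {
    foreach ($d in $duplicates) {
        Write-Output "DUPLICATE SPN: $($d.Key)"
        $d.Value | ForEach-Object { Write-Output "    registered on: $_" }
    }
    Write-Output ''
    Write-Output 'Each SPN above will cause Kerberos failures until it is removed from'
    Write-Output 'the wrong account, for example: setspn -D <SPN> <AccountName>'
}
```

Like setspn -X -F, the script enumerates every object with an SPN, so on a large forest it takes time and memory; running it against a global catalog keeps it to a single query rather than one per domain. The output lists the distinguished name of every account holding each duplicated SPN, which is the information needed to decide which registration is the wrong one before running setspn -D.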

Setspn (http://go.microsoft.com/fwlink/?LinkID=143939)
