AD DS: This Service Principal Name is registered on multiple accounts

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Error

Category

Configuration

Issue

This service principal name (SPN) that is trusted for delegation is registered on multiple service accounts.

Impact

SPNs are used to locate the service account. Duplicate SPNs cause the Key Distribution Center (KDC) to return a failure because it cannot determine which account the client is connecting to. As a result, duplicate SPNs cause Kerberos authentication failures.

Resolution

Delete the SPN that is registered to the wrong account. Run the Setspn tool on your forest to ensure there are no duplicate SPNs for services.

Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477). For information about delegating the permissions to modify SPNs, see the “Delegating Authority to Modify SPNs” section in Setspn (https://go.microsoft.com/fwlink/?LinkID=143939).

To delete an SPN

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    setspn -D <SPN> <AccountName>

    For example, to delete the SPN MSSQLSvc/host.contoso.com:1433 from the managed service account sqlserviceaccount, type the following command, and then press ENTER:

    setspn -D MSSQLSvc/host.contoso.com:1433 sqlserviceaccount

To search a forest for duplicate SPNs

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    setspn -X -F

Note

Searching for duplicate SPNs across a forest can take a long time and a large amount of memory.
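As an added example that is not part of the original Microsoft article, the following PowerShell script performs the same forest-wide duplicate search through a global catalog (port 3268) and prints, without running, the matching setspn -D command for each registration so the administrator can decide which account is the wrong one. It assumes the RSAT ActiveDirectory module is installed, that the account can read the global catalog, and that Get-ADObject accepts an empty -SearchBase when -Server points at a GC port.

```powershell
# Added example (not from the Microsoft article): enumerate every SPN in the
# forest through a global catalog, report SPNs registered on more than one
# account, and print (but do not run) the matching "setspn -D" command.
# Assumes RSAT's ActiveDirectory module is installed and the caller can read
# the global catalog; choosing the wrong account is a human decision.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param(
        # A global catalog server; the default picks the first one in the forest.
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )

    # Port 3268 queries the global catalog, so one search covers every domain
    # in the forest (servicePrincipalName is in the partial attribute set).
    # Assumption: an empty SearchBase is accepted for a GC search.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase '' -SearchScope Subtree `
        -Server "$($GlobalCatalog):3268" `
        -Properties servicePrincipalName, sAMAccountName

    # Flatten to one row per (SPN, account) pair.
    $rows = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{
                SPN     = $spn
                Account = $obj.sAMAccountName
                DN      = $obj.DistinguishedName
            }
        }
    }

    # Group-Object compares case-insensitively, as SPN lookups are.
    $rows | Group-Object -Property SPN | Where-Object { $_.Count -gt 1 }
}

$duplicates = Find-DuplicateSpn
foreach ($group in $duplicates) {
    Write-Host "Duplicate SPN: $($group.Name)"
    foreach ($row in $group.Group) {
        Write-Host "    registered on $($row.Account)  ($($row.DN))"
        # Command to remove this registration if this is the wrong account.
        Write-Host "    to remove:    setspn -D `"$($row.SPN)`" $($row.Account)"
    }
}
if (-not $duplicates) { Write-Host 'No duplicate SPNs found.' }
```

Like setspn -X -F, a full global catalog enumeration can take a long time in a large forest; the script holds every SPN in memory while grouping.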

Additional references

Setspn (https://go.microsoft.com/fwlink/?LinkID=143939)