Command to find Duplicate SPN

By | April 17, 2015

Find Duplicate SPN: A Service Principal Name (SPN) is a concept from Kerberos. To find a particular service offered by a particular host within the domain. General Syntax of SPNs is service class/fqdn@REALM , There are also User Principal Names which identify users, in form of user@Domain

Kerberos requires that the SPN be unique and there should be a single SPN configured for a particular service with a service account on a computer object, some time we use to get the system Event 11, find the below example

“The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is <insert name here>. This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet again> in Active Directory.” more

Command to find duplicate service principal name in active directory

csvde -f  C:\Temp\spn.csv -d ” dc=domain,dc=in” -r “(ServicePrincipalName=*computer_name*)” -l “cn”

Above command will return all the object which contain servername on ServicePrincipalName attribute on domain.in Domain

Finding the Duplicate SPN in Windows 2008 is very simple, yes we have an updated SETSPN command which has a –X and -Q switch and this can be used to find the Duplicate service principal name

setspn -X

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

The Q switch is really the nice feature here.  This allows you to see if an SPN is already out on your domain.  You could also combine this with the F modifier to look through the whole forest.

C:\>setspn -q MSSQLSvc/computer_name:1433

No such SPN found.

C:\>setspn -q MSSQLSvc/computer_name.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
MSSQLSvc/mymachine.mydomain.com:1433
HOST/MYMACHINE
HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

For more info https://technet.microsoft.com/en-us/library/cc733945(v=ws.10).aspx

One thought on “Command to find Duplicate SPN

Leave a Reply

Your email address will not be published. Required fields are marked *