I was just talking with Craig about a Kerberos problem he's having, and one of the possibilities that came up was that he might have a duplicate service principal name (SPN) registered for a web server. I hacked up a little app to help him find out whether he has any duplicate SPNs registered; you might also find it useful.
Here's what an entry in the listing will normally look like. The SPN is listed first, followed by the user account onto which it maps. I sort the output by SPN to make it a bit more readable:
PayrollSystem/MAIN --> CN=BtsUser,CN=Users,DC=nwm,DC=local
When you have a duplicate SPN, I'll call it out. This example shows the PayrollSystem/MAIN SPN mapped onto two different domain accounts, which means anyone who tries to authenticate to that service using Kerb will fail: the KDC can't tell which account's key it should use to encrypt the service ticket.
PayrollSystem/MAIN --> CN=BtsUser,CN=Users,DC=nwm,DC=local
PayrollSystem/MAIN --DUPLICATE--> CN=Alice Wu,CN=Employees,DC=nwm,DC=local
To fix this, you'd run the following command to remove the erroneous SPN mapping to Alice:
setspn -D PayrollSystem/MAIN NWM\Alice
I'm having trouble posting the code directly to the blog, but you can get it here.
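Since the download itself isn't reproduced on this page, here is an added PowerShell script (not Keith's app) that does the same job: pull every servicePrincipalName from the domain with an LDAP search, sort the listing by SPN, and mark any SPN that maps onto more than one account with the --DUPLICATE--> tag used above. The function names and the sample data are my own; the sample mirrors the post's listing and lets the detection logic run without a domain.

```powershell
# Added example, not the original post's tool. Get-SpnMappings needs a
# domain-joined machine; Find-DuplicateSpn works on any list of SPN/account
# pairs, so the constructed sample at the bottom runs offline.

function Get-SpnMappings {
    # LDAP search for every object that carries at least one SPN.
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # page the results so large domains don't truncate
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        # servicePrincipalName is multi-valued: one output row per SPN.
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            [pscustomobject]@{ Spn = [string]$spn; Account = $dn }
        }
    }
}

function Find-DuplicateSpn {
    param([Parameter(Mandatory)][object[]]$Mappings)
    # Remember the first account seen for each SPN; any later, different
    # account for the same SPN is a duplicate. Compared case-insensitively,
    # so HTTP/web and http/WEB count as the same SPN.
    $seen = @{}
    foreach ($m in ($Mappings | Sort-Object Spn, Account)) {
        $key = $m.Spn.ToLowerInvariant()
        if ($seen.ContainsKey($key) -and $seen[$key] -ne $m.Account) {
            '{0} --DUPLICATE--> {1}' -f $m.Spn, $m.Account
        } else {
            '{0} --> {1}' -f $m.Spn, $m.Account
            $seen[$key] = $m.Account
        }
    }
}

# Constructed sample data (not from a real domain) in the shape Get-SpnMappings emits.
$sample = @(
    [pscustomobject]@{ Spn = 'HTTP/payroll.nwm.local'; Account = 'CN=BtsUser,CN=Users,DC=nwm,DC=local' }
    [pscustomobject]@{ Spn = 'PayrollSystem/MAIN';     Account = 'CN=Alice Wu,CN=Employees,DC=nwm,DC=local' }
    [pscustomobject]@{ Spn = 'PayrollSystem/MAIN';     Account = 'CN=BtsUser,CN=Users,DC=nwm,DC=local' }
)
Find-DuplicateSpn -Mappings $sample
# Against the live domain instead: Find-DuplicateSpn -Mappings (Get-SpnMappings)
```

Whichever account sorts first for a given SPN is treated as the existing mapping and every other account is tagged, so the tag tells you the SPN is ambiguous, not which mapping is the wrong one; that decision still needs the setspn -D step described above.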
Posted Oct 12 2005, 05:55 PM by keith-brown