Kerberos requires that service principal names be unique to a given resource. Occasionally administrators will see an Event 11 in the System log which states “The KDC encountered duplicate names while processing a Kerberos authentication request. The duplicate name is <insert name here>. This may result in authentication failures or downgrades to NTLM. In order to prevent this from occurring remove the duplicate entries for <insert name here yet again> in Active Directory.”
Whether it’s the “too many cooks in the kitchen” principle leading to multiple admins delegating an SPN to multiple objects, or simply the complexity of Kerberos delegation in general, it’s typical to see these types of events on your average enterprise’s domain controller. Previous versions of the setspn utility – which is used to delegate an SPN to a service principal – didn’t prevent us from shooting ourselves in the foot, allowing us to go right ahead and assign duplicate SPNs. More recent versions of the utility, which is built into the operating system, help mitigate this by performing checks when SPNs are added with the “setspn -a” command, but it’s still less than perfect. Here, then, is how to identify the duplicate SPNs in your Active Directory environment and how to get rid of them.
1.) To identify the duplicate SPN, using an account with membership in the Domain Admins group:
- Go to an elevated command prompt and type “setspn -x”
- Any duplicate SPNs will be listed. If you’re investigating the issue because of Event 11s on your domain controller, the command should dump the duplicate entry listed in the event. Here’s an example of the command finding a duplicate entry.
2.) Determine which object the SPN should actually be delegated to. This tells you which object it should be removed from.
3.) From the same command line, run “setspn -d <SPN> <object>”
Using the example from the exhibit, the command would be “setspn -d host/fscluster member” as shown below.
4.) Run “setspn -x” again to confirm the duplicate has been removed. Another option is to run “setspn -l <objectname>” on the object that should still be delegated the SPN.
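As an added example (not part of the original article, and not Microsoft’s setspn code), the PowerShell below performs the same duplicate hunt as “setspn -x” directly against LDAP, but also lists which objects hold each duplicated SPN, which is exactly what step 2 needs. It assumes a domain-joined host with read access to the directory and searches only the current domain; the function name Find-DuplicateSpn is my own.

```powershell
# Added example: enumerate every servicePrincipalName in the current domain via LDAP
# and report values held by more than one object, including the owning objects.
# Assumes a domain-joined machine and a caller that can read the directory.

function Find-DuplicateSpn {
    param(
        # LDAP search base; defaults to the current domain's default naming context.
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = [ADSISearcher]"(servicePrincipalName=*)"
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.PageSize = 1000   # page results so large domains are fully enumerated
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'servicePrincipalName'))

    # Map each SPN (lower-cased, since Kerberos name matching is case-insensitive)
    # to the list of distinguished names that carry it.
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($dn)
        }
    }

    # Emit one record per SPN that appears on two or more distinct objects.
    foreach ($entry in $owners.GetEnumerator()) {
        $distinct = @($entry.Value | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            [pscustomobject]@{
                SPN    = $entry.Key
                Count  = $distinct.Count
                Owners = $distinct -join '; '
            }
        }
    }
}

# List the duplicates; once the rightful owner is decided, remove the stray
# registration with "setspn -d <SPN> <object>" as described in step 3.
Find-DuplicateSpn | Sort-Object SPN | Format-Table -AutoSize
```

Because the output names both owners of each duplicate, you can check step 2 against the Owners column before running any removal, and rerun the function afterwards as the confirmation in step 4.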