Share via

Duplicate SPN in the Domain.

Cobion 111 Reputation points
2022-03-18T06:18:58.51+00:00

Hello everyone!
Tell me, can it happen that this delegation will allow you to create a duplicate SPN?
AD is large enough and roughly speaking, one object in AD can be linked to several SPNs, and how would it not happen that when delegating and creating SPN, whatever other service in AD will stop working?

Or write a script on Posh that will check the identity of the SPN?
Link to a related question:delegation-of-authority-to-create-an-spn.html

Thanks!

Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
Windows for business | Windows Server | User experience | Other
Windows for business | Windows Server | Devices and deployment | Configure application groups

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2022-03-18T10:38:39.88+00:00

    Hi,

    Tell me, can it happen that this delegation will allow you to create a duplicate SPN?

    Yes, it's possible when the admin don't use the command setspn -S to add a SPN . Setspn -A or add spn by editing AD attribute can generate a duplicate SPN.
    The only way to prevent duplicate SPN when you generate new one is to use setspn -s

    AD is large enough and roughly speaking, one object in AD can be linked to several SPNs, and how would it not happen that when delegating and ****creating SPN, whatever other service in AD will stop working?

    if you need to delete duplicate SPN , you should removing SPN on the wrong computer or service account to restore the service.
    the command setspn -X -F will help you to identify duplicate SPN. Setspn -F -Q host/servernam will help you to identify on with object the SPN has been added in the forest.

    Type Setpspn /? you will find all option provided by this command to manage SPN.

    *Please don't forget to mark helpful reply as answer

    1 person found this answer helpful.
  2. Gary Reynolds 9,621 Reputation points
    2022-03-18T07:19:02.94+00:00

    Hi @Cobion

    In the context of an SPN you can only have one SPN entry per forest, i.e. host/server1 can only exist on one object. The setSPN command has logic to check if an entry exists before it's added. If you do try to bypass setSPN and set the SPN directly on an object using a AD editing tool, such as ADSIEdit, LDP, etc this will also fail as the DS service also prevents multiple entries being created.

    The linked post is talking about changing the permissions and who can change the SPN value, this doesn't change the underlying logic which will prevent multiple SPN being created.

    Gary.

    0 comments
  3. Cobion 111 Reputation points
    2022-03-18T07:40:56.68+00:00

    That is, the administrator of *Nix services will be able to attach the hosts of the HADOOP cluster to the Active Directory domain and create an SPN for using Kerberos+HADOOP?
    At the same time, even if there is an SPN with the same name in AD in the domain, it will not be possible to register it?

    0 comments
  4. Gary Reynolds 9,621 Reputation points
    2022-03-18T08:19:55.737+00:00

    If you want to allow user's to join additional machines to the domain, this will require additional delegation rights over the SPN rights mentioned in the post. Have a look at this question for more information.

    After Windows 2012R2 if an SPN already exists, it was not possible to assign the same SPN to another object.

    Gary.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.