Duplicate SPN in the Domain.

Cobion 111 Reputation points
2022-03-18T06:18:58.51+00:00

Hello everyone!
Tell me, can it happen that this delegation will allow you to create a duplicate SPN?
AD is large enough and, roughly speaking, one object in AD can be linked to several SPNs; so how would it not happen that, when delegating and creating an SPN, some other service in AD stops working?

Or should one write a script in Posh that will check the identity of the SPN?
Link to a related question: delegation-of-authority-to-create-an-spn.html

Thanks!


4 answers

  1. Gary Reynolds 9,396 Reputation points
    2022-03-18T07:19:02.94+00:00

    Hi @Cobion

    In the context of an SPN you can only have one SPN entry per forest, i.e. host/server1 can only exist on one object. The setspn command has logic to check whether an entry exists before it is added. If you do try to bypass setspn and set the SPN directly on an object using an AD editing tool, such as ADSIEdit, LDP, etc., this will also fail, as the DS service also prevents multiple entries from being created.

    The linked post is talking about changing the permissions and who can change the SPN value; this doesn't change the underlying logic, which will prevent multiple SPNs from being created.

    Gary.


  2. Cobion 111 Reputation points
    2022-03-18T07:40:56.68+00:00

    That is, the administrator of *Nix services will be able to attach the hosts of the HADOOP cluster to the Active Directory domain and create an SPN for using Kerberos+HADOOP?
    At the same time, even if there is already an SPN with the same name in the AD domain, it will not be possible to register it?


  3. Gary Reynolds 9,396 Reputation points
    2022-03-18T08:19:55.737+00:00

    If you want to allow users to join additional machines to the domain, this will require additional delegation rights beyond the SPN rights mentioned in the post. Have a look at this question for more information.

    Since Windows 2012 R2, if an SPN already exists, it is not possible to assign the same SPN to another object.

    Gary.


  4. Thameur-BOURBITA 32,606 Reputation points
    2022-03-18T10:38:39.88+00:00

    Hi,

    Tell me, can it happen that this delegation will allow you to create a duplicate SPN?

    Yes, it's possible when the admin doesn't use the command setspn -S to add an SPN. setspn -A, or adding an SPN by editing the AD attribute, can generate a duplicate SPN.
    The only way to prevent a duplicate SPN when you generate a new one is to use setspn -S.

    AD is large enough and roughly speaking, one object in AD can be linked to several SPNs, and how would it not happen that when delegating and creating SPN, whatever other service in AD will stop working?

    If you need to delete a duplicate SPN, you should remove the SPN from the wrong computer or service account to restore the service.
    The command setspn -X -F will help you identify duplicate SPNs. setspn -F -Q host/servername will help you identify on which object the SPN has been added in the forest.

    Type setspn /? and you will find all the options provided by this command to manage SPNs.

    *Please don't forget to mark the helpful reply as the answer.
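The Posh script asked for in the question, as an added example that is not part of this thread: it walks every domain in the forest, builds a table of who holds which SPN, reports the duplicates that setspn -X -F would list, and offers a pre-registration check for the delegated-SPN scenario. It assumes the RSAT ActiveDirectory module is installed and that the caller can read all forest domains; the hostname in the usage line is a constructed placeholder.

```powershell
# Added example (not from the thread): forest-wide duplicate SPN check using the
# ActiveDirectory module, as a PowerShell alternative to 'setspn -X -F'.
# Assumes RSAT / the ActiveDirectory module and read access to every forest domain.
Import-Module ActiveDirectory

function Get-ForestSpnTable {
    # Returns a hashtable: SPN (lower-cased) -> array of DistinguishedNames holding it
    $table = @{}
    foreach ($domain in (Get-ADForest).Domains) {
        $objects = Get-ADObject -Server $domain `
            -LDAPFilter '(servicePrincipalName=*)' `
            -Properties servicePrincipalName
        foreach ($obj in $objects) {
            foreach ($spn in $obj.servicePrincipalName) {
                # Kerberos matches SPNs case-insensitively, so normalise before comparing
                $key = $spn.ToLowerInvariant()
                if (-not $table.ContainsKey($key)) { $table[$key] = @() }
                $table[$key] += $obj.DistinguishedName
            }
        }
    }
    return $table
}

function Find-DuplicateSpn {
    # Lists every SPN registered on more than one object (what setspn -X reports)
    $table = Get-ForestSpnTable
    foreach ($entry in $table.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [PSCustomObject]@{ SPN = $entry.Key; Objects = ($entry.Value -join '; ') }
        }
    }
}

function Test-SpnAvailable {
    # Pre-registration check for the delegation scenario in the question:
    # $true only if no object anywhere in the forest already holds the SPN.
    param([Parameter(Mandatory)][string]$Spn)
    $table = Get-ForestSpnTable
    return -not $table.ContainsKey($Spn.ToLowerInvariant())
}

# Constructed usage (hypothetical Hadoop node name, not from the thread)
Find-DuplicateSpn | Format-Table -AutoSize
Test-SpnAvailable -Spn 'HTTP/hadoop-node01.example.local'
```

Run Find-DuplicateSpn before and after any delegated SPN change; a non-empty result means a Kerberos client can receive a ticket for the wrong account, which is the service outage the question is worried about.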