We want to disable SPN Alias Uniqueness Check.

Md. Mahfuzur Rahman 346 Reputation points
2022-05-10T06:15:37.56+00:00

We want to disable SPN Alias Uniqueness Check. If we disable SPN Alias Uniqueness Check, then is there any impact on our production environment?

Active Directory

Accepted answer
  1. Gary Reynolds 9,391 Reputation points
    2022-05-12T05:14:25.36+00:00

    Yes, by disabling the SPN uniqueness checking, you are allowing duplicate SPNs to be created in AD, and the extract above applies. Disabling the uniqueness check is per forest. You will need to add an additional step to your SPN assignment process to check if the SPN already exists before adding a new one.

    Gary.

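    The pre-assignment check Gary describes, written out as an added PowerShell example (not code from the thread or from Microsoft). It assumes the ActiveDirectory RSAT module is available and that the account runs with rights to read the Global Catalog and write servicePrincipalName on the target object; the SPN and distinguished name used in the usage call are placeholders. Because the uniqueness check being disabled is forest-wide, the lookup goes to a Global Catalog (port 3268) rather than a single domain.

```powershell
# Added example: look up an SPN forest-wide before assigning it, so that
# turning off the server-side uniqueness check does not lead to duplicates.
# Assumptions: ActiveDirectory module present; placeholder SPN/DN values.
Import-Module ActiveDirectory

function Test-SpnInUse {
    param(
        [Parameter(Mandatory)][string]$Spn,
        # Global Catalog port 3268 so the search covers every domain in the forest
        [string]$GcServer = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1) + ':3268'
    )
    # Escape LDAP filter metacharacters (RFC 4515) so an odd SPN cannot change the filter
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'
    # Any object in the forest already carrying this SPN (users, computers, gMSAs, ...)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" `
                 -Server $GcServer -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

function Add-SpnIfUnique {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$TargetDn   # DN of the account that should own the SPN
    )
    $owners = @(Test-SpnInUse -Spn $Spn)
    if ($owners.Count -gt 0) {
        # Refuse to create a duplicate; report who already holds it so it can be investigated
        Write-Warning ("SPN '{0}' already registered on: {1}" -f $Spn,
                       ($owners.DistinguishedName -join '; '))
        return $false
    }
    # -Add appends to the multi-valued attribute without disturbing existing SPNs
    Set-ADObject -Identity $TargetDn -Add @{ servicePrincipalName = $Spn }
    Write-Verbose "Assigned SPN '$Spn' to $TargetDn"
    return $true
}

# Usage (placeholder values):
# Add-SpnIfUnique -Spn 'HTTP/web01.contoso.com' `
#                 -TargetDn 'CN=svc-web,OU=Service Accounts,DC=contoso,DC=com' -Verbose
```

    The check-then-add sequence is not atomic: two administrators running it at the same moment can still both succeed, which is exactly the window the directory-side check used to close. Pair it with a periodic forest-wide audit for duplicates, for example `setspn -X -F`, and treat any hit as an incident to resolve, since a duplicate SPN means the KDC may issue tickets encrypted for the wrong account and the affected service will fail Kerberos authentication.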

3 additional answers

Sort by: Most helpful
  1. Gary Reynolds 9,391 Reputation points
    2022-05-10T11:01:15+00:00

    Hi anonymous user

    Here is the extract from the link below.

    In Windows Server 2012 R2, we introduced SPN uniqueness checks/blocks which ensure applications or administrators aren't able to create objects in Active Directory with the same SPN as another object. Typically, preventing duplicate SPNs is a great idea. Duplicate SPNs can cause issues, including Kerberos authentication problems or application failures. However, there are some situations/tools that require the ability to bypass the duplicate SPN check in order to function properly. A prime example would be a third-party Active Directory migration tool or even the built-in commands NETDOM and Move-ADObject. When these tools are used, the SPN uniqueness check prevents the application from fully moving or migrating computers and users, and will often error out.

    Gary.

  2. Limitless Technology 39,336 Reputation points
    2022-05-11T07:38:28.207+00:00

    Hi Mahfuzrupok-2233,

    This feature guarantees that SPNs are unique in a forest, which prevents computers and domain controllers from adding duplicate SPNs. You can read how to disable it here:

    https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

    The answer to your question is that there would be no detrimental effect as long as there are no duplicate SPNs. If you have undetected duplicate SPNs, they can cause issues, including Kerberos authentication problems or application failures. However, there are some situations/tools that require the ability to bypass the duplicate SPN check in order to function properly.

    If this is a temporary measure to allow a third party app to install or operate, I would recommend returning the Alias Uniqueness Check once finished.


    --If the reply is helpful, please Upvote and Accept as answer--


  3. Md. Mahfuzur Rahman 346 Reputation points
    2022-05-12T04:21:07.863+00:00

    Is there any impact if we disable SPN Alias Uniqueness Check in our production environment?

    And if we disable SPN Alias Uniqueness Check, is there a possibility of duplicate SPNs being created?
