
0 Votes
MdMahfuzurRahman-9219 asked GaryReynolds answered

We want to disable SPN Alias Uniqueness Check.

We want to disable the SPN Alias Uniqueness Check. If we disable the SPN Alias Uniqueness Check, is there any impact on our production environment?

windows-active-directory

0 Votes
GaryReynolds answered

Yes, by disabling the SPN uniqueness checking, you are allowing duplicate SPNs to be created in AD, and the extract above applies. Disabling the uniqueness check is per forest. You will need to add an additional step to your SPN assignment process to check whether the SPN already exists before adding a new one.

Gary.
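One way to implement the pre-check Gary recommends, as an added PowerShell example that is not from the thread or from Microsoft: the function names, the sample SPN and DN values, and the treatment of HOST/<host> on another object as a conflict are my assumptions, and it needs the RSAT ActiveDirectory module.

```powershell
# Added example (not from the thread). Once forest-wide SPN uniqueness
# enforcement is disabled, AD no longer rejects duplicates, so the assignment
# process has to look for them itself. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters that are special in an LDAP filter (RFC 4515) so
    # an SPN containing them cannot change the meaning of the query.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace "`0", '\00'
}

function Test-SpnConflict {
    # Returns every object in the forest (global catalog search, port 3268)
    # that already holds $Spn, other than the object it is meant for.
    # Simplification (my assumption): HOST/<host> held by another object is
    # also reported, because HOST is the alias class for many service classes.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$TargetDistinguishedName,
        [string]$GlobalCatalog = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1)
    )
    $candidates = @($Spn)
    if ($Spn -match '^(?<class>[^/]+)/(?<rest>.+)$' -and $Matches.class -ne 'HOST') {
        $candidates += "HOST/$($Matches.rest)"
    }
    $clauses = ($candidates | ForEach-Object {
        "(servicePrincipalName=$(ConvertTo-LdapFilterValue $_))" }) -join ''
    Get-ADObject -LDAPFilter "(|$clauses)" -Properties servicePrincipalName `
                 -Server "${GlobalCatalog}:3268" `
                 -SearchBase (Get-ADRootDSE).rootDomainNamingContext |
        Where-Object { $_.DistinguishedName -ne $TargetDistinguishedName } |
        Select-Object DistinguishedName, ObjectClass,
            @{ n = 'MatchingSpn'; e = { $_.servicePrincipalName | Where-Object { $candidates -contains $_ } } }
}

# Usage with constructed sample values: refuse the assignment if anything comes back.
$spn    = 'HTTP/app01.contoso.com'
$target = 'CN=svc-app01,OU=ServiceAccounts,DC=contoso,DC=com'
$conflicts = @(Test-SpnConflict -Spn $spn -TargetDistinguishedName $target)
if ($conflicts.Count -gt 0) {
    $conflicts | Format-Table -AutoSize
    throw "SPN $spn (or its HOST alias) already exists on another object; not adding."
}
Set-ADObject -Identity $target -Add @{ servicePrincipalName = $spn }
```

The built-in `setspn -S` also refuses to add an SPN that already exists in the forest, and `setspn -X` lists duplicates that have already crept in, so both are worth running periodically while the check is disabled.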


0 Votes
GaryReynolds answered

Hi anonymous user

Here is the extract from the link below.

In Windows Server 2012 R2, we introduced SPN uniqueness checks/blocks which ensure applications or administrators aren't able to create objects in Active Directory with the same SPN as another object. Typically, preventing duplicate SPNs is a great idea. Duplicate SPNs can cause issues, including Kerberos authentication problems or application failures. However, there are some situations/tools that require the ability to bypass the duplicate SPN check in order to function properly. A prime example would be a third-party Active Directory migration tool or even the built-in commands NETDOM and Move-ADObject. When these tools are used, the SPN uniqueness check prevents the application from fully moving or migrating computers and users, and will often error out.

Gary.

0 Votes
LimitlessTechnology-2700 answered

Hi Mahfuzrupok-2233,

This feature guarantees that SPNs are unique in a forest, which prevents computers and domain controllers from adding duplicate SPNs. You can read how to disable it here:

https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

The answer to your question is that there would be no detrimental effect as long as there are no duplicate SPNs. If you have undetected duplicate SPNs, they can cause issues, including Kerberos authentication problems or application failures. However, there are some situations/tools that require the ability to bypass the duplicate SPN check in order to function properly.

If this is a temporary measure to allow a third-party app to install or operate, I would recommend re-enabling the Alias Uniqueness Check once finished.


0 Votes
MdMahfuzurRahman-9219 answered MdMahfuzurRahman-9219 edited

Is there any impact if we disable the SPN Alias Uniqueness Check in our production environment?

And if we disable the SPN Alias Uniqueness Check, is there a possibility of duplicate SPNs being created?
