Harry75 asked:

Duplicate SPN records

Hi, I have multiple events logged in the Event Viewer for the below, event 11:

There are multiple accounts with name host/kg-iis.uk.corp.pt.net of type DS_SERVICE_PRINCIPAL_NAME.

So I have run the command: ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=host/kg-iis*)" -p subtree

The output is:

dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: WSMAN/KG-IIS
servicePrincipalName: WSMAN/KG-IIS.uk.corp.pt.net
servicePrincipalName: HOST/KG-IIS
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net

dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: HOST/$DUPLICATE-b42b
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net


The question is: how do I delete the duplicate, which I assume is under the NewComputers OU?

Thanks
Bradley Fox answered:

Run the command below as domain admin to list duplicates.
setspn -x


You will have to figure out which object the SPN should actually be delegated to and remove the other. Once you figure out which one is correct, remove the duplicate with this command:
setspn -d <SPN> <object>


For example, if you decide to remove the SPN "WSMAN/KG-IIS" from server "Server1", then the command would look like this:
setspn -d WSMAN/KG-IIS Server1

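As an added example (not code from the question or the answers above), here is a small Python parser for the ldifde export shown in the question: it groups SPNs case-insensitively, lists every object holding a duplicated SPN, and flags the CNF (replication-conflict) object that the asker later found. The LDIF text is constructed from the question; the approach is useful where setspn -x is not available, as on the Windows 2003 DC mentioned here.

```python
from collections import defaultdict

# Constructed sample in the ldifde export format from the question (-l servicePrincipalName).
# "\0A" is the LDAP escape for a newline; "CNF:<guid>" marks a replication-conflict object.
SAMPLE_LDIF = """\
dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: WSMAN/KG-IIS
servicePrincipalName: WSMAN/KG-IIS.uk.corp.pt.net
servicePrincipalName: HOST/KG-IIS
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net

dn: CN=KG-IIS\\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: HOST/$DUPLICATE-b42b
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net
"""

CONFLICT_MARKER = "\\0ACNF:"


def parse_ldif(text):
    """Return [(dn, [spn, ...]), ...]; ldifde separates entries with a blank line."""
    entries, dn, spns = [], None, []
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line: end of the current entry
            if dn is not None:
                entries.append((dn, spns))
            dn, spns = None, []
            continue
        attr, _, value = line.partition(":")  # split at the first colon only; DNs contain ':'
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "serviceprincipalname":
            spns.append(value.strip())
    return entries


def find_duplicate_spns(entries):
    """Map each SPN to every DN holding it, keeping only SPNs on more than one object.
    Comparison is case-insensitive: the event says host/..., the export shows HOST/..."""
    holders = defaultdict(list)
    for dn, spns in entries:
        for spn in spns:
            holders[spn.lower()].append(dn)
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def is_conflict_object(dn):
    """True when the DN is a CNF (replication-conflict) object, the likely stale copy."""
    return CONFLICT_MARKER in dn
```

Review the flagged object before removing anything: the CNF copy is usually the stale one, but the live computer should be confirmed in AD Users and Computers first.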

Harry75 (asker) replied:

Hi, as it's complaining about duplicate host/kg-iis.uk.corp.pt.net entries, one under dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net and the other under dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net, how do I delete the host/kg-iis.uk.corp.pt.net under dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net?

BTW, this is a Windows 2003 DC, and typing in setspn -x doesn't appear to be a valid switch.

Thanks
ASKER CERTIFIED SOLUTION by Bradley Fox

Harry75 (asker) replied:

Hi, yes it was a computer object. I did a search in AD Users and Computers for kg-iis and found two entries, one kg-iis and one kg-iisACNF:8033656b-5b16-4acd-83bb-709c95d81954, so I just deleted the computer accounts from AD Users and Computers and the duplicate SPNs have gone. I wasn't sure of the SPN command to use to delete the desired entry, but the above makes it clear.

thanks