Harry75
asked on
Duplicate SPN records
Hi, I have multiple events logged in the Event Viewer for the below, event 11:
There are multiple accounts with name host/kg-iis.uk.corp.pt.net of type DS_SERVICE_PRINCIPAL_NAME.
So I have run the command
ldifde -f check_SPN.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=host/kg-iis*)" -p subtree
The output is:
dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: WSMAN/KG-IIS
servicePrincipalName: WSMAN/KG-IIS.uk.corp.pt.net
servicePrincipalName: HOST/KG-IIS
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net
dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: HOST/$DUPLICATE-b42b
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net
Question is how do I delete the duplicate, which I assume is under the new computers OU?
Thanks
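An added example, not part of the original thread: a small Python parser for the ldifde export shown in the question that groups SPNs by owning object and flags replication conflict objects (DNs containing `\0ACNF:<GUID>`). The function names are hypothetical, and the sample is the question's output reconstructed as test data.

```python
import re
from collections import defaultdict

# Constructed sample: the ldifde export from the question above.
SAMPLE_LDIF = r"""dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: WSMAN/KG-IIS
servicePrincipalName: WSMAN/KG-IIS.uk.corp.pt.net
servicePrincipalName: HOST/KG-IIS
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net

dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net
changetype: add
servicePrincipalName: HOST/$DUPLICATE-b42b
servicePrincipalName: HOST/KG-IIS.uk.corp.pt.net
"""

# Replication conflict objects carry "\0ACNF:<objectGUID>" in their RDN.
CNF_MARK = re.compile(r"\\0ACNF:[0-9a-fA-F-]{36}")

def parse_spns(ldif_text):
    """Return {dn: [spn, ...]} from ldifde output."""
    # LDIF folds a long value onto the next line with one leading space.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    entries, dn = {}, None
    for line in unfolded.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep:
            dn = None  # blank line ends the entry
            continue
        if attr.lower() == "dn":
            dn = value.strip()
            entries.setdefault(dn, [])
        elif attr.lower() == "serviceprincipalname" and dn:
            entries[dn].append(value.strip())
    return entries

def find_duplicate_spns(entries):
    """Map each SPN (case-insensitive) held by >1 object to [(dn, is_conflict)]."""
    owners = defaultdict(list)
    for dn, spns in entries.items():
        for spn in {s.lower() for s in spns}:
            owners[spn].append((dn, bool(CNF_MARK.search(dn))))
    return {spn: objs for spn, objs in owners.items() if len(objs) > 1}

if __name__ == "__main__":
    for spn, objs in find_duplicate_spns(parse_spns(SAMPLE_LDIF)).items():
        for dn, is_cnf in objs:
            print(spn, "CONFLICT" if is_cnf else "live", dn, sep=" | ")
```

The conflict flag is only a hint about which object is the stale one; confirm which computer account is actually in use before removing anything.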
ASKER
Hi, as it's complaining about duplicate host/kg-iis.uk.corp.pt.net entries, one under dn: CN=KG-IIS,OU=IIS Servers,DC=uk,DC=corp,DC=pt,DC=net and the other under dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net, how do I delete the host/kg-iis.uk.corp.pt.net under dn: CN=KG-IIS\0ACNF:8033656b-5b16-4acd-83bb-709c95d81954,OU=NewComputers,DC=uk,DC=corp,DC=pt,DC=net?
BTW this is a Windows 2003 DC, and on typing in setspn -x it doesn't appear to be a valid switch.
Thanks
ASKER
Hi, yes it was a computer object. I did a search in AD Users and Computers for kg-iis and I found two entries, one kg-iis and one kg-iisACNF:8033656b-5b16-4acd-83bb-709c95d81954, so I just deleted the computer accounts from AD Users and Computers and the duplicate SPNs have gone. I wasn't sure of the SPN command to use to delete the desired entry but the above makes it clear,
thanks
You will have to figure out which object the SPN should actually be delegated to and remove the other. Once you figure out which one is correct, remove the duplicate with this command.
For example, if you decide to remove SPN "WSMAN/KG-IIS" from server "Server1" then the command would look like this