Avoiding duplicate Service Principal Names when using setspn.exe

Heres a quick Kerberos tip I was given the other day :

When registering a SPN with setspn.exe, rather than use setspn -a, use setspn -s  as this will take a little longer but it will check to ensure that that Service Principal Name (SPN) is not registered anywhere else.  This is  a very handy little feature!

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
Registering ServicePrincipalNames for CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Updated object

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Duplicate SPN found, aborting operation!

How cool is that?  Wish I'd known about this a long time ago!  Bear in mind that it was only introduced in Server 2008, so it has not really been around all that long.
Advertisements

2 Responses to Avoiding duplicate Service Principal Names when using setspn.exe

  1. emt training says:

    Keep posting stuff like this i really like it

  2. Dan Clements says:

    Hey Rhodes – good old “setspn -q” is a great one to run as well before registering new SPNs.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: