Avoiding duplicate Service Principal Names when using setspn.exe

Here's a quick Kerberos tip I was given the other day:

When registering an SPN with setspn.exe, use setspn -s rather than setspn -a. It takes a little longer, but it checks that the Service Principal Name (SPN) is not already registered anywhere else. This is a very handy little feature!

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
Registering ServicePrincipalNames for CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Updated object

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Duplicate SPN found, aborting operation!

How cool is that? Wish I'd known about this a long time ago! Bear in mind that it was only introduced in Server 2008, so it has not really been around all that long.
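The same duplicate check can be run read-only before touching an account, and across the whole domain to find duplicates created earlier with setspn -a. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the function names Find-SpnHolder and Get-DuplicateSpn are hypothetical.

```powershell
# Added example; requires the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Find-SpnHolder {
    # Return every object in the current domain that already holds $Spn.
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters (RFC 4515); the backslash goes first.
    $escaped = $Spn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName
}

function Get-DuplicateSpn {
    # List SPNs registered on more than one object, e.g. left behind by setspn -a.
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = $spn; Holder = $dn }
            }
        } |
        Group-Object -Property Spn |          # Group-Object compares case-insensitively
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Holders = $_.Group.Holder }
        }
}

# Pre-check for the SPN and account used in the post.
$holders = Find-SpnHolder -Spn 'http/server.demo.com'
if ($holders) {
    "Already registered on: $($holders.DistinguishedName -join '; ')"
} else {
    'No holder found; setspn -S http/server.demo.com spservice should succeed.'
}

# Audit the whole domain for duplicates that already exist.
Get-DuplicateSpn | Format-List
```

Both functions only read from the directory; the registration itself is still done with setspn -S as shown above.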