-
Título
How to check for duplicate SPN's on computer objects in the domain, $DUPLICATE, SPN -
Descripción
How to check for duplicate SPN's on computer objects in the domain. -
Resolución
Locate and remove the object with the duplicated SPN's.
To identify duplicated SPN's in your environment you can run the following:
VAS=/opt/quest/bin/vastool ; for spn in `sudo $VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf \nDuplicated ServicePrincipalName: $spn\n; sudo $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done
Be advised this can be an expensive query as it will search ALL computer objects in AD then compare SPN's and print any duplicates found
Same command without sudo if you are running it as root:
VAS=/opt/quest/bin/vastool ; for spn in `$VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf \nDuplicated ServicePrincipalName: $spn\n; $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done