-
Title
How to check for duplicate SPN's on computer objects in the domain, $DUPLICATE, SPN -
Description
How to check for duplicate SPN's on computer objects in the domain. -
Resolution
Locate and remove the object with the duplicated SPN's.
To identify duplicated SPN's in your environment you can run the following:
VAS=/opt/quest/bin/vastool ; for spn in `sudo $VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf \nDuplicated ServicePrincipalName: $spn\n; sudo $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done
Be advised this can be an expensive query as it will search ALL computer objects in AD then compare SPN's and print any duplicates found
Same command without sudo if you are running it as root:
VAS=/opt/quest/bin/vastool ; for spn in `$VAS -u host/ search -q "(servicePrincipalName=*)" servicePrincipalName | sort | uniq -d` ; do printf \nDuplicated ServicePrincipalName: $spn\n; $VAS -u host/ search -q "(servicePrincipalName=$spn)" distinguishedName ; done