How to force duplicate SPN

If you have ever wanted to decommission an old file/SQL server while bringing another online to replace it and keep the existing hostname alive as an alias of the new system, you may want to force a duplicate SPN.

Setspn.exe has had duplicate SPN detection built into it since the Windows Server 2008 release when using the “-S” option. You can bypass the duplicate SPN detection by using the “-A” option instead. However, creation of a duplicate SPN is blocked when targeting a Windows Server 2012 R2 DC with SetSPN, even with the -A option. The error message displayed is the same as the one displayed when using the -S option: “Duplicate SPN found, aborting operation!”

Sometimes the file server (a NAS / RAS device or a computer with a shared folder) is registered in DNS under an alias instead of its real hostname. When \\myalias\sharename\file.csv is accessed, we may get the error message “filename could not be opened”.

The reason for this error is that a valid SPN is missing for the DNS alias (CNAME) record of the host.

To register the SPN for the DNS alias (CNAME) records, use the Setspn tool with the following syntax:

setspn -A host/your_ALIAS_name computername
setspn -A host/your_ALIAS_name.company.com computername

The trick is the -A switch (which no longer shows up in setspn /help on Windows Server 2012). If you use -S instead, it will detect the duplicate, as in this example:

setspn -s HOST/OLDSERVER newserver
Checking domain DC=Domain,DC=int
 CN=OLDSERVER,OU=Servers,OU=Folder,DC=Domain,DC=int
 WSMAN/OLDSERVER
 WSMAN/OLDSERVER.Domain.int
 HOST/OLDSERVER
 HOST/OLDSERVER.Domain.int
Duplicate SPN found, aborting operation!

You must register the Kerberos service principal names (SPNs), the host name, and the fully qualified domain name (FQDN) for all new DNS alias records. If you do not do this, a Kerberos ticket request for the DNS alias record will fail and return the error code KDC_ERR_S_PRINCIPAL_UNKNOWN.
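As an added example (not from the original post), the alternative to forcing a duplicate: move the alias SPNs from the decommissioned account to the new one with the ActiveDirectory PowerShell module, so each SPN has exactly one holder and the -S check passes. OLDSERVER, NEWSERVER and Domain.int are taken from the setspn output above; the module, and rights to edit servicePrincipalName, are assumed.

```powershell
# Added example, not the original post's code. Assumes the ActiveDirectory
# module (RSAT) and write access to servicePrincipalName on both accounts.
Import-Module ActiveDirectory

$alias     = 'OLDSERVER'      # hostname being kept alive as a CNAME
$domainDns = 'Domain.int'
$newHost   = 'NEWSERVER'      # computer account that now serves the alias

# Both forms the post says must exist: short name and FQDN.
$spns = @("HOST/$alias", "HOST/$alias.$domainDns")

foreach ($spn in $spns) {
    # Who holds this SPN now? An SPN must be on exactly one account; with two,
    # the KDC may encrypt the ticket with the wrong account's key and the
    # service rejects it (typically KRB_AP_ERR_MODIFIED).
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
                              -Properties servicePrincipalName)
    foreach ($h in $holders) {
        if ($h.Name -ieq $newHost) { continue }   # already where we want it
        Write-Host "Removing $spn from $($h.DistinguishedName)"
        Set-ADObject -Identity $h.DistinguishedName -Remove @{servicePrincipalName=$spn}
    }
    if ($holders.Name -notcontains $newHost) {
        $target = Get-ADComputer -Identity $newHost
        Write-Host "Adding $spn to $($target.DistinguishedName)"
        Set-ADObject -Identity $target.DistinguishedName -Add @{servicePrincipalName=$spn}
    }
}

# Verify: every alias SPN now resolves to exactly one account.
foreach ($spn in $spns) {
    $n = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)").Count
    "{0,-40} holders: {1}" -f $spn, $n
}
```

Run it once the old server is offline; until then the alias SPN is in use and moving it breaks Kerberos access to the old host.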
