Hi!
You might remember me from such posts as Kerbie Goes Bananas, and SetSPN improvements for Windows 2008. Or something.
I'm here with a public service announcement! Excitement!
It's been long enough since Windows 2008 (and the downlevel release of SetSPN) that I feel comfortable respectfully asking you to please:
In your organization, if you ever happen to run across a document that describes a procedure that looks anything like this:
SetSPN -A http/yourwebfarm DOMAIN\YourFarmAccount
Please:
to change the SETSPN -A command to a SETSPN -S.
You may need to include a foreword describing where to get the 2008 version of SetSPN (I think I may have just spoiled it for you) if you're still strongly a 2003/XP shop, with no newer SetSPN-toting OSs available.
Because it'll hurt you less in the long run.
The original release of SetSPN was strongly account-centric. Given a Windows account, it would let you:
Unfortunately, this makes it very easy to add the same SPN to multiple accounts - creating a duplicate SPN. This is a very bad thing.
The same SPN can't easily be added more than once to the same user account, but the original tool does nothing to prevent the same SPN being added to multiple user accounts - and unfortunately, that's exactly the situation you're trying to avoid.
Any of
or
breaks Kerberos for http://farm.
To restate the rule: One SPN can be associated with precisely one account.
And that's exactly what SETSPN -S is designed to prevent. SETSPN -S performs a quick check for duplicates before adding an SPN - which is the best possible time at which to catch the problem. So yay-the-Windows-2008-AD-team.
If you suspect you have duplicate SPNs in your environment, well, why just suspect? Run
To be told explicitly what duplicates you have kicking around in AD (there are forestwide switches you can use too). Yep, that used to be a nasty LDIFDE export with an LDAP filter expression; much simpler now!
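The duplicate-check-before-add behaviour of SETSPN -S, and the duplicate hunt described just above, can both be reproduced with plain ADSI calls. The following PowerShell is an added example written for this post, not a tool from the post or from the Windows AD team; it assumes a domain-joined host, read access to the directory and (for Add-SpnSafely) write access to servicePrincipalName on the target account. Function names, the http/yourwebfarm SPN and the YourFarmAccount name are illustrative.

```powershell
# Added example (not from the original post): report SPNs held by more than
# one account, and add an SPN only when no account already holds it.
# Assumes a domain-joined host and appropriate read/write rights in AD.

function Get-DuplicateSpn {
    # Enumerate every servicePrincipalName in the current domain and return
    # the values that appear on more than one account (the situation SETSPN -S
    # refuses to create). Default search base: the domain naming context.
    param(
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter = '(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # paged results, so large domains do not truncate
    $null = $searcher.PropertiesToLoad.Add('servicePrincipalName')
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')

    $owners = @{}   # lower-cased SPN -> array of account DNs holding it
    foreach ($result in $searcher.FindAll()) {
        $dn = $result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = $spn.ToLowerInvariant()   # SPN comparison is case-insensitive
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Accounts = $entry.Value }
        }
    }
}

function Add-SpnSafely {
    # Mirror what SETSPN -S does: look for the SPN on *any* account first and
    # only write it when it is not registered anywhere in the domain.
    param(
        [Parameter(Mandatory)][string]$Spn,             # e.g. http/yourwebfarm
        [Parameter(Mandatory)][string]$SamAccountName   # e.g. YourFarmAccount
    )
    $root = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$root")

    # Escape LDAP filter metacharacters before interpolating the SPN into the filter.
    $escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    $existing = $searcher.FindAll()
    if ($existing.Count -gt 0) {
        $holders = ($existing | ForEach-Object { $_.Properties['distinguishedname'][0] }) -join '; '
        throw "Refusing to add '$Spn': already registered on $holders"
    }

    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    $account = $searcher.FindOne()
    if (-not $account) { throw "Account '$SamAccountName' not found" }

    $entry = $account.GetDirectoryEntry()
    $null = $entry.Properties['servicePrincipalName'].Add($Spn)
    $entry.CommitChanges()
    "Added '$Spn' to $($entry.distinguishedName)"
}

# Usage:
#   Get-DuplicateSpn | Format-List
#   Add-SpnSafely -Spn 'http/yourwebfarm' -SamAccountName 'YourFarmAccount'
```

Both functions search only the current domain; a forest-wide check like the one the forestwide SetSPN switches perform would need to query the global catalog instead of the domain naming context. The escaping in Add-SpnSafely matters because an SPN supplied from a document or ticket could otherwise alter the LDAP filter and make the duplicate check miss an existing registration.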