How to remove duplicate SPNs
SPN
A Service Principal Name (SPN) is a unique identifier in Active Directory for a service instance on a network that uses Kerberos authentication. In simple terms, an SPN is like an alias for an AD object (a service account, user account or computer object) that lets other AD resources know which services run under which accounts, and it records those associations in Active Directory.
Here are the steps to remove duplicate Service Principal Names (SPNs) in Active Directory:
- Identify Duplicate SPNs: Use the following PowerShell command to list all SPNs and identify any duplicates:
SetSPN -T <DomainName> -Q */*
SetSPN -T windowstechno.local -Q */*
PS C:\Users\Administrator.WINDOWSTECHNO.000> SetSPN -T windowstechno.local -Q */*
Checking domain DC=Windowstechno,DC=local
CN=SVR02,OU=Computers-Directory,DC=Windowstechno,DC=local
HOST/SVR02
HOST/SVR02.Windowstechno.local
CN=WINDOWS7,OU=Windows7,OU=Windows-Workstations,OU=Workstations,OU=Computers-Directory,DC=Windowstechno,DC=local
RestrictedKrbHost/WINDOWS7
HOST/WINDOWS7
RestrictedKrbHost/WINDOWS7.Windowstechno.local
HOST/WINDOWS7.Windowstechno.local
CN=CBJ-V-51030,CN=Computers,DC=Windowstechno,DC=local
WSMAN/CBJ-V-51030
WSMAN/CBJ-V-51030.Windowstechno.local
TERMSRV/CBJ-V-51030.Windowstechno.local
RestrictedKrbHost/CBJ-V-51030.Windowstechno.local
HOST/CBJ-V-51030.Windowstechno.local
TERMSRV/CBJ-V-51030
RestrictedKrbHost/CBJ-V-51030
HOST/CBJ-V-51030
CN=Azure,OU=IMS,DC=Windowstechno,DC=local
https://test
CN=HOSTMACHINE,CN=Computers,DC=Windowstechno,DC=local
Microsoft Virtual Console Service/HOSTMACHINE
Microsoft Virtual Console Service/HostMachine.Windowstechno.local
Microsoft Virtual System Migration Service/HostMachine.Windowstechno.local
Microsoft Virtual System Migration Service/HOSTMACHINE
Hyper-V Replica Service/HostMachine.Windowstechno.local
Hyper-V Replica Service/HOSTMACHINE
RestrictedKrbHost/HOSTMACHINE
HOST/HOSTMACHINE
RestrictedKrbHost/HostMachine.Windowstechno.local
HOST/HostMachine.Windowstechno.local
CN=CBJ-V-51031,CN=Computers,DC=Windowstechno,DC=local
TERMSRV/CBJ-V-51031.Windowstechno.local
TERMSRV/CBJ-V-51031
WSMAN/CBJ-V-51031
WSMAN/CBJ-V-51031.Windowstechno.local
RestrictedKrbHost/CBJ-V-51031
HOST/CBJ-V-51031
RestrictedKrbHost/CBJ-V-51031.Windowstechno.local
HOST/CBJ-V-51031.Windowstechno.local
CN=CBJ-V-51036,OU=Windows-Servers,OU=Server-Directory,OU=Computers-Directory,DC=Windowstechno,DC=local
WSMAN/CBJ-V-51036.Windowstechno.local
WSMAN/CBJ-V-51036
TERMSRV/CBJ-V-51036
TERMSRV/CBJ-V-51036.Windowstechno.local
RestrictedKrbHost/CBJ-V-51036
HOST/CBJ-V-51036
RestrictedKrbHost/CBJ-V-51036.Windowstechno.local
HOST/CBJ-V-51036.Windowstechno.local
CN=AGPM,OU=Service-Accounts,DC=Windowstechno,DC=local
AgpmServer/CBJ-V-51036.Windowstechno.local/Windowstechno.local
Existing SPN found!
This will display all the registered SPNs in the domain. Look for any SPNs that have multiple instances.
- Verify Ownership: Ensure that you have the necessary permissions to manage the SPNs you want to remove. You’ll need to be a domain administrator or have the “Service Principal Name” permission.
- Remove Duplicate SPNs: Use the following command to remove a duplicate SPN from the account that should not hold it (the -D switch requires the account name):
SetSPN -D <DuplicateSPN> <AccountName>
Replace <DuplicateSPN> with the specific SPN you want to remove and <AccountName> with the account it should no longer be registered on.
- Confirm Removal: Run the initial SetSPN -T <DomainName> -Q */* command again to verify that the duplicate SPN has been removed.
- Repeat for All Duplicates: Repeat the removal and confirmation steps for each duplicate SPN you need to remove.
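The identify / remove / confirm sequence above as one PowerShell script (an added example, not code from the original post). It uses the ActiveDirectory module instead of setspn so the duplicate check is explicit: an SPN counts as a duplicate only when it is registered on two or more distinct accounts. The same check is what setspn -X performs. $TargetSpn and $TargetAccount are placeholders you must replace with the duplicate you reviewed with the service owner.

```powershell
# Added example (not from the original post): find SPNs registered on more than
# one account, then remove one reviewed duplicate and re-check. Assumes the
# ActiveDirectory module (RSAT) and an account allowed to write servicePrincipalName.
Import-Module ActiveDirectory

function Get-DuplicateSpn {
    param([string]$Server = (Get-ADDomain).PDCEmulator)
    # Every object with at least one SPN: computers, users and service accounts alike
    $objects = Get-ADObject -Server $Server -LDAPFilter '(servicePrincipalName=*)' `
        -Properties servicePrincipalName
    $index = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()      # Kerberos SPN lookup is case-insensitive
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $obj.DistinguishedName
        }
    }
    # Only SPNs present on two or more distinct accounts are real duplicates
    foreach ($entry in $index.GetEnumerator()) {
        $owners = @($entry.Value | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Accounts = $owners }
        }
    }
}

# Identify: list every duplicate and the accounts that hold it
Get-DuplicateSpn | Format-List

# Remove: take the SPN off the account that should not hold it.
# -WhatIf only reports the change; drop it once the removal is approved.
$TargetSpn     = 'HOST/EXAMPLE-SPN-PLACEHOLDER'                        # placeholder
$TargetAccount = 'CN=Placeholder,CN=Computers,DC=example,DC=local'     # placeholder
Set-ADObject -Identity $TargetAccount -Remove @{ servicePrincipalName = $TargetSpn } -WhatIf

# Confirm: the SPN should no longer appear in the duplicate list
Get-DuplicateSpn | Where-Object { $_.SPN -eq $TargetSpn.ToLowerInvariant() }
```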
It’s important to note that removing SPNs can have implications for services and applications that rely on those SPNs. Make sure to carefully review the impact before removing any SPNs, and coordinate with the relevant teams or service owners to ensure a smooth transition.
There are a few potential risks and side effects to be aware of when removing duplicate Service Principal Names (SPNs) in Active Directory:
- Service Disruption: If the SPN is associated with a running service or application, removing the duplicate SPN could disrupt the functionality of that service. This could cause downtime or interruptions for users.
- Authentication Failures: Services and applications use SPNs for Kerberos authentication. Removing a duplicate SPN could break the authentication process, preventing users from accessing the affected resources.
- Compatibility Issues: Some legacy applications or services may have hardcoded assumptions about the existence of certain SPNs. Removing these SPNs could cause compatibility problems and break these applications.
- Incorrect SPN Mapping: If the duplicate SPN is associated with the wrong service account or computer account, removing it could break the correct SPN-to-account mapping, leading to authentication problems.
- Permissions and Delegation: SPNs are used to configure Kerberos constrained delegation. Removing a duplicate SPN could impact the configured delegation settings, breaking the ability for services to impersonate users.
- Incomplete Cleanup: If there are dependencies on the duplicate SPN, simply removing it may not be enough. You may need to update service configurations, adjust delegation settings, or make other changes to fully remediate the issue.
To mitigate these risks, it’s important to:
- Thoroughly identify and understand all the services and applications that use the SPN you plan to remove.
- Coordinate with the owners of those services to plan and test the SPN removal process.
- Ensure you have a way to quickly restore the SPN if any issues arise after removal.
- Document the changes and communicate them to the relevant teams.
Careful planning and testing can help minimize the risks when removing duplicate SPNs in Active Directory.
Here are some best practices for safely removing duplicate Service Principal Names (SPNs) in a production Active Directory environment:
- Identify and Understand the Impact:
  - Thoroughly review the list of duplicate SPNs and identify which services or applications are associated with each SPN.
  - Understand the potential impact of removing each duplicate SPN on the affected services, applications, and users.
- Obtain Necessary Permissions:
  - Ensure you have the appropriate permissions to manage SPNs, such as being a domain administrator or having the “Service Principal Name” permission.
  - Verify that you have the necessary permissions to make changes to the accounts and services associated with the SPNs.
- Create a Backup and Rollback Plan:
  - Before making any changes, create a backup of the current SPN configuration, either manually or using a script.
  - Develop a plan to quickly restore the original SPN configuration in case any issues arise after the removal.
- Coordinate with Service Owners:
  - Engage with the owners of the services and applications that use the duplicate SPNs.
  - Work closely with them to plan the removal process, test the impact, and ensure a smooth transition.
- Perform Staged Removals:
  - Instead of removing all duplicate SPNs at once, consider a staged approach, removing one set of duplicates at a time.
  - This allows you to monitor the impact and address any issues that arise before proceeding with the next set of removals.
- Test the Removal Process:
  - Set up a test environment that closely mimics your production environment.
  - Validate the removal process in the test environment, ensuring that services and applications continue to function as expected.
- Communicate Changes:
  - Notify the relevant teams and users about the planned SPN removals, including the timeline and potential impact.
  - Provide clear instructions and points of contact for reporting any issues that arise.
- Monitor and Validate:
  - Closely monitor the production environment after the SPN removals to ensure that services and applications are functioning correctly.
  - Validate that the affected users and systems can still access the necessary resources.
- Document the Process:
  - Thoroughly document the steps taken, the decisions made, and the outcomes of the SPN removal process.
  - This documentation can be valuable for future reference and for ensuring a consistent approach across multiple SPN removals.
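One way to implement the backup-and-rollback practice above (an added example, not a script from the original post): snapshot every SPN in the domain to a CSV before a removal, and restore one account's SPNs from that snapshot if a service breaks. It assumes the ActiveDirectory module and rights to write servicePrincipalName; the snapshot path and the distinguished name in the usage lines are placeholders.

```powershell
# Added example (not from the original post): SPN snapshot before removal, and
# a targeted restore. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Export-SpnSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # One row per (account, SPN) pair so a single value can be restored on its own
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ DistinguishedName = $dn; SPN = $spn }
            }
        } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Restore-SpnFromSnapshot {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$WhatIf
    )
    $rows = @(Import-Csv -Path $Path | Where-Object { $_.DistinguishedName -eq $DistinguishedName })
    if ($rows.Count -eq 0) { throw "No SPNs recorded for $DistinguishedName in $Path" }
    $current = (Get-ADObject -Identity $DistinguishedName -Properties servicePrincipalName).servicePrincipalName
    # Re-add only what is missing; adding a value that already exists fails
    $missing = @($rows.SPN | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-ADObject -Identity $DistinguishedName -Add @{ servicePrincipalName = [string[]]$missing } -WhatIf:$WhatIf
    }
    return $missing    # the SPNs that were (or, with -WhatIf, would be) put back
}

# Usage (placeholder path and DN): snapshot before the removal step, restore if a service breaks
$snapshot = Join-Path $env:TEMP "spn-$(Get-Date -Format yyyyMMdd-HHmm).csv"
Export-SpnSnapshot -Path $snapshot
Restore-SpnFromSnapshot -Path $snapshot -DistinguishedName 'CN=Placeholder,CN=Computers,DC=example,DC=local' -WhatIf
```

Keep the snapshot file alongside the change record, since it also documents which account held each SPN before the removal.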
By following these best practices, you can minimize the risks and ensure a safe and successful removal of duplicate SPNs in your production Active Directory environment.
So, that’s all in this blog. I will see you soon with the next post. Have a nice day!!!
Guys, please don’t forget to like and share the post. Also join our WindowsTechno Community, where you can post your queries/doubts and our experts will address them.
You can also share your feedback using the WindowsTechno email id below.
If you have any questions, feel free to contact us at admin@windowstechno.com, and follow us on facebook@windowstechno to get updates about new blog posts.