PowerScale: OneFS: How to find duplicate Service Principal Names (SPNs) in Active Directory preventing SMB clients from authenticating to the cluster

Summary: How to identify duplicate Service Principal Names in Active Directory, which can cause Kerberos authentication to fail.


Symptoms

Identify duplicate SPNs in Active Directory Domains:

Duplicate SPNs can cause login failures for service accounts and for clients authenticating to the cluster.

A duplicate SPN can cause a client to attempt to authenticate to the wrong system, or to receive a service ticket encrypted with the wrong Kerberos key.
Reference: http://technet.microsoft.com/en-us/library/cc772897%28v=ws.10%29.aspx

SMB clients authenticating using SmartConnect zone names or aliases may not be able to authenticate to the cluster shares.

In domain controller logs, or in /var/log/lsassd.log on the cluster, the following messages can indicate that duplicate SPNs are present:

KDC_ERR_PRINCIPAL_NOT_UNIQUE - Multiple entries in database

KRB_AP_ERR_MODIFIED - Message stream modified

Event ID 11 and/or Event ID 4 on domain controllers can also indicate duplicate SPNs.

Cause

The incorrect configuration of SPNs in the Active Directory environment can result in duplicates.

Resolution

Procedure

There are two options for finding duplicate SPNs. Setspn is a command-line utility; LDP is a graphical tool available on Windows Server 2003 and later.

Using setspn

Setspn is included in Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012. For Windows Server 2003, it can be obtained from the following link: http://support.microsoft.com/kb/970536
From the Windows command-line interface, run "setspn /?" to see the additional options for the command.
Duplicates are found using "setspn -x". This searches the entire forest and may take time to process in large environments.
The command "setspn -q <SPN>" queries by SPN name and may be better suited to larger environments.

Example 1:
The SPN "HOST/chomper.test.isilon.com" is registered to both the cluster named "isicluster1" and a Windows server named "win2k1."

C:\>setspn -x
Checking domain DC=test,DC=isilon,DC=com
Processing Entry 0
HOST/chomper.test.isilon.com is registered on these accounts
                CN=isicluster1,CN=Computers,DC=test,DC=isilon,DC=com
                CN=win2k1,CN=Computers,DC=test,DC=isilon,DC=com
Found 1 group of duplicate SPNs.
Example 2:
In larger environments, query using "setspn -q <SPN>" or use LDP as shown below.

C:\>setspn -q HOST/chomper.test.isilon.com
Checking domain DC=test,DC=Isilon,DC=com
CN=isicluster1,CN=Computers,DC=test,DC=isilon,DC=com
                HOST/chomper.test.isilon.com
                HOST/isicluster1
                HOST/isicluster1.test.isilon.com
CN=win2k1,CN=Computers,DC=test,DC=isilon,DC=com
                HOST/chomper.test.isilon.com
                HOST/win2k1
                HOST/win2k1.test.isilon.com

Existing SPN found!

If there is an SPN elsewhere in the environment with a different service class identifier, such as CIFS, it will not be found with "setspn -x." You can search for it by running a wildcard search:

C:\>setspn -q */isilon
Checking domain DC=test,DC=Isilon,DC=com
CN=isicluster2,CN=Computers,DC=test,DC=isilon,DC=com
                cifs/chomper.test.isilon.com
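As an added example (not part of this Dell article), the following Python script parses "setspn -q" style output such as the listings above into an account-to-SPN map and reports every SPN registered on more than one account. It also goes beyond the "setspn -x" check by flagging a host whose SPNs are split across accounts under different service classes (HOST/ on one account, cifs/ on another), which is the case "setspn -x" does not report. The sample input is constructed from the article's examples, and the assumption is that real setspn output keeps the same layout (unindented account DNs, indented SPNs).

```python
from collections import defaultdict

# Constructed sample input: the article's two "setspn -q" outputs merged.
SAMPLE_OUTPUT = """\
Checking domain DC=test,DC=isilon,DC=com
CN=isicluster1,CN=Computers,DC=test,DC=isilon,DC=com
                HOST/chomper.test.isilon.com
                HOST/isicluster1
                HOST/isicluster1.test.isilon.com
CN=win2k1,CN=Computers,DC=test,DC=isilon,DC=com
                HOST/chomper.test.isilon.com
                HOST/win2k1
                HOST/win2k1.test.isilon.com
CN=isicluster2,CN=Computers,DC=test,DC=isilon,DC=com
                cifs/chomper.test.isilon.com

Existing SPN found!
"""

def parse_setspn(text):
    """Map account DN -> [SPN, ...]. Unindented "CN=" lines open an
    account, indented lines are its SPNs, other lines are status text."""
    accounts, current = defaultdict(list), None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            accounts[current].append(line.strip())
        elif line.startswith("CN="):
            current = line.strip()
        elif not line[0].isspace():
            current = None  # "Checking domain ...", "Existing SPN found!"
    return dict(accounts)

def owners_by_key(accounts, key):
    """Return {key(spn): sorted DNs} for keys held by more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[key(spn)].add(dn)
    return {k: sorted(dns) for k, dns in owners.items() if len(dns) > 1}

def duplicate_spns(accounts):
    """True duplicates: the same SPN (case-insensitive) on several accounts."""
    return owners_by_key(accounts, str.lower)

def hosts_on_multiple_accounts(accounts):
    """Same host under different service classes (HOST/ vs cifs/) on
    different accounts; "setspn -x" does not report these."""
    return owners_by_key(accounts, lambda s: s.partition("/")[2].lower())
```

Feed it the saved output of "setspn -q */<hostname>*" for the host in question; a hit from hosts_on_multiple_accounts() with no hit from duplicate_spns() is exactly the CIFS case the article describes.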
Using LDP: http://support.microsoft.com/kb/321044

  1. Click Start, click Run, type LDP, and then click OK.
  2. Click Connection, and then click Connect.
  3. Leave the default settings, and then click OK.
    Note: If you do not receive the expected result, try another search by using the Global Catalog Port (3268) instead of the default setting (389).
  4. Click Connection, and then click Bind.
  5. Leave the default settings, and then click OK.
  6. Click View, and then click Tree.
  7. In the Tree View dialog box, type DC=test,DC=isilon,DC=com in the BaseDN box.
  8. Click Browse, and then click Search.
  9. In the Search dialog box, type DC=test,DC=isilon,DC=com in the BaseDN box.
  10. In the Search dialog box, type (serviceprincipalname=HOST/<sczonename>) in the Filter box.
  11. In the Attributes dialog box, type servicePrincipalName.
  12. Under Scope, click Subtree.
  13. Click Run, then close the Search dialog box.
  14. A duplicate SPN shows as two entries in the result, pointing to two different DNs, as in the following output:
***Searching 
ldap_search_s(Id,  DC=test,DC=isilon,DC=com ,2,
    (serviceprincipalname=HOST/chomper.test.isilon.com) ,attrList, 0 &msg)
    Getting 2 entries:
Dn: CN=ISICLUSTER1,CN=Computers,DC=test,DC=isilon,DC=com
    servicePrincipalName (3): HOST/isicluster1; HOST/isicluster1.test.isilon.com;
      HOST/chomper.test.isilon.com
Dn: CN=WIN2K1,CN=Computers,DC=test,DC=isilon,DC=com
    servicePrincipalName (3): HOST/win2k1; HOST/win2k1.test.isilon.com;
      HOST/chomper.test.isilon.com

Resolution:
The duplicate entry for win2k1 for "HOST/chomper.test.isilon.com" should be removed from the Active Directory domain.

A user with Domain Admin, Enterprise Admin, or delegated domain administration rights on the Active Directory domain can remove the duplicate entry.
The command to remove a duplicate entry is "setspn -D <spn> <accountname>."

C:\>setspn -D HOST/chomper.test.isilon.com win2k1
Unregistering ServicePrincipalnames for CN=win2k1,CN=Computers,DC=test,DC=isilon,DC=com
                HOST/chomper.test.isilon.com
Updated object

The output above confirms that "HOST/chomper.test.isilon.com" has been unregistered from the computer win2k1. It is now only registered to the ISICLUSTER1 machine account.

Additional Information

Related Articles:

"Authentication services can fail if the Service Principal Name (SPN) is incorrect or missing," 89649
"OneFS: How to create SPN accounts to allow Kerberos authentication using SmartConnect DNS entries," 16528
"How to view an SPN list in a Microsoft Active Directory environment," 16589
"SQL client cannot "Bulk Insert" files from an Isilon cluster to a SQL database," 89574
"How to enable Mac OS X single sign-on (SSO) to Active Directory-enabled CIFS shares in OneFS 5.5.x - 6.5.x," 16675
"Isilon OneFS 7.1.0.0: SMB2 clients cannot connect to the cluster using Kerberos authentication," 174024
"OneFS: Service Principal Names for Kerberos Authentication," 187999

Affected Products

Isilon

Article Properties
Article Number: 000032723
Article Type: Solution
Last Modified: 28 Nov 2025
Version:  4