ADFS Configuration Wizard: The SPN required for this Federation Service is already set on another Active Directory account

Question
Consider the following scenario:
My customer has deployed an ADFS server, and this is the first time ADFS has been introduced into this environment. During the role post-install configuration wizard, I had to cancel, because the wizard detected we were trying to use CNG-based SSL certificates, when only legacy SSLs are supported. When we had obtained legacy SSLs, I ran the wizard again, which succeeded. However, I received the following error message:What does this error mean, and is it occurring because we ran the wizard twice?
How do I correct the problem it describes?Wednesday, November 2, 2016 12:15 AM
Answers
Make sure that the name of your ADFS server is different from the name of your ADFS farm.
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Thursday, November 3, 2016 1:22 AM
All replies
I can answer on how you can correct this problem, so you can run the ADFS wizard again without it throwing that error message. Since you’ve darkened out the target server name, it makes it a little more challenging to answer this, so bear with me. Run the following command to find the duplicate SPNs in your environment:
setspn -X
When the duplicate is found, you can either remove it manually from the AD account via the GUI (Attribute Editor tab, then scroll down to servicePrincipalName) or more simply by:
setspn -D <SPN> <AD account name>
Example, your AD domain name is acme.com, the SPN is CF/server1.acme.com, and the AD account name is krbservice:
setspn -D CF/server1.acme.com krbservice
That should do it. I can't answer definitively if the error is occurring because you ran the wizard twice - that might or might not be true. Depends whether or not the rollback of the first wizard actually rolled off the SPN from the AD account to which the SPN was set. In any case, while AD has gotten better at detecting duplicate SPNs before they get introduced into environment, it’s not yet perfect at preventing all occurrences which are in my opinion usually the result of human administrative error.
Best Regards, Todd Heron | Active Directory Consultant
Wednesday, November 2, 2016 12:37 AM
Hiya,
Yes, it is because you ran the wizard twice, probably with different service accounts configured. As Todd describes, you need to locate the SPN and update it correctly.
You could also do the following:
setspn -l http/<federation service name>
That way you can see which account the service principal name is registered to. That SPN should be registered to the service account chosen when installing ADFS. If not, you need to update it.
If you have doubts about it, you can give us the url of the federation service and the service account name, and we can give you the exact setspn command you need to run.
Wednesday, November 2, 2016 10:21 AM
Hi guys,
Thanks for the advice. Unfortunately, I'm still having issues. For the moment, let's call our domain MyDomain.com, and the federation service name is adfs.mydomain.com. The service account name is adfssvc. You also asked for the url of the federation service, but I'm not sure how to determine that. I verified our federation service name using the ADFS management snapin-->Federation Service Properties-->General tab.
Bizarrely, running setspn -X returns the following:
C:\Windows\system32>setspn -x
Checking domain DC=MyDomain,DC=com
Processing entry 1
found 0 group of duplicate SPNs.
Running setspn -l http://adfs.mydomain.com returns:
C:\Windows\system32>setspn -l http://adfs.mydomain.com
FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525
Could not find account http://adfs.mydomain.com
Same if I try setspn -l adfs.mydomain.com
I also ran C:\Windows\system32>setspn -l adfssvc
Registered ServicePrincipalNames for CN=adfssvc,OU=Users,DC=mydomain,DC=com:
[blank, nothing here]
Any thoughts?
- Edited by Alex-V-A Wednesday, November 2, 2016 7:02 PM
Wednesday, November 2, 2016 7:00 PM
setspn -l allows you to list the SPN's for a given principal. In order to query for a specific SPN you need to use -q.
E.g. setspn -q HTTP/adfs.mydomain.com
OR setspn -q HOST/adfs.mydomain.com
Normally AD FS will add HOST/adfs.mydomain.com on its service account. If it's complaining in the wizard than you would expect that HOST/adfs.mydomain.com (or HTTP/adfs.mydomain.com) are already used on another account. The -q commands should help you there.
Wednesday, November 2, 2016 11:44 PM
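Todd's setspn -X / setspn -D advice and Pierre's point that -l lists an account's SPNs while -q looks up a specific SPN both come down to the same question: which object in the directory holds a given servicePrincipalName? The PowerShell below is an added example, not code from the thread or from Microsoft; it does the same walk over the directory with a plain LDAP search (no ActiveDirectory module needed), reports every SPN that appears on more than one object, and shows the holder of any SPN you name. It assumes the thread's placeholder names (adfs.mydomain.com, adfssvc) and a domain-joined machine whose user can read the domain naming context; SPNs are compared case-insensitively here, which is how the KDC matches them.

```powershell
# Added example (not from the thread): enumerate every servicePrincipalName in the domain
# and report duplicates plus the holder of any SPN you ask about. This reproduces what
# 'setspn -X' and 'setspn -Q' show, but returns the objects so you can act on them.
# Assumption: run from a domain-joined host as a user allowed to read the domain.

function Get-DomainSpnTable {
    param([string]$SearchBase = ([adsi]"LDAP://RootDSE").defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.Filter   = "(servicePrincipalName=*)"   # every object that has at least one SPN
    $searcher.PageSize = 1000                          # paged search, so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

    $table = @{}   # lowercase SPN -> list of distinguished names holding it
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        foreach ($spn in $result.Properties["serviceprincipalname"]) {
            $key = ([string]$spn).ToLowerInvariant()   # SPN matching is case-insensitive
            if (-not $table.ContainsKey($key)) { $table[$key] = New-Object System.Collections.ArrayList }
            [void]$table[$key].Add($dn)
        }
    }
    return $table
}

function Find-DuplicateSpn {
    # Equivalent of 'setspn -X': any SPN held by more than one object.
    param([hashtable]$SpnTable = (Get-DomainSpnTable))
    foreach ($entry in $SpnTable.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ SPN = $entry.Key; Holders = ($entry.Value -join '; ') }
        }
    }
}

function Get-SpnHolder {
    # Equivalent of 'setspn -Q <spn>': who holds this exact SPN, if anyone.
    param([Parameter(Mandatory)][string[]]$Spn, [hashtable]$SpnTable = (Get-DomainSpnTable))
    foreach ($s in $Spn) {
        $key = $s.ToLowerInvariant()
        [pscustomobject]@{
            SPN    = $s
            Holder = if ($SpnTable.ContainsKey($key)) { $SpnTable[$key] -join '; ' } else { '(not registered)' }
        }
    }
}

# Usage with the thread's placeholder names (assumed, not real):
$spns = Get-DomainSpnTable
Find-DuplicateSpn -SpnTable $spns | Format-Table -AutoSize
Get-SpnHolder -Spn 'HOST/adfs.mydomain.com', 'HTTP/adfs.mydomain.com' -SpnTable $spns | Format-Table -AutoSize
```

Run against the situation the original poster describes, Get-SpnHolder would show HOST/adfs.mydomain.com held by the computer object CN=ADFS,... and HTTP/adfs.mydomain.com as not registered, while Find-DuplicateSpn returns nothing, which is exactly the combination the poster found confusing: the wizard complains about a name that is taken, not about a duplicate.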
C:\Windows\system32>setspn -q HTTP/adfs.mydomain.com
Checking domain DC=mydomain,DC=com
No such SPN found.
C:\Windows\system32>setspn -q HOST/adfs.mydomain.com
Checking domain DC=Mydomain,DC=com
CN=ADFS,OU=Servers,OU=Computers,DC=Mydomain,DC=com
TERMSRV/ADFS
TERMSRV/ADFS.mydomain.com
WSMAN/ADFS
WSMAN/adfs.mydomain.com
RestrictedKrbHost/adfs
HOST/adfs
RestrictedKrbHost/adfs.mydomain.com
HOST/adfs.mydomain.com
Existing SPN found!
I'm also seeing Event ID 217 being logged in the ADFS/Admin log: "MSIS0006: A Service Principal Name is not registered for the AD FS service account."
Oh, and for the record, since there are blog posts out there about this issue: we're not using a self-signed cert generated thru IIS. We have a cert signed by a third party CA.
Basically, I'm not sure how to interpret the meaning of the output of these commands vs. the wizard error vs. the event log entry. What is missing--what do I need to do to reconcile the issue the wizard reported?
- Edited by Alex-V-A Thursday, November 3, 2016 1:05 AM
Thursday, November 3, 2016 1:04 AM
Hi,
You are missing the HTTP/adfs.mydomain.com <ADFS service account name>
setspn -s http/adfs.mydomain.com <ADFS service account name>
@Pierre: What would be the problem with this? Besides transparency and possible misunderstandings about when you're talking about the server and when about the system.
- Edited by Jesper Arnecke Friday, November 4, 2016 11:15 AM
Friday, November 4, 2016 11:13 AM
Make sure that the name of your ADFS server is different from the name of your ADFS farm.
Hello Pierre Audonnet, Is there any reason we have to use a different service name from ADFS server name?
Monday, November 7, 2016 10:24 AM
This is to avoid duplicate SPN. If the machine name is ADFS.contoso.com and the farm name ADFS.contoso.com then the computer account of your ADFS server and the service account of your ADFS farm will have the same SPN: HOST/ADFS.contoso.com.
Monday, November 7, 2016 1:40 PM
This is to avoid duplicate SPN. If the machine name is ADFS.contoso.com and the farm name ADFS.contoso.com then the computer account of your ADFS server and the service account of your ADFS farm will have the same SPN: HOST/ADFS.contoso.com.
But the SPN for ADFS is an HTTP and not a HOST?
Monday, November 7, 2016 4:38 PM
Nope, that's a HOST. Cf. https://technet.microsoft.com/en-us/library/dn554247(v=ws.11).aspx
Monday, November 7, 2016 8:01 PM
And to back up additionally to Pierre's statement.
Why?
It's a requirement from the Windows Communication Foundation (WCF) SPN requirements.
- Edited by Jesper Arnecke Friday, November 18, 2016 12:08 PM Fixed broken link
Monday, November 7, 2016 8:25 PM
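The fix that emerges from the thread has three parts: the farm name must not be the DNS name of the ADFS server (otherwise the computer account already owns HOST/<farm>, as Pierre explains), the farm's HOST/ and HTTP/ SPNs must sit on the service account, and Jesper's setspn -s is the safe way to add the missing one. The PowerShell below is an added example, not code from the thread or from Microsoft, that performs those checks in order before registering anything. It assumes the thread's placeholder names (farm adfs.mydomain.com, service account adfssvc), a domain-joined host, and a user permitted to write servicePrincipalName on the service account (Domain Admin in practice); the function name and its parameters are my own.

```powershell
# Added example (not from the thread): pre-flight check before registering the AD FS SPNs.
# 1. Refuse if the farm name is also a computer's dNSHostName (the HOST/ collision).
# 2. Show who holds HOST/<farm> and HTTP/<farm>; stop if a different object has one.
# 3. With -Register, add the missing ones via 'setspn -S', which checks for duplicates
#    before writing (unlike 'setspn -A').
# Assumptions: placeholder names from the thread; run as a user who may write the SPNs.

function Test-AdfsSpnPreflight {
    param(
        [Parameter(Mandatory)][string]$FarmFqdn,        # e.g. adfs.mydomain.com (assumed)
        [Parameter(Mandatory)][string]$ServiceAccount,  # sAMAccountName, e.g. adfssvc (assumed)
        [switch]$Register
    )
    $rootDse = [adsi]"LDAP://RootDSE"
    $root    = [adsi]"LDAP://$($rootDse.defaultNamingContext)"
    $s       = New-Object System.DirectoryServices.DirectorySearcher($root)

    # 1. A computer whose DNS name equals the farm name already owns HOST/<farm>
    #    through its computer account; no service-account SPN can coexist with that.
    $s.Filter = "(&(objectCategory=computer)(dNSHostName=$FarmFqdn))"
    $computer = $s.FindOne()
    if ($computer) {
        $dn = [string]$computer.Properties['distinguishedname'][0]
        throw "Farm name $FarmFqdn is the DNS name of computer $dn; pick a farm name that differs from every server name."
    }

    # 2. For each SPN the wizard expects, find the current holder (if any).
    $wanted  = @("HOST/$FarmFqdn", "HTTP/$FarmFqdn")
    $missing = @()
    foreach ($spn in $wanted) {
        $s.Filter = "(servicePrincipalName=$spn)"
        $holder = $s.FindOne()
        if (-not $holder) {
            Write-Host "$spn : not registered"
            $missing += $spn
            continue
        }
        $dn  = [string]$holder.Properties['distinguishedname'][0]
        $sam = [string]$holder.Properties['samaccountname'][0]
        if ($sam -ieq $ServiceAccount) {
            Write-Host "$spn : OK, already on $dn"
        } else {
            throw "$spn is held by $dn, not by $ServiceAccount. Remove it there first (setspn -D $spn <that account>)."
        }
    }

    # 3. Register what is missing. setspn -S refuses to create a duplicate.
    if ($Register) {
        foreach ($spn in $missing) {
            & setspn.exe -S $spn $ServiceAccount
            if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $ServiceAccount failed (exit code $LASTEXITCODE)" }
        }
    }
    return $missing
}

# Usage with the thread's placeholder names (assumed, not real):
Test-AdfsSpnPreflight -FarmFqdn 'adfs.mydomain.com' -ServiceAccount 'adfssvc' -Register
```

In the original poster's case step 1 would throw immediately, because the server is itself named ADFS.mydomain.com; that is the condition Pierre's one-line answer addresses, and no amount of setspn on the service account fixes it while the computer account keeps HOST/adfs.mydomain.com.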
Any update?
Thursday, November 17, 2016 10:31 PM