Duplicate SPNs

    Question

  • We have a duplicate SPN in place for a SQL service and are considering removing one of the entries we no longer need. The SQL service supports one of our ASP.Net web applications. The service account for the SQL service was changed to a different account. And the duplicate SPN is registered to the old service account that is no longer in play.

    Right now there doesn't seem to be any visible impact to our users with the duplicate SPN in place. All we see are events on a domain controller indicating the presence of a duplicate SPN.

    What impact does a duplicate SPN have? I read here that at worst it would force authentication of the SQL service to fall back to NTLM instead of Kerberos. Does that seem right?

    We'd like to remove the duplicate SPN but want to consult first with the experts in the community before we commit to making this change in our production environment.

    Thanks!

    Wednesday, February 8, 2017 1:58 PM

Answers

  • If someone by chance happens to use a duplicate SPN to find/reach a Kerberos-protected resource, Kerberos authentication will fail if they use that name, because as you stated, the duplicate SPN is registered to the old service account that is no longer in play.  If the service account is no longer in play, then the duplicate SPN is safe to delete.  Think of SPNs as just an alias for a resource on your network.  If that resource is gone, or one of the names linked to that resource is gone, just get rid of it, as it's taking up unnecessary space in your Directory and worse, will cause confusion for the next administrator.  Keep in mind, this operation is safe, as you can always re-instate the SPN instantly as part of your back-out plan if there's any problem.  But based on what you said, there will not be any problems.  Please don't forget to come back here and mark this as an answer if you verify there weren't any problems, as this issue pops up from time to time and it will be helpful for others facing the same. For further reference, here is a Microsoft Blog on this subject, which especially applies to your case with SQL Server:  Duplicate SPN: What is it really?

    EDIT:  It is difficult to answer the question whether fallback to NTLM may occur, as it depends on the application.  It is not up to Kerberos whether or not fallback to NTLM occurs, instead it is up to the application and every application is coded differently.  Only a Wireshark trace and/or NTLM auditing can tell for sure.   To do NTLM auditing, please see the following reference:  Using Group Policies to audit NTLM traffic.  Regarding Wireshark analysis, please see:  How to Use Wireshark to Capture, Filter and Inspect Packets


    Best Regards, Todd Heron | Active Directory Consultant


    • Edited by Todd Heron Wednesday, February 8, 2017 5:23 PM Added new info on NTLM
    • Marked as answer by GregT8_at_Catapult Thursday, February 9, 2017 1:47 PM
    Wednesday, February 8, 2017 3:56 PM
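The procedure the answer describes, written out as an added PowerShell example that is not part of this thread: enumerate every SPN registered on more than one account, then remove the chosen duplicate from the stale account as a dry run unless explicitly committed, printing the back-out command first. It assumes the ActiveDirectory RSAT module; the SPN `MSSQLSvc/sqlhost.example.com:1433` and the account `svc_sql_old` are placeholders, not values from the thread.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
# The SPN and account names at the bottom are placeholders, not real values.
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    param([string]$Filter = 'MSSQLSvc/*')   # narrow to SQL Server SPNs by default
    # Every user/computer/MSA object in the current domain carrying a matching SPN
    $objects = Get-ADObject -LDAPFilter "(servicePrincipalName=$Filter)" `
                            -Properties servicePrincipalName, sAMAccountName
    $map = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            if ($spn -notlike $Filter) { continue }
            # The KDC matches SPNs case-insensitively, so normalise before grouping
            $key = $spn.ToLowerInvariant()
            if (-not $map.ContainsKey($key)) { $map[$key] = @() }
            $map[$key] += $obj.sAMAccountName
        }
    }
    # Only an SPN held by two or more distinct accounts is a duplicate
    $map.GetEnumerator() |
        Where-Object { ($_.Value | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ SPN = $_.Key; Accounts = ($_.Value | Sort-Object -Unique) }
        }
}

function Remove-StaleSpn {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$OldAccount,   # account no longer running the service
        [switch]$Commit                              # omit for a dry run (-WhatIf)
    )
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$OldAccount)" -Properties servicePrincipalName
    if (-not $obj) { throw "Account $OldAccount not found" }
    if ($obj.servicePrincipalName -notcontains $Spn) { throw "$Spn is not registered on $OldAccount" }
    # Print the back-out plan before touching anything: re-adding the SPN is one command
    Write-Host "Back-out: Set-ADObject '$($obj.DistinguishedName)' -Add @{servicePrincipalName='$Spn'}"
    Set-ADObject -Identity $obj.DistinguishedName -Remove @{servicePrincipalName=$Spn} -WhatIf:(-not $Commit)
}

# Usage: report duplicates, then preview (dry run) removal from the old account
Find-DuplicateSpn | Format-Table -AutoSize
Remove-StaleSpn -Spn 'MSSQLSvc/sqlhost.example.com:1433' -OldAccount 'svc_sql_old'
```

Get-ADObject searches only the current domain by default; in a multi-domain forest, query a global catalog (`-Server gc.example.com:3268`) so duplicates registered in another domain are not missed.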

All replies

  • AD uses SPNs to locate the service provider; when you have duplicates, the issue it causes could be intermittent, depending on whether AD finds the right identity that actually provides the service. Secondly, not everything falls back to NTLM. It might be true for HTTP service, but not so for SQL. All in all, why keep an SPN that's obviously only doing harm?
    Wednesday, February 8, 2017 4:41 PM