Service Principal Name Headache
Yet another post to remind myself just in case I forget... again.
Troubleshooting Kerberos authentication is a pain.
Rules of thumb:
"Thou shalt not have more than one service account delegating for the same service to the same server at one time."
"If thou ever findest thyself in need of violating rule #1, consider assigning the SPN ONLY to the server account itself."
Say you have Server1 and Server2 which belong to domain DOMAIN and ServiceAccount1 and ServiceAccount2 which need to do HTTP delegation.
See the following scenarios:
Forbidden (two service accounts both hold the HTTP SPN for the same server, so the KDC cannot tell which account's key to use):
Allowed (one service account holds the HTTP SPN for two different servers):
Forbidden (a service account and the server's own computer account both hold the HTTP SPN for the same server):
Allowed (only the server's own computer account holds the HTTP SPN for that particular server):
Tools that you can use to troubleshoot SPN issues are:
CSVDE + Excel: You can use these two to find out if you have duplicate SPNs.
For example, run
CSVDE -f results.csv -r "(objectClass=User)" -l "sAMAccountName,servicePrincipalName"
from a Command Prompt, then open results.csv in Excel and filter the servicePrincipalName column there to find the duplicates. After you have found them, you can remove the offending SPN using
KERBTRAY: You can use this tool to remove cached Kerberos tickets on the fly. Waiting for the ticket to expire by itself is a pain in the butt.
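If you would rather not do the filtering by hand in Excel, here is an added example (not from the original post) that reads a CSVDE-style export and reports every SPN registered on more than one account, i.e. the two "Forbidden" scenarios above. The export text is constructed for the example, with hypothetical account and host names; CSVDE packs the multi-valued servicePrincipalName attribute into one cell with the values separated by ';', and because computer objects are also objectClass=User, the server accounts (SERVER1$, SERVER2$) show up in the same export, which is exactly what you need to catch the service-account-versus-server clash.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a CSVDE export (hypothetical names).
# Multi-valued attributes such as servicePrincipalName arrive in one cell,
# with the individual values separated by ';'.
SAMPLE_EXPORT = """DN,sAMAccountName,servicePrincipalName
"CN=ServiceAccount1,OU=Svc,DC=DOMAIN,DC=local",ServiceAccount1,"HTTP/server1;HTTP/server1.domain.local"
"CN=ServiceAccount2,OU=Svc,DC=DOMAIN,DC=local",ServiceAccount2,"HTTP/server1;HTTP/server2"
"CN=SERVER1,OU=Servers,DC=DOMAIN,DC=local",SERVER1$,"HOST/server1;HOST/server1.domain.local"
"CN=SERVER2,OU=Servers,DC=DOMAIN,DC=local",SERVER2$,"HOST/server2;http/SERVER2"
"CN=jdoe,OU=Users,DC=DOMAIN,DC=local",jdoe,
"""


def spn_owners(export_text):
    """Map each SPN to the sorted list of sAMAccountNames that carry it.
    SPNs are compared case-insensitively, as the KDC does, so
    HTTP/server2 and http/SERVER2 count as the same name."""
    owners = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        raw = (row.get("servicePrincipalName") or "").strip()
        if not raw:
            continue  # account with no SPNs at all
        for spn in raw.split(";"):
            spn = spn.strip()
            if spn:
                owners[spn.lower()].add(row["sAMAccountName"])
    return {spn: sorted(accts) for spn, accts in owners.items()}


def duplicate_spns(export_text):
    """Return only the SPNs registered on more than one account: the
    'Forbidden' situation, where the KDC cannot tell which account's
    key should encrypt the service ticket."""
    return {spn: accts for spn, accts in spn_owners(export_text).items()
            if len(accts) > 1}


if __name__ == "__main__":
    for spn, accts in sorted(duplicate_spns(SAMPLE_EXPORT).items()):
        print(f"DUPLICATE {spn}: {', '.join(accts)}")
```

On the sample this flags http/server1 (two service accounts) and http/server2 (a service account plus the server's own computer account); HOST/ SPNs held only by their own server are left alone.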