During Kerberos user authentication, you may discover one or more duplicate Service
Principal Names (SPNs).
About this task
If a TEXTML Server SPN is registered on more than one account, Kerberos
authentication fails. You must remove any duplicates and then retry. To remove a
duplicate SPN:
Procedure
-
To confirm that there are no duplicate SPNs defined for the TEXTML Server machine, enter:
-
Review the resulting notification.
Checking forest DC=acme,DC=local
Operation will be performed forestwide, it might take a while.
Processing entry
TextmlServer/WRITIX.acme.local:2500 is registered on these accounts:
CN=UserA,OU=Peoples,OU=Company,DC=acme,DC=local
CN=WRITIX,CN=Computers,DC=acme,DC=local
TextmlServer/WRITIX:2500 is registered on these accounts:
CN=UserA,OU=Peoples,OU=Company,DC=acme,DC=local
CN=WRITIX,CN=Computers,DC=acme,DC=local
found 2 groups of duplicate SPNs.
In the example, there are two groups of duplicate SPNs, because each
TEXTML Server SPN is assigned to more than one account.
- The TextmlServer/WRITIX.acme.local:2500 SPN is assigned to two users: UserA@acme.local and WRITIX@acme.local.
- The TextmlServer/WRITIX:2500 SPN is assigned to two users: UserA@acme.local and WRITIX@acme.local.
-
Enter the following command for your situation.
setspn -D TextmlServer/<MACHINE-NAME>:<port-number> <machine-account>
where:
- <MACHINE-NAME> is the name of the machine in uppercase letters
- <port-number> is the value for the port
- <machine-account> is the
In the example, you could remove the duplicate SPNs from the sample account UserA
using the following commands:
setspn -D TextmlServer/WRITIX.acme.local:2500 UserA
setspn -D TextmlServer/WRITIX:2500 UserA
-
To confirm that you removed the duplicate SPN, run the following command again:
A message confirms that there are 0 groups of duplicate SPNs.
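The review and removal steps above can be scripted so that every duplicate in a long report is handled the same way. The following is an added example, not part of the original procedure or the vendor's tooling: the function name Get-DuplicateSpnRemoval and its parameters are hypothetical, it works on saved output of the duplicate check, and it assumes you tell it which account must keep the SPN.

```powershell
# Added example (not vendor code). Get-DuplicateSpnRemoval is a hypothetical helper.
# It only prints setspn -D commands for review; it does not run them.
function Get-DuplicateSpnRemoval {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $ReportLines,
        [Parameter(Mandatory)] [string] $KeepAccountDn   # account that must keep the SPN
    )
    $groups = [ordered]@{}
    $currentSpn = $null
    foreach ($line in $ReportLines) {
        $text = $line.Trim()
        if ($text -match '^(?<spn>\S+) is registered on these accounts:$') {
            $currentSpn = $Matches['spn']
            $groups[$currentSpn] = [System.Collections.Generic.List[string]]::new()
        } elseif ($currentSpn -and $text -match '^CN=') {
            $groups[$currentSpn].Add($text)      # one DN per line under the SPN header
        } elseif ($text) {
            $currentSpn = $null                  # any other line closes the group
        }
    }
    foreach ($spn in $groups.Keys) {
        $holders = $groups[$spn]
        if ($holders -notcontains $KeepAccountDn) {
            Write-Warning "$spn is not registered on $KeepAccountDn; review it by hand."
            continue
        }
        foreach ($dn in $holders | Where-Object { $_ -ne $KeepAccountDn }) {
            # Assumption: the leading CN is the account name to pass to setspn,
            # as in the page's example (CN=UserA,... becomes UserA).
            $account = ($dn -split ',', 2)[0] -replace '^CN=', ''
            [pscustomobject]@{ Spn = $spn; RemoveFrom = $dn; Command = "setspn -D $spn $account" }
        }
    }
}
# Sample input: output lines copied from this page's example.
$report = @'
Processing entry
TextmlServer/WRITIX.acme.local:2500 is registered on these accounts:
CN=UserA,OU=Peoples,OU=Company,DC=acme,DC=local
CN=WRITIX,CN=Computers,DC=acme,DC=local
TextmlServer/WRITIX:2500 is registered on these accounts:
CN=UserA,OU=Peoples,OU=Company,DC=acme,DC=local
CN=WRITIX,CN=Computers,DC=acme,DC=local
found 2 groups of duplicate SPNs.
'@ -split "\r?\n"
Get-DuplicateSpnRemoval -ReportLines $report `
    -KeepAccountDn 'CN=WRITIX,CN=Computers,DC=acme,DC=local' |
    Select-Object -ExpandProperty Command
```

An SPN that is not registered on the account you chose to keep produces a warning instead of a removal command, so the script never proposes removing the SPN from every account that holds it.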