PSA: You really need to update your Kerberos setup documentation with SetSPN -S!
I'm here with a public service announcement! Excitement!
It's been long enough since Windows 2008 (and the downlevel release of SetSPN) that I feel comfortable respectfully asking you to please:
Search and Replace SetSPN -A with SetSPN -S.
In your organization, if you ever happen to run across a document that describes a procedure that looks anything like this:
SetSPN -A http/yourwebfarm DOMAIN\YourFarmAccount
- mail the author, or
- file a bug against the content, or
- use the Community Content feature if it's somewhere on Technet, or
- mail anyone and everyone responsible for upkeep or implementation of that document
to change the SETSPN -A command to a SETSPN -S.
You may need to include a foreword describing where to get the 2008 version of SetSPN (I think I may have just spoiled it for you) if you're still strongly a 2003/XP shop, with no newer SetSPN-toting OSs available.
Why the change?
Because it'll hurt you less in the long run.
The original release of SetSPN was strongly account-centric. Given a Windows account, it would let you:
- Add an SPN to that account
- Remove an SPN from that account
- List the SPNs associated with that account
Unfortunately, this makes it very easy to add the same SPN to multiple accounts - creating a duplicate SPN. This is a very bad thing.
The same SPN can't easily be added more than once to the same user account, but the original tool does nothing to prevent the same SPN being added to multiple user accounts - and unfortunately, that's exactly the situation you're trying to avoid.
BAD EXAMPLES BAD BAD DO NOT USE BAD
- SETSPN -A http/farm DOMAIN\FarmUser
- SETSPN -A http/farm DOMAIN\FarmComputer$
- SETSPN -A http/farm DOMAIN\FarmComputer1$
- SETSPN -A http/farm DOMAIN\FarmComputer2$
- SETSPN -A http/farm ANYTHING followed by
- SETSPN -A http/farm ANYTHING_ELSE
breaks Kerberos for http://farm.
To restate the rule: One SPN can be associated with precisely one account.
So please, use SetSPN -S
And that's exactly what SETSPN -S is designed to prevent. SETSPN -S performs a quick check for duplicates before adding an SPN - which is the best possible time at which to catch the problem. So yay-the-Windows-2008-AD-team.
Duplicates! Gotta Catch 'Em All 2011 Edition
If you suspect you have duplicate SPNs in your environment, well, why just suspect? Run
SETSPN -X
to be told explicitly what duplicates you have kicking around in AD (there are forest-wide switches you can use too). Yep, that used to be a nasty LDIFDE export with an LDAP filter expression; much simpler now!
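As an added illustration of the two checks this post is about (the duplicate test SETSPN -S runs before adding, and the duplicate report SETSPN -X gives you), here is a small offline script that works the old way, from an LDIFDE-style export. It is not part of the original post or of SetSPN; the export below is constructed sample data, and it assumes AD matches SPNs case-insensitively.

```python
# Offline duplicate-SPN check in the spirit of SETSPN -X / SETSPN -S,
# working from an LDIFDE-style export. Sample data below is constructed.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=FarmUser,OU=Service,DC=example,DC=com
sAMAccountName: FarmUser
servicePrincipalName: http/farm
servicePrincipalName: http/farm.example.com

dn: CN=FARMCOMPUTER,OU=Servers,DC=example,DC=com
sAMAccountName: FARMCOMPUTER$
servicePrincipalName: HOST/farmcomputer
servicePrincipalName: HTTP/farm

dn: CN=DbSvc,OU=Service,DC=example,DC=com
sAMAccountName: DbSvc
servicePrincipalName: MSSQLSvc/db.example.com:1433
"""


def index_spns(ldif_text):
    """Map each SPN (lower-cased) to the list of accounts carrying it."""
    index = defaultdict(list)
    for record in ldif_text.strip().split("\n\n"):
        account, spns = None, []
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key == "sAMAccountName":
                account = value
            elif key == "servicePrincipalName":
                # Assumption: AD matches SPNs case-insensitively, so
                # http/farm and HTTP/farm count as the same (duplicate) SPN.
                spns.append(value.lower())
        for spn in spns:
            index[spn].append(account)
    return index


def find_duplicates(index):
    """SPNs registered on more than one account: what SETSPN -X reports."""
    return {spn: accts for spn, accts in index.items() if len(accts) > 1}


def add_spn(index, spn, account, check_duplicates=True):
    """check_duplicates=True models SETSPN -S; False models the old -A."""
    owners = index[spn.lower()]
    if account in owners:
        return "already registered on this account"
    if check_duplicates and owners:
        return "refused: " + spn + " is already registered on " + owners[0]
    owners.append(account)
    return "added"
```

Running find_duplicates on the sample flags http/farm as registered on both FarmUser and FARMCOMPUTER$, which is exactly the broken-Kerberos situation from the bad examples above; add_spn with the default check refuses to create a second such case.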