SPN and UPN uniqueness

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Author: Justin Turner, Senior Support Escalation Engineer with the Windows group

Note

This content is written by a Microsoft customer support engineer, and is intended for experienced administrators and systems architects who are looking for deeper technical explanations of features and solutions in Windows Server 2012 R2 than topics on TechNet usually provide. However, it has not undergone the same editing passes, so some of the language may seem less polished than what is typically found on TechNet.

Overview

Domain Controllers running Windows Server 2012 R2 block the creation of duplicate service principal names (SPNs) and user principal names (UPNs). This includes cases where the restoration or reanimation of a deleted object, or the renaming of an object, would result in a duplicate.

Background

Duplicate Service Principal Names (SPNs) occur commonly, result in authentication failures, and may lead to excessive LSASS CPU utilization. Before this feature, there was no in-box method to block the addition of a duplicate SPN or UPN.

Duplicate UPN values break synchronization between on-premises AD and Office 365.

Setspn.exe is commonly used to create new SPNs; the version released with Windows Server 2008 added a built-in check for duplicates.

Table 1: UPN and SPN uniqueness

Feature          Comment
UPN uniqueness   Duplicate UPNs break synchronization of on-premises AD accounts with Windows Azure AD-based services such as Office 365.
SPN uniqueness   Kerberos requires SPNs for mutual authentication. Duplicate SPNs result in authentication failures.

For more information about uniqueness requirements for UPNs and SPNs, see Uniqueness Constraints.

Symptoms

Error codes 8647 or 8648, or their hex, symbolic or string equivalents, are logged in various on-screen dialogs and in event ID 2974 in the Directory Services event log. The attempt to create a duplicate UPN or SPN is blocked only under the following circumstance:

  • The write is processed by a Windows Server 2012 R2 DC

Table 2: UPN and SPN uniqueness error codes

Decimal   Hex    Symbolic                                   String
8647      21C7   ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST    The operation failed because the SPN value provided for addition/modification is not unique forest-wide.
8648      21C8   ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST    The operation failed because the UPN value provided for addition/modification is not unique forest-wide.

New user creation fails if the UPN is not unique

DSA.msc

The user logon name you have chosen is already in use in this enterprise. Choose another logon name, and then try again.


Modify an existing account:

The specified user logon name already exists in the enterprise. Specify a new one, either by changing the prefix or selecting a different suffix from the list.


Active Directory Administrative Center (DSAC.exe)

An attempt to create a new user in Active Directory Administrative Center with a UPN that already exists yields the following error.


Figure 1: Error displayed in AD Administrative Center when new user creation fails due to a duplicate UPN

Event 2974, Source: ActiveDirectory_DomainService


Figure 2: Event ID 2974 with error 8648

Event 2974 lists the value that was blocked and a list of one or more objects (up to 10) that already contain that value. In the following figure, you can see that the UPN attribute value dhunt@blue.contoso.com already exists on four other objects. Since this is a new feature in Windows Server 2012 R2, accidental creation of duplicate UPNs and SPNs in a mixed environment will still occur when down-level DCs process the write attempt.


Figure 3: Event 2974 showing all objects containing the duplicate UPN

Tip

Review event ID 2974 entries regularly to:

  • identify attempts to create duplicate UPNs or SPNs
  • identify objects that already contain duplicates

8648 = "The operation failed because UPN value provided for addition/modification is not unique forest-wide."

SetSPN:

Setspn.exe has had duplicate SPN detection built in since the Windows Server 2008 release when the "-S" option is used. The duplicate SPN detection can be bypassed, however, by using the "-A" option. When SetSPN with the -A option targets a Windows Server 2012 R2 DC, creation of a duplicate SPN is blocked anyway. The error message displayed is the same as the one displayed when using the -S option: "Duplicate SPN found, aborting operation!"

ADSIEDIT:

Operation failed. Error code: 0x21c8  
The operation failed because UPN value provided for addition/modification is not unique forest-wide.  
000021C8: AtrErr: DSID-03200BBA, #1: 0: 000021C8: DSID-03200BBA, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90290 (userPrincipalName)  


Figure 4: Error message displayed in ADSIEdit when addition of a duplicate UPN is blocked

Windows PowerShell

Windows Server 2012 R2:


PowerShell running on Windows Server 2012 targeting a Windows Server 2012 R2 DC:


DSAC.exe running on Windows Server 2012 targeting a Windows Server 2012 R2 DC:


Figure 5: DSAC user creation error on a non-Windows Server 2012 R2 machine while targeting a Windows Server 2012 R2 DC


Figure 6: DSAC user modification error on a non-Windows Server 2012 R2 machine while targeting a Windows Server 2012 R2 DC

Restore of an object that would result in a duplicate UPN fails:


No event is logged when an object fails to restore because of a duplicate UPN / SPN.

The UPN of the object must be unique in order for it to be restored.

  1. Identify the UPN that exists on the object in the Recycle Bin

  2. Identify all objects that have the same value

  3. Remove the duplicate UPN(s)

Identify the conflicting UPN on the deleted object using repadmin.exe:

Repadmin /showattr DCName "DN of deleted objects container" /subtree /filter:"(msDS-LastKnownRDN=<NAME>)" /deleted /atts:userprincipalname  
repadmin /showattr DCName "CN=Deleted Objects,DC=blue,DC=contoso,DC=com" /subtree /filter:"(msDS-LastKnownRDN=Dianne Hunt2)" /deleted /atts:userprincipalname  

C:\>repadmin /showattr winbluedc1 "cn=deleted objects,dc=blue,dc=contoso,dc=com" /subtree /filter:"(msds-lastknownrdn=Dianne Hunt2)" /deleted /atts:userprincipalname  
DN: CN=Dianne Hunt2\0ADEL:dd3ab8a4-3005-4f2f-814f-d6fc54a1a1c0,CN=Deleted Object  
s,DC=blue,DC=contoso,DC=com  
    1> userPrincipalName: dhunt@blue.contoso.com  

To identify all objects with the same UPN using repadmin.exe:

repadmin /showattr WinBlueDC1 "DC=blue,DC=contoso,DC=com" /subtree /filter:"(userPrincipalName=dhunt@blue.contoso.com)" /deleted /atts:DN  

C:\>repadmin /showattr winbluedc1 "dc=blue,dc=contoso,dc=com" /subtree /filter:"(userPrincipalName=dhunt@blue.contoso.com)" /deleted /atts:DN  
DN: CN=Administrator,CN=Users,DC=blue,DC=contoso,DC=com  
DN: CN=xouser1,CN=Users,DC=blue,DC=contoso,DC=com  
DN: CN=xouser10,CN=Users,DC=blue,DC=contoso,DC=com  
DN: CN=xouser100,CN=Users,DC=blue,DC=contoso,DC=com  
DN: CN=Dianne Hunt,OU=Marketing,DC=blue,DC=contoso,DC=com  
DN: CN=Dianne Hunt2\0ADEL:dd3ab8a4-3005-4f2f-814f-d6fc54a1a1c0,CN=Deleted Objects,DC=blue,DC=contoso,DC=com  

Tip

The previously undocumented /deleted parameter of repadmin.exe is used to include deleted objects in the result set.

  • Open Active Directory Administrative Center and navigate to Global Search

  • Select the Convert to LDAP radio button

  • Type (userPrincipalName=ConflictingUPN)

    • Replace ConflictingUPN with the actual UPN that is in conflict
  • Select Apply


Using Windows PowerShell

Get-ADObject -LdapFilter "(userPrincipalName=dhunt@blue.contoso.com)" -IncludeDeletedObjects -SearchBase "DC=blue,DC=Contoso,DC=com" -SearchScope Subtree -Server winbluedc1.blue.contoso.com  


If the object needs to be restored, you will need to remove the duplicate UPNs from the other objects. For only one object, it is simple enough to use ADSIEdit to remove the duplicate. If there are multiple objects with duplicates, then Windows PowerShell might be the better tool to use.

To null out the UserPrincipalName attribute using Windows PowerShell:
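The three-step procedure above (find the UPN on the deleted object, find every holder, remove the duplicates) and the null-out step, combined into one added example that is not code from the original page or from Microsoft. It goes beyond the text by also handling the multi-valued servicePrincipalName case, where only the one conflicting value is removed. It assumes the ActiveDirectory module and uses the page's lab server and UPN; the function and parameter names are invented, and nothing is changed unless -Commit is given.

```powershell
# Added example, not from the original page. Removes a conflicting UPN (or one
# conflicting SPN value) from every live object that holds it, then restores the
# deleted object. Without -Commit every change runs with -WhatIf only.
function Repair-PrincipalNameConflict {
    param(
        [Parameter(Mandatory)][ValidateSet('userPrincipalName','servicePrincipalName')]
        [string]$Attribute,
        [Parameter(Mandatory)][string]$Value,            # the conflicting UPN or SPN
        [Parameter(Mandatory)][guid]$DeletedObjectGuid,  # objectGUID of the object to restore
        [string]$Server = 'winbluedc1.blue.contoso.com', # page's lab DC (assumed reachable)
        [switch]$Commit
    )
    $base = (Get-ADRootDSE -Server $Server).defaultNamingContext
    # Same search the page runs with repadmin /deleted: live and deleted holders of the value.
    # $Value is assumed to contain no LDAP filter metacharacters ( ) * \.
    $holders = @(Get-ADObject -Server $Server -SearchBase $base -SearchScope Subtree `
        -LDAPFilter "($Attribute=$Value)" -IncludeDeletedObjects -Properties isDeleted)
    $target = $holders | Where-Object { $_.ObjectGUID -eq $DeletedObjectGuid }
    if (-not $target) { throw "Deleted object $DeletedObjectGuid does not carry $Attribute=$Value" }
    # Only live objects are edited; the object being restored keeps its value.
    foreach ($obj in ($holders | Where-Object { -not $_.isDeleted })) {
        Write-Host "Removing $Attribute=$Value from $($obj.DistinguishedName)"
        if ($Attribute -eq 'userPrincipalName') {
            # single-valued attribute: clearing it removes exactly the duplicate
            Set-ADObject -Server $Server -Identity $obj.ObjectGUID -Clear userPrincipalName -WhatIf:(-not $Commit)
        } else {
            # multi-valued attribute: drop just the conflicting SPN, keep the object's other SPNs
            Set-ADObject -Server $Server -Identity $obj.ObjectGUID -Remove @{servicePrincipalName=$Value} -WhatIf:(-not $Commit)
        }
    }
    # With the value unique again, the restore is no longer blocked.
    Restore-ADObject -Server $Server -Identity $DeletedObjectGuid -WhatIf:(-not $Commit)
}
# Page's lab case: the GUID is the one shown in the Recycle Bin object's \0ADEL DN.
# Repair-PrincipalNameConflict -Attribute userPrincipalName -Value 'dhunt@blue.contoso.com' `
#     -DeletedObjectGuid 'dd3ab8a4-3005-4f2f-814f-d6fc54a1a1c0'
```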


Note

The userPrincipalName attribute is a single-valued attribute, so this procedure removes only the duplicate UPN.

Duplicate SPN


Figure 8: Error message displayed in ADSIEdit when addition of a duplicate SPN is blocked

Logged in the Directory Services event log is an ActiveDirectory_DomainService event ID 2974.

Operation failed. Error code: 0x21c7  
The operation failed   
The attribute value provided is not unique in the forest or partition. Attribute:  
servicePrincipalName Value=<SPN>  
<Object DN> Winerror: 8467  


Figure 9: Error logged when creation of a duplicate SPN is blocked

Workflow

  • If DC == GC

    • No off-box call required; the query can be satisfied locally

    • UPN case

      • Query the local forest-wide UPN index for the supplied UPN (userPrincipalName; a global index)

        • If entries returned == 0 -> write proceeds

        • If entries returned != 0 -> write fails

          • Event logged

          • Also returns extended error:

            • 8648: ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST

    • SPN case

      • Query the local forest-wide SPN index for the supplied SPN (servicePrincipalName; a global index)

        • If entries returned == 0 -> write proceeds

        • If entries returned != 0 -> write fails

          • Event logged

          • Also returns extended error:

            • 8647: ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST

  • If DC != GC

    • Off-box call desirable but not critical, i.e. this is a best-effort uniqueness check

      • The check proceeds against the local DIT only if a GC cannot be located

      • An event is logged to indicate this

    • UPN case

      • Submit an LDAP query against the closest GC: query the GC's forest-wide UPN index for the supplied UPN (userPrincipalName; a global index)

        • If entries returned == 0 -> write proceeds

        • If entries returned != 0 -> write fails

          • Event logged

          • Also returns extended error:

            • 8648: ERROR_DS_UPN_VALUE_NOT_UNIQUE_IN_FOREST

    • SPN case

      • Submit an LDAP query against the closest GC: query the GC's forest-wide SPN index for the supplied SPN (servicePrincipalName; a global index)

        • If entries returned == 0 -> write proceeds

        • If entries returned != 0 -> write fails

          • Event logged

          • Also returns extended error:

            • 8647: ERROR_DS_SPN_VALUE_NOT_UNIQUE_IN_FOREST

When deleted objects are reanimated, any SPN or UPN values present are checked for uniqueness. If a duplicate is found, the request fails.

  • For certain attribute changes, such as DNS host name or SAM account name, SPNs are updated accordingly when the modification is made. In the process, the obsolete SPNs are deleted and new SPNs are constructed and added to the database. The attribute modifications that trigger this path are:

    • ATT_DNS_HOST_NAME

    • ATT_MS_DS_ADDITIONAL_DNS_HOST_NAME

    • ATT_SAM_ACCOUNT_NAME

    • ATT_MS_DS_ADDITIONAL_SAM_ACCOUNT_NAME

    • ATT_SERVER_REFERENCE_BL

    • ATT_USER_ACCOUNT_CONTROL

If any of the new SPN values is a duplicate, the modification fails. Of the above list, the important attributes are ATT_DNS_HOST_NAME (machine name) and ATT_SAM_ACCOUNT_NAME (SAM account name).
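The DC-side check described in the workflow above, reproduced from the client side as an added example (not code from the page or from Microsoft): it queries the closest global catalog's forest-wide index over port 3268 before a write is attempted, which is useful in a mixed environment where a down-level DC would not block the duplicate. It assumes the ActiveDirectory module; the function name, parameters and the optional -IncludeDeleted switch are my own.

```powershell
# Added example, not from the original page. Mirrors the "If DC != GC" branch of
# the workflow: locate the closest GC and ask its forest-wide index whether the
# value is already held, returning the same verdict the DC would (8647/8648).
function Test-PrincipalNameUnique {
    param(
        [Parameter(Mandatory)][ValidateSet('userPrincipalName','servicePrincipalName')]
        [string]$Attribute,
        [Parameter(Mandatory)][string]$Value,
        [string]$GlobalCatalog,   # host name of a GC; discovered when omitted
        [switch]$IncludeDeleted   # also count objects sitting in the Recycle Bin (assumed extension)
    )
    if (-not $GlobalCatalog) {
        # same locator step as "submit LDAP query against closest GC" in the workflow
        $GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    }
    $forestRoot = (Get-ADRootDSE -Server $GlobalCatalog).rootDomainNamingContext
    # Escape RFC 4515 filter metacharacters so the value is matched literally
    $escaped = $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    $query = @{
        Server      = "$($GlobalCatalog):3268"   # 3268 = GC port, partial replica of every domain
        SearchBase  = $forestRoot                # whole forest, like the DC's global index
        SearchScope = 'Subtree'
        LDAPFilter  = "($Attribute=$escaped)"
        Properties  = 'isDeleted'
    }
    if ($IncludeDeleted) { $query.IncludeDeletedObjects = $true }
    $holders = @(Get-ADObject @query)
    [pscustomobject]@{
        Attribute = $Attribute
        Value     = $Value
        IsUnique  = ($holders.Count -eq 0)     # $false means a 2012 R2 DC would reject the write
        Holders   = @($holders | ForEach-Object DistinguishedName)
    }
}
# Page's lab value: the live holders listed in event 2974 would be returned under Holders.
# Test-PrincipalNameUnique -Attribute userPrincipalName -Value 'dhunt@blue.contoso.com'
```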

Try This: Exploring SPN and UPN uniqueness

This is the first of several "Try This" activities in the module. There is not a separate lab guide for this module. The Try This activities are essentially free-form activities that allow you to explore the lesson material in the lab environment. You have the option of following the prompt or going off script and coming up with your own activity.

Note

  • This is the first of several "Try This" activities.
  • There is not a separate lab guide for this module.
  • The Try This activities are essentially free-form activities that allow you to explore the lesson material in the lab environment.
  • You have the option of following the prompt or going off script and coming up with your own activity.
  • While not all sections have a Try This prompt, you are still encouraged to explore the lesson content in the lab where appropriate.

Experiment with SPN and UPN uniqueness. Follow these prompts, or complete your own.

  1. Create new users with UPNs

  2. Create accounts with SPNs

  3. Either create a new user with a UPN that is already defined, or change an existing account's UPN. Do the same for an SPN on another account

    1. Populate an existing user account with a UPN already in use

      1. Using PowerShell, ADSIEDIT, or Active Directory Administrative Center (DSAC.exe)
    2. Populate an existing account with an SPN already in use

      1. Using Windows PowerShell, ADSIEDIT, or SetSPN
  4. Observe the errors

Optionally

  1. Verify with the classroom instructor that it is OK to enable the AD Recycle Bin in Active Directory Administrative Center. If so, move on to the next step.

  2. Populate the UPN on a user account

  3. Delete the account

  4. Populate a different account with the same UPN as the deleted account

  5. Attempt to use the Recycle Bin GUI to restore the account

  6. Imagine you have just been presented with the error you saw in the previous step (and don't have a history of the steps you just performed). Your goal is to complete the restore of the account. See the workbook for example steps.