
I have duplicate SPNs which are threatening to downgrade the authentication from Kerberos to NTLM showing in the event viewer. How can I safely remove the duplicate SPNs for a SQL account?

I have verified these duplicates using setspn -X. The SQL server is a virtual server running on a physical server and I wonder if this has anything to do with the duplicate accounts.

Both are running Server 2012.

MDMarra
user182599

1 Answer


First you want to list the SPNs to identify the duplicate SPN:

 setspn -L <server>

Then to remove the duplicate SPN:

 setspn -d service/name hostname

Service/name is the SPN that is to be removed and hostname is the actual host name of the computer.

To be safe, make note of the SPN that you're deleting in case you remove the wrong one. In the off chance that you do delete the wrong one, you can re-add it:

 setspn -A service/name hostname
colealtdelete
    Just a tip: You don't have to guess which SPN you need to delete. If SQL is using a domain user account, then that is the SPN you want to keep. If it's using a Local System or Network Service account, then you keep the SPN that indicates the computer account. – Ryan Ries Jul 22 '13 at 20:12
  • :-) What an awesome write-up. What really made my day was "Just a tip" by Ryan Ries. I have been looking through so many articles and sites just for that simple answer but no one directly answered that question "How do I know which one to delete?" – Rajen Pillay Jan 20 '17 at 13:38
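As an added worked example (not part of the original answer or comments), the PowerShell below puts the answer's list / note / delete / re-add procedure and Ryan Ries's rule together: it parses a `setspn -X` duplicate report, keeps each duplicated SPN on the account the SQL Server service actually logs on as, and emits a restore list before any `setspn -D`. Every name in it (CONTOSO, SQL01, svc_sql, the OU paths) is hypothetical, and the report text is constructed to match the layout `setspn -X` prints; in production replace it with the real command output.

```powershell
# Added example; not from the original answer. Applies the tip from the comments:
# keep the duplicated SPN on the account SQL Server runs as, remove it elsewhere.
# All names (CONTOSO, SQL01, svc_sql, OU paths) are hypothetical.

# Account the SQL Server service logs on as. A trailing '$' means a computer
# account, i.e. the service runs as Local System or Network Service.
$SqlServiceAccount = 'svc_sql'

# $false only prints the plan; $true writes the restore file and runs setspn -D.
$Execute = $false

# Constructed sample of a "setspn -X" report. In production use:  $report = setspn -X
$report = @'
Checking domain DC=contoso,DC=com
Processing entry 0
MSSQLSvc/sql01.contoso.com:1433 is registered on these accounts:
        CN=SQL01,OU=Servers,DC=contoso,DC=com
        CN=svc_sql,OU=Service Accounts,DC=contoso,DC=com
MSSQLSvc/sql01.contoso.com is registered on these accounts:
        CN=SQL01,OU=Servers,DC=contoso,DC=com
        CN=svc_sql,OU=Service Accounts,DC=contoso,DC=com

found 2 groups of duplicate SPNs.
'@ -split "`r?`n"

# Group the report into  SPN -> distinguished names that hold it.
$groups  = [ordered]@{}
$current = $null
foreach ($line in $report) {
    if ($line -match '^(?<spn>\S+) is registered on these accounts:\s*$') {
        $current = $Matches.spn
        $groups[$current] = @()
    }
    elseif ($current -and $line -match '^\s+(?<dn>CN=.+)$') {
        $groups[$current] += $Matches.dn
    }
    else {
        $current = $null   # blank line or summary ends the group
    }
}

# The object to keep is the one whose CN is the service account's name
# (a computer account SQL01$ is the object CN=SQL01).
$keepCn = "CN=$($SqlServiceAccount.TrimEnd('$'))"
$plan   = @()

foreach ($spn in $groups.Keys) {
    $holders = $groups[$spn]
    $keep    = $holders | Where-Object { ($_ -split ',')[0] -eq $keepCn }
    if (-not $keep) {
        Write-Warning "$spn is not registered on $SqlServiceAccount at all; decide by hand."
        continue
    }
    foreach ($dn in ($holders | Where-Object { $_ -ne $keep })) {
        $cn = ($dn -split ',')[0] -replace '^CN=', ''
        # Assumption: the duplicate is between the computer account and the
        # service user, as in the question. So when SQL runs as a user, the
        # account being cleaned is the computer object and needs the '$'.
        $target = if ($SqlServiceAccount -notlike '*$') { "$cn`$" } else { $cn }
        $plan += [pscustomobject]@{ Spn = $spn; Target = $target }
    }
}

# The restore list is the answer's "make note of the SPN you're deleting";
# -S is the duplicate-checking form of -A.
$restore = $plan | ForEach-Object { "setspn -S $($_.Spn) $($_.Target)" }
"Keeping SPNs on: $SqlServiceAccount"
"Restore commands (save before deleting):"; $restore
"Deletion commands:"; $plan | ForEach-Object { "setspn -D $($_.Spn) $($_.Target)" }

if ($Execute) {
    $restore | Set-Content -Path '.\spn-restore.txt'
    foreach ($p in $plan) { & setspn -D $p.Spn $p.Target }
}
```

Run it once with `$Execute = $false` and compare the printed plan against `setspn -L` for both accounts before flipping it to `$true`; if a duplicated SPN is not on the service account at all, the script deliberately skips it rather than guessing.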