
I am running IIS and SQL Reporting Server on the same server. IIS runs as d\acct1 and SSRS is running as d\acct2.

Initially, I registered an SPN HTTP/server.d.com for both d\acct1 and d\acct2 and configured both for unconstrained Kerberos delegation in Active Directory.

This configuration broke Kerberos because there were duplicate SPNs for HTTP/server.d.com.

If I delete the SPN for SSRS, IIS works. If I delete the SPN for IIS, SSRS works.

Is there a way to share an SPN between two different service accounts that run on the same server such that they do not create a duplicate SPN?

Or, must I create two A records in active directory for iis.server.d.com and reports.server.d.com and use host headers to keep the two aliases straight inside each respective service?

Ryan Michela

1 Answer


Research into how Kerberos delegation works shows that no, you cannot share SPNs between service accounts on the same box.

I solved the problem by provisioning a second IP address for my server and mapping IIS to one IP address and SSRS to the other.

I then created two new A records in DNS (don't use CNAME records, they are unreliable with Kerberos delegation) to point to the services. iis.server.d.com points to the IIS IP address and ssrs.server.d.com points to the SSRS IP.

Lastly, I deleted all the SPNs for both d\acct1 and d\acct2 and reassigned the SPNs as HTTP/iis.server.d.com and HTTP/ssrs.server.d.com respectively.

Additionally, I find editing SPNs using ADSIEdit far easier than using the setspn command line.

Ryan Michela
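The procedure in the answer (confirm the duplicate, drop the shared SPN, add A records, register one distinct SPN per account, bind each service to its own address), as an added PowerShell example that is not part of the original post. The IP addresses, the zone name d.com, and the IIS site name "Default Web Site" are assumptions; setspn, the DnsServer module (RSAT) and the WebAdministration module are the standard Windows tools for each step.

```powershell
# Added example, not from the original post. Assumed values: zone d.com,
# a second IP added to the server (10.0.0.12 for SSRS, 10.0.0.11 for IIS),
# and an IIS site named "Default Web Site". Run as a domain admin with
# RSAT DNS tools installed, on the server itself for the IIS binding step.

$Zone     = 'd.com'
$IisAcct  = 'd\acct1'
$SsrsAcct = 'd\acct2'
$IisHost  = "iis.server.$Zone"
$SsrsHost = "ssrs.server.$Zone"
$IisIp    = '10.0.0.11'   # assumed
$SsrsIp   = '10.0.0.12'   # assumed

# 1. Confirm the duplicate. setspn -X scans for SPNs registered on more than
#    one account. With HTTP/server.d.com on two accounts the KDC has no
#    unambiguous key to encrypt the service ticket with, so one or both
#    services fail to authenticate, which matches the symptom in the question.
setspn -X -F
setspn -L $IisAcct
setspn -L $SsrsAcct

# 2. Remove the shared SPN from both accounts.
setspn -D "HTTP/server.$Zone" $IisAcct
setspn -D "HTTP/server.$Zone" $SsrsAcct

# 3. Create A records (not CNAMEs) for each service name. -Name is relative
#    to the zone, so 'iis.server' in zone d.com yields iis.server.d.com.
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'iis.server'  -IPv4Address $IisIp
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'ssrs.server' -IPv4Address $SsrsIp

# 4. Register one unique SPN per account. -S checks for an existing
#    registration before adding (unlike -A), so recreating a duplicate fails
#    loudly instead of silently reintroducing the problem.
setspn -S "HTTP/$IisHost"  $IisAcct
setspn -S "HTTP/$SsrsHost" $SsrsAcct

# 5. Bind the IIS site to its own IP and host name so requests for
#    iis.server.d.com never land on the SSRS listener. SSRS gets its own
#    binding through Reporting Services Configuration Manager.
Import-Module WebAdministration
New-WebBinding -Name 'Default Web Site' -Protocol http -Port 80 `
    -IPAddress $IisIp -HostHeader $IisHost

# 6. Verify: each SPN should now resolve to exactly one account.
setspn -Q "HTTP/$IisHost"
setspn -Q "HTTP/$SsrsHost"
```

Two caveats for anyone copying this. First, a browser will only request a ticket for HTTP/iis.server.d.com if it actually connects to that name, so the site's host header, the URL users type, and the SPN must agree. Second, the question configures both accounts for unconstrained delegation; once the SPNs are split, consider replacing that with constrained delegation (the msDS-AllowedToDelegateTo attribute, editable in the account's Delegation tab) so a compromise of either service account cannot impersonate users to arbitrary services.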