How to remove duplicate SPN, ADFS after migration

OZ 226 Reputation points
2024-01-03T17:00:55.2733333+00:00

I can’t figure out where the same SPNs are. And what needs to be removed. And how to remove it.

The problem is this. After migrating the ADFS server (converting a virtual machine from Hyper-V to VMware), the Active Directory Federation Service stopped running. It turns out that the old gMSA service account no longer works. If I start the service from my admin account, then the service starts. I decided to create another gMSA to run the ADFS service. But now the service is citing a different error. I found the Microsoft manual that says you need to configure the SPN as well. I enter the command setspn -a host/ADFS01.corp.mnivea.com adfs2 and the error comes up that Duplicate SPN found, aborting operation! I don’t understand where the duplicates are and what needs to be removed.

PS C:\Windows\system32> setspn -a host/ADFS01.corp.mnivea.com adfs_srv2
Checking domain DC=corp,DC=mnivea,DC=com
CN=ADFS01,OU=Servers,DC=corp,DC=mnivea,DC=com
	WSMAN/ADFS01.corp.mnivea.com
	WSMAN/ADFS01
	ldap/ADFS01.corp.mnivea.com
	ldap/ADFS01.corp.mnivea.com:389
	ldap/ADFS01
	ldap/ADFS01:389
	E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ADFS01.corp.mnivea.com:389
	E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ADFS01:389
	ldap/ADFS01.corp.mnivea.com:50000
	ldap/ADFS01:50000
	E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ADFS01.corp.mnivea.com:50000
	E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/ADFS01:50000
	TERMSRV/ADFS01.corp.mnivea.com
	TERMSRV/ADFS01
	RestrictedKrbHost/ADFS01
	HOST/ADFS01
	RestrictedKrbHost/ADFS01.corp.mnivea.com
	HOST/ADFS01.corp.mnivea.com

Duplicate SPN found, aborting operation!

Accepted answer
Thameur-BOURBITA 32,621 Reputation points
2024-01-03T17:39:53.4933333+00:00

Hi @OZ

If ADFS01 is the server name, by default the SPN host/ADFS01.corp.mnivea.com is created on the computer object ADFS01. The HOST SPN is added automatically on each computer object when you join a server to the domain.

You can use the following command to identify where the SPN is already created:

setspn -q host/ADFS01.corp.mnivea.com

To avoid this conflict you should use the ADFS cluster name instead of the ADFS server name as mentioned in this link:

To set the SPN of the service account

Please don't forget to accept helpful answer
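As an added example (not part of the thread or of Microsoft's documentation), the same check done in PowerShell: look up which directory object already holds an SPN before registering it, then register the farm name on the gMSA instead of the server name. The gMSA name adfs_srv2 comes from the question; the farm name sts.corp.mnivea.com is an assumption.

```powershell
# Added example. Requires the ActiveDirectory RSAT module and rights to read
# servicePrincipalName on the domain and to modify the gMSA.
Import-Module ActiveDirectory

function Find-SpnHolder {
    # Return every object whose servicePrincipalName contains $Spn.
    # LDAP matching on this attribute is case-insensitive, so
    # host/ADFS01.corp.mnivea.com also finds HOST/ADFS01.corp.mnivea.com,
    # which is why setspn -a reported a duplicate against the computer object.
    param([Parameter(Mandatory)][string]$Spn)

    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass,
            @{ Name = 'MatchingSpn'
               Expression = { $_.servicePrincipalName | Where-Object { $_ -ieq $Spn } } }
}

# 1. Who owns the SPN that setspn refused to add? For a domain-joined server
#    this is the computer object itself (CN=ADFS01,OU=Servers,...), so there is
#    nothing stale to remove; the SPN simply belongs to the host, not the gMSA.
Find-SpnHolder -Spn 'host/ADFS01.corp.mnivea.com' | Format-List

# 2. Register the federation service (farm) name on the gMSA instead.
#    The farm name below is assumed; use the one clients actually resolve.
$farmSpn = 'host/sts.corp.mnivea.com'
$gmsa    = 'adfs_srv2'

$holders = Find-SpnHolder -Spn $farmSpn
if ($holders) {
    # A second holder would again produce "Duplicate SPN found"; report and stop
    # so an operator can decide which object legitimately owns the name.
    Write-Warning "SPN $farmSpn is already held by:"
    $holders | Format-List
}
else {
    Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{ Add = $farmSpn }
    Get-ADServiceAccount -Identity $gmsa -Properties servicePrincipalName |
        Select-Object -ExpandProperty servicePrincipalName
}
```

Running step 1 against the output quoted in the question should list only the ADFS01 computer object, confirming the conflict is with the host's own HOST/ SPN rather than a leftover duplicate from the migration.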

