SearchForDuplicateAttributeData detecting duplicate SPNs that do not exist

description

When running SearchForDuplicateAttributeData.exe /AttributeName:servicePrincipalName /UseGC /TargetDC:dc201.work.intel.com, the query results show duplicate CIFS and HOST entries. Those entries don't exist in the SPN attribute:

SearchForDuplicateAttributeData.exe /AttributeName:servicePrincipalName /UseGC /TargetDC:dc201.work.intel.com

host/userx-mobl.work.com: 2
cn=userx-mobl,ou=mobile,ou=production,ou=windows 7,ou=it client,ou=resources,dc=work,dc=com - 7/3/2012 4:10:38 PM
cn=userx-mobl,ou=management controllers,ou=resources,dc=work,dc=com - 5/7/2012 3:21:34 PM
cifs/userx-mobl.amr.corp.intel.com: 2
cn=userx-mobl,ou=mobile,ou=production,ou=windows 7,ou=it client,ou=resources,dc=work,dc=com - 7/3/2012 4:10:38 PM
cn=userx-mobl,ou=management controllers,ou=resources,dc=work,dc=com - 5/7/2012 3:21:34 PM

Dn: cn=userx-mobl,ou=management controllers,ou=resources,dc=work,dc=com
dNSHostName: userx-mobl.work.com;
sAMAccountName: userx-mobl$iME;
servicePrincipalName (4): HTTP/userx-mobl.work.com:16995; HTTP/userx-mobl.work.com:16994; HTTP/userx-mobl.work.com:16993; HTTP/userx-mobl.work.com:16992;

Dn: cn=userx-mobl,ou=mobile,ou=production,ou=windows 7,ou=it client,ou=resources,dc=work,dc=com
dNSHostName: userx-mobl.work.com;
sAMAccountName: userx-mobl$;
servicePrincipalName (7): AcronisAgent/userx-mobl.work.com; WSMAN/userx-mobl.work.com; WSMAN/userx-mobl; RestrictedKrbHost/userx-mobl; RestrictedKrbHost/userx-mobl.work.com; HOST/userx-mobl.work.com; HOST/userx-mobl;

Version: 1.0.4509.16270
Command Line Switch: /AttributeName:servicePrincipalName
Command Line Switch: /UseGC
Command Line Switch: /TargetDC:dc201.work.com

comments

kenbrumf wrote Jul 5, 2012 at 6:27 PM

Reference: http://technet.microsoft.com/en-us/library/cc772815(WS.10,printer).aspx, the section titled "Built-in SPNs Recognized for Computer Accounts".

In short, AD "assumes" that these SPNs exist. This is why SearchForDuplicateAttributeData also "assumes" that each machine account has this. Assigning these SPNs elsewhere will break Kerberos and generate a KDC 11 in the System Log of the DC attempting the authentication. As such, in this case, either computer account "cn=userx-mobl,ou=management controllers" needs to be deleted, or "cn=userx-mobl,ou=mobile,ou=production" needs to be deleted.

cudachip wrote Jul 5, 2012 at 10:01 PM

Even though the SPN for HTTP (in the given example) is in the sPNMappings attribute, as long as that specific HTTP SPN is unique in the environment, Kerberos will still work. Kerberos will resolve the targeted HTTP SPN directly before it resolves the HOST alias. We've verified this functionality with Microsoft as a supported configuration. AD-joined Samba services also rely on this functionality, with the HOST SPN associated with one computer object and a similarly named CIFS SPN associated with the other computer object (host/sambaserver1.site.work.com and cifs/sambaserver1.site.work.com, for example).
The Microsoft tool SETSPN can perform a similar forest-wide search to SearchForDuplicateAttributeData (setspn -X -F -P), and it appears to take into account the unique sPNMappings names support for Kerberos. But we much prefer your tool for our checks, since it's much faster and much more configurable than the SETSPN check.

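Added example (editor's illustration, not code from SearchForDuplicateAttributeData, from kenbrumf or from cudachip). It models the two points made in the comments above: an explicit HOST/<name> SPN on an object implies every service listed under "host=" in the forest's sPNMappings attribute for that object, and an SPN registered explicitly on a different object is matched by the KDC before the HOST alias, so it shadows the alias rather than duplicating it. Expansion is driven only by an explicit HOST/ SPN; nothing is inferred from a "$" suffix or from object class, which is the assumption that tripped on the AMT user account here. The default sPNMappings list, the sample objects and the function names are constructed for the example; the live read of sPNMappings assumes the ActiveDirectory PowerShell module.

```powershell
# Added example, not the tool's code. Reports SPNs claimed by more than one object,
# distinguishing a real duplicate from an explicit SPN that merely shadows a HOST alias.

function Get-SpnMappings {
    # Returns @{ host = @('alerter', ..., 'cifs', ..., 'http', ...) }. With -Server the real
    # attribute is read from the configuration NC (ActiveDirectory module); otherwise a
    # constructed copy of the stock Windows "host=" entry is used (assumption: not customised).
    param([string]$Server)
    if ($Server) {
        $root = Get-ADRootDSE -Server $Server
        $ds   = Get-ADObject -Server $Server -Properties sPNMappings -Identity `
                "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
        $raw  = @($ds.sPNMappings)
    } else {
        $raw = @('host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,' +
                 'eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,' +
                 'netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,' +
                 'rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,' +
                 'cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,' +
                 'iisadmin,msdtc')
    }
    $map = @{}
    foreach ($entry in $raw) {
        $name, $aliases = $entry -split '=', 2
        $map[$name.Trim().ToLowerInvariant()] =
            @($aliases -split ',' | ForEach-Object { $_.Trim().ToLowerInvariant() })
    }
    return $map
}

function Find-DuplicateSpn {
    # $Objects: anything exposing DistinguishedName and ServicePrincipalName, e.g. the output of
    # Get-ADObject -Server 'dc201.work.com:3268' -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
    param(
        [Parameter(Mandatory)][object[]]$Objects,
        [hashtable]$SpnMappings = (Get-SpnMappings)
    )
    $claims = @{}   # lower-cased SPN -> array of @{ Dn; Explicit }
    foreach ($obj in $Objects) {
        foreach ($spn in @($obj.ServicePrincipalName)) {
            if (-not $spn) { continue }
            $key = $spn.ToLowerInvariant()
            $svc, $target = $key -split '/', 2
            $entries = @([pscustomobject]@{ Spn = $key; Explicit = $true })
            if ($target -and $SpnMappings.ContainsKey($svc)) {
                # HOST/x (or any other mapped service class) implies alias/x for this object only
                foreach ($alias in $SpnMappings[$svc]) {
                    $entries += [pscustomobject]@{ Spn = "$alias/$target"; Explicit = $false }
                }
            }
            foreach ($e in $entries) {
                if (-not $claims.ContainsKey($e.Spn)) { $claims[$e.Spn] = @() }
                $claims[$e.Spn] += [pscustomobject]@{ Dn = $obj.DistinguishedName; Explicit = $e.Explicit }
            }
        }
    }
    foreach ($spn in $claims.Keys) {
        $byDn = @($claims[$spn] | Group-Object Dn)
        if ($byDn.Count -lt 2) { continue }              # claimed by a single object: fine
        $explicit = @($byDn | Where-Object { $_.Group.Explicit -contains $true } | ForEach-Object Name)
        if     ($explicit.Count -ge 2) { $severity = 'Duplicate' }  # same SPN registered twice: KDC event 11 territory
        elseif ($explicit.Count -eq 1) { $severity = 'Shadowed'  }  # explicit SPN on one object hides a HOST alias on another
        else   { continue }                                         # alias-only on every side: host/x itself gets reported
        [pscustomobject]@{ Spn = $spn; Severity = $severity; Objects = @($byDn.Name) }
    }
}

# Constructed sample modelled on this issue (not a directory dump): the two userx-mobl objects,
# a Samba-style HOST/CIFS split across two objects, and one genuine duplicate.
$sample = @(
    [pscustomobject]@{ DistinguishedName    = 'CN=userx-mobl,OU=mobile,OU=production,OU=windows 7,OU=it client,OU=resources,DC=work,DC=com'
                       ServicePrincipalName = 'HOST/userx-mobl.work.com', 'HOST/userx-mobl', 'WSMAN/userx-mobl.work.com' }
    [pscustomobject]@{ DistinguishedName    = 'CN=userx-mobl,OU=management controllers,OU=resources,DC=work,DC=com'  # AMT user account, no HOST/
                       ServicePrincipalName = 'HTTP/userx-mobl.work.com:16992', 'HTTP/userx-mobl.work.com:16993' }
    [pscustomobject]@{ DistinguishedName    = 'CN=sambaserver1,OU=servers,DC=work,DC=com'
                       ServicePrincipalName = 'CIFS/sambaserver1.site.work.com' }
    [pscustomobject]@{ DistinguishedName    = 'CN=sambaserver1-host,OU=servers,DC=work,DC=com'
                       ServicePrincipalName = 'HOST/sambaserver1.site.work.com' }
    [pscustomobject]@{ DistinguishedName    = 'CN=svc-web-old,OU=service accounts,DC=work,DC=com'
                       ServicePrincipalName = 'HTTP/intranet.work.com' }
    [pscustomobject]@{ DistinguishedName    = 'CN=svc-web,OU=service accounts,DC=work,DC=com'
                       ServicePrincipalName = 'HTTP/intranet.work.com' }
)

Find-DuplicateSpn -Objects $sample | Sort-Object Spn | Format-Table Spn, Severity, Objects -AutoSize
```

On the sample this reports cifs/sambaserver1.site.work.com as Shadowed (explicit on one object, implied by HOST/ on the other, the supported Samba pattern from the second comment) and http/intranet.work.com as Duplicate; the userx-mobl pair produces nothing, because HOST/userx-mobl.work.com only implies http/userx-mobl.work.com, not the port-qualified HTTP/userx-mobl.work.com:16992 entries on the AMT object. Against a real forest, feed the function the GC query shown in its comment and pass -Server to Get-SpnMappings so a customised sPNMappings value is honoured; setspn -X -F remains the built-in cross-check.
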
kenbrumf wrote Aug 17, 2012 at 12:32 PM

My apologies for taking so long to get back to you; it's been a busy summer. I looked into this a little bit and realized that this has to do with Intel AMT functionality and these are user accounts, not computer accounts. In addition to your points, I made some simplistic assumptions that aren't panning out well here. I'll happily fix this, but it is going to take me a little bit to carve out some time to refresh myself on my code and some of the subtleties of SPNs so that I can fix this properly.

Thank you for bringing this to my attention.
