Applies to: All versions of Centrify DirectControl on all platforms
Problem:
There are two places where this error may be shown:
- adjoin fails with the following output:
Error: One or more of the following SPNs already associated with other account in the forest
host/
host/machine1
ftp/machine1.intra.yourcompany.com
ftp/machine1
Accounts that contain same SPNs are:
CN=machine2,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
CN=machine3,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
CN=machine4istprod1,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
Each SPN must be unique across the forest. Please make sure the SPNs listed above are unique across the forest before joining.
Join to domain 'intra.yourcompany.com', zone 'machine1' failed.
- adclient is in "Connected" mode but AD users still cannot log in to the system.
The following message may be seen in the centrifydc.log file:
-------------------------------------------------------------------------------------------------------------------------------------
base.aduser Can't find service host/computer.lab.local. Run adinfo --diag to check for multiple computer accounts with the same SPN. Check that the local computer's Active Directory object's servicePrincipalName value has not been deleted. Check for replication errors.
-------------------------------------------------------------------------------------------------------------------------------------
Cause:
Some computer objects in AD carry duplicate servicePrincipalName (SPN) values, i.e. the same SPN is registered on more than one account. Kerberos requires each SPN to be unique in the forest, so the KDC cannot tell which account should hold the service ticket.
Resolution:
Note: If the machine is not yet joined to AD, go straight to Step 2, otherwise start from Step 1.
- Run the following ldapsearch command as root on Unix/Linux to find the computer objects that hold servicePrincipalName (SPN) values for this host:
/usr/share/centrifydc/bin/ldapsearch -m -Q -LLL -H "ldap://" -b <Base_DN> '(servicePrincipalName=*/<Hostname>*)' dn serviceprincipalname
(Substitute <Base_DN> with the Distinguished Name (DN) of the domain and <Hostname> with the name of the computer account.)
For example:
/usr/share/centrifydc/bin/ldapsearch -m -Q -LLL -H "ldap://" -b "dc=lab,dc=local" "(serviceprincipalname=*/computer*)" dn serviceprincipalname
- From the ldapsearch output (or the list printed by adjoin), identify the computer objects that hold the same SPN; any SPN that appears under more than one dn, or that names this host but sits on a different account, is a duplicate.
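The ldapsearch above returns LDIF, and reading it by eye is error-prone once more than a handful of objects match. The following script is an added example, not part of the Centrify article or product: it parses LDIF (including folded continuation lines and base64 values), reports every SPN held by more than one object, lists SPNs that name the host being joined but sit on a different account (the "not yet joined" case, where no own object exists), and prints candidate setspn -D commands for review. The sample LDIF is constructed; the assumption that an object's CN equals its computer account name (the name setspn expects) is labelled in the code.

```python
import base64
from collections import defaultdict

# Constructed sample: LDIF as ldapsearch -LLL might return it for the
# filter "(servicePrincipalName=*/computer*)". One value is folded across
# two lines and one SPN differs only in case, to exercise the parser.
SAMPLE_LDIF = """\
dn: CN=computer,OU=Servers,DC=lab,DC=local
servicePrincipalName: host/computer.lab.local
servicePrincipalName: host/computer

dn: CN=oldbox,OU=Servers,DC=lab,DC=local
servicePrincipalName: HOST/computer.lab.local
servicePrincipalName: host/oldbox

dn: CN=ftpgw,OU=Servers,DC=lab,DC=local
servicePrincipalName: ftp/computer.lab.loc
 al
servicePrincipalName: host/computer
"""


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) entries from LDIF text."""
    # Unfold: a line starting with a single space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                 # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current:
        entries.append(current)
    return entries


def cn_of(dn):
    """First RDN value of a DN. Assumption: for computer objects this CN is
    the account name that setspn accepts."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def duplicate_spns(ldif_text):
    """SPNs registered on more than one object. AD compares SPNs
    case-insensitively, so 'host/x' and 'HOST/x' are the same SPN."""
    owners, display = defaultdict(set), {}
    for dn, attrs in parse_ldif(ldif_text):
        for spn in attrs.get("serviceprincipalname", []):
            key = spn.lower()
            display.setdefault(key, spn)
            owners[key].add(dn)
    return {display[k]: sorted(dns) for k, dns in owners.items() if len(dns) > 1}


def foreign_holders(ldif_text, hostname):
    """SPNs that name `hostname` (short name or FQDN) but are held by some
    other account. Covers the not-yet-joined case, where the host has no
    object of its own and a single foreign holder is already a conflict."""
    hits = {}
    host = hostname.lower()
    for dn, attrs in parse_ldif(ldif_text):
        if cn_of(dn).lower() == host:
            continue
        for spn in attrs.get("serviceprincipalname", []):
            if "/" not in spn:
                continue
            target = spn.split("/", 1)[1].split(":")[0].lower()  # strip :port
            if target == host or target.startswith(host + "."):
                hits.setdefault(spn, []).append(dn)
    return hits


def suggested_removals(spn_holders, keep_cn):
    """setspn -D commands for every holder other than keep_cn, for an
    administrator to review before running on a domain controller."""
    cmds = []
    for spn, dns in sorted(spn_holders.items()):
        for dn in dns:
            if cn_of(dn).lower() != keep_cn.lower():
                cmds.append(f"setspn -D {spn} {cn_of(dn)}")
    return cmds


if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(f"duplicate {spn}: {', '.join(dns)}")
    for cmd in suggested_removals(foreign_holders(SAMPLE_LDIF, "computer"), "computer"):
        print(cmd)
```

Pipe real ldapsearch output into parse_ldif instead of SAMPLE_LDIF; the script only proposes removals, it never modifies the directory, and which holder keeps an SPN remains a decision for whoever owns those accounts.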
Once the information is obtained, there are two options to fix the issue:
- Option 1:
- Run ADSIEdit.msc and navigate to the computer object that holds the duplicate SPN.
- Right-click and select Properties.
- Double-click the "servicePrincipalName" attribute.
- Remove the duplicate SPN value.
- Option 2:
- Use the setspn command on the domain controller to remove the duplicate SPN from the corresponding computer object.
For example, to use the setspn command to remove the SPN "http/computer" from the computer object "Workstation":
setspn -D http/computer Workstation