Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1215: Error: One or more of the following SPNs already associated with other account in the forest

Centrify DirectControl ,   Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:02 AM

Applies to: All versions of Centrify DirectControl on all platforms
 
Problem:
 
There are two places where this error may be shown:
  1. adjoin fails with the following output:
     
    Error: One or more of the following SPNs already associated with other account in the forest
     
    host/
    host/machine1
    ftp/machine1.intra.yourcompany.com
    ftp/machine1
     
     
    Accounts that contain same SPNs are:
     
    CN=machine2,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
    CN=machine3,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
    CN=machine4istprod1,OU=Servers,OU=Centrify,DC=intra,DC=yourcompany,DC=com
     
    Each SPN must be unique across the forest. Please make sure the SPNs listed above are unique across the forest before joining.
     
    Join to domain 'intra.yourcompany.com', zone 'machine1' failed.


     
  2. adclient is in "Connected" mode but AD users still cannot login to the system.
     
    The following message may be seen in the centrifydc.log file:
     
    -------------------------------------------------------------------------------------------------------------------------------------
    base.aduser Can't find service host/computer.lab.local.  Run adinfo --diag to check for multiple computer accounts with the same SPN. Check that the local computer's Active Directory object's servicePrincipalName value has not been deleted. Check for replication errors.
    -------------------------------------------------------------------------------------------------------------------------------------
     
 
Cause:
 
There are some computer objects in AD which have duplicated ServicePrincipleNames (SPN).
 

Resolution:
 
Note: If the machine is not yet joined to AD, go straight to Step 2, otherwise start from Step 1.
  1. Run the following ldapsearch command as root on Unix/Linux to find out the computer objects with duplicate ServicePrincipleNames (SPNs):

    /usr/share/centrifydc/bin/ldapsearch -m -Q -LLL -H "ldap://" -b <Base_DN> '(servicePrincipalName=*/<Hostname>*)' dn serviceprincipalname

    (Substitute <Base_DN> with the Distinguished name (DN) of domain and <Hostname> with the name of computer account)
     
    For example:
    /usr/share/centrifydc/bin/ldapsearch -m -Q -LLL -H "ldap://" -b "dc=lab,dc=local" "(serviceprincipalname=*/computer*)" dn serviceprincipalname

     
  2. Find the computer objects with the duplicate SPNs from the ldapsearch or adjoin result.
    Once the information is obtained, there are two options to fix the issue:
    • Option 1:
      1. Run ADSIEdit.msc and navigate to the computer object with the duplicated SPN.
      2. Right-click and select Properties. 
      3. Double-click on the "servicePrincipalName" attribute
      4. Remove the duplicate SPN.
         
    • Option 2:
      • Use the setspn command on the domain controller to remove the duplicated SPN from the corresponding computer object.
      • For example, to use the setspn command to remove the SPN "http/computer" from the computer object "Workstation":
         
        setspn -D http/computer Workstation
         
 

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.