One reason why Kerberos delegation wont work.

Reading Time: 2 minutes

Doing a lot of work with Kerberos delegation over the past few years and I have encountered many reasons why the delegation won’t work. One reasons so often not thought of or left out is duplicate SPN entries.

Now I know its easy to say who would add a duplicate entry but when administrators get desperate, and delegation is not working people start adding SPN’s for all kinds of things.

In the case I will explain the administrator added a SPN for the specified service (HTTP) for both the web server and the actual account that would be running as the identity in the Application Pool of IIS 6.0. Thus creating a duplicate entry for the KDC and therefore it would not allow delegation to happen.

I was called in to fix this and my first impression was that there was something wrong with the SPN, so I went about checking if the SPN was registered for the account and it sure was. Then I do the duplicate check which I have learnt is a must have.

I used LDP (my fav. Tool), bound to the root domain and used the following LDAP filter to list all objects with a specific HTTP/<User_Name> that I suspected had a duplicate entry in the directory.

LDP -> Connection -> Connect -> “ServerIn Root Domain” , 389

Connection -> Bind -> user administrator ….

View -> Tree ->DomainDN (Dc=Domain,dc=Com)

Right click on Domain DN -> Search

Base DN = Dc=Domain,dc=Com

Filter = (&(objectCategory=*)(servicePrincipalName=HTTP/<User_Name>))

Why did I use ObjectCategory=* (where * = Wildcard) well cause many different types of objects can contain ServicePrincipalName’s and who knows which one of those objects the administrator set a HTTP SPN for.





ldap_search_s(ld, "DC=Domain,DC=Com", 2, "(&(objectCategory=*)(servicePrincipalName=HTTP/<User_Name>))", attrList,  0, &msg)

Getting 2 entries:

>> Dn: CN=WebServer1; OU=Computers; DC=domain; DC=com;

4> servicePrincipalName: HTTP/<User_Name>; HTTP/siteq; HOST/ WebServer1; HOST/;

>> Dn: CN=NetUser SharePoint; CN=Users; DC=domain; DC=com;

4> servicePrincipalName: HTTP/<User_Name>; HTTP/; HTTP/; HTTP/WebServer1;


Bingo we found the duplicate entry, he added a SPN for the Web server, and there is the duplicate.

So now to remove it, you can either use LDP or ADSIEDIT, I personally prefer LDP so:

(**Note you still connected from doing the search above)

Allocate the webserver – WebServer1, which is easy cause we have its DN : CN=WebServer1; OU=Computers; DC=domain; DC=com

Right Click on entry(CN=WebServer1; OU=Computers; DC=domain; DC=com)

-> Modify

-> Attribute: servicePrincipalName

-> Values: HTTP/<User_Name>

-> Operation: Delete

-> click “enter button”

-> click “Run”



***Call Modify…

ldap_modify_s(ld, :’CN=WebServer1; OU=Computers; DC=domain; DC=com ',[1] attrs);

Modified ": CN=WebServer1; OU=Computers; DC=domain; DC=com".



Bingo entry sorted, restarted IIS on the webserver, checked that the application pool account was specified as the correct account, checked the delegation dialog tabs in ADUC and we where all set.

Tested the application that required delegation and bingo, delegation working all nice and smoothly.

**NOTE:  The organization had MOM 2005 running on the network, they failed to monitor the events on the domain controllers. The events had:


Domain: Domain
Computer: MyDomainController
Time: 2005/11/21 09:54:26 AM
Type: Error
Provider Name: System
Event Number: 11
Provider Type: Event Log
Source: KDC
Raises Alert: False
Event Id: 74ed497b-58ce-4d1e-9e7e-cba54a03829e

  1. Value = HTTP/<User_Name>

Moral of the story CHECK YOUR EVENT LOGS ON YOUR DC’s!!! Also if you note value 1 it would have saved me time figuring out which SPN user to look for as MOM tells you.