Quick way to finding duplicate SPN's

Reading Time: < 1 minute

I know that Kerberos delegation can be a pain in the A$$ one of the first steps is to see if the user/administrator has registered a Service Principle Name (SPN) if he has and Kerberos delegation is still not working then check if he has duplicate entries for that SPN entry. A quick and easy way is to use the following command:

  1. Click “Start”
  2. Click “Run”
  3. Type “CMD”
  4. Type “CD \”
  5. Type the following


ldifde -s <GC_Server_Name> -f c:\<My_SPN_Dump_File>.txt -d "" -r "(serviceprincipalname=host/<Machine_Name>)" -p subtree -t 3268 -l dn,serviceprinciplename

Replace the following with your environments details:

  • <GC_Server_Name>
  • <My_SPN_Dump_File>.
  • <Machine_Name>


Happy hunting