Check the SPN is Mapped to One User Only

There should ONLY be ONE user mapped to a given SPN. If you have two or more different users mapped to a given SPN record Kerberos authentication will ALWAYS FAIL. For more information see the following blog entry

You can use the queryspn.vbs script from to quickly check that SPN is only mapped to one user account. For example, if we search for SPN HTTP/proxy.diladele.lan@DILADELE.LAN the correct output will be one entry only:

c:\cscript queryspn.vbs HTTP/proxy*
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Class: user
User Logon: squid
-- HTTP/proxy.diladele.lan