Check the SPN is Mapped to One User Only¶

There should ONLY be ONE user mapped to a given SPN. If you have two or more different users mapped to a given SPN record Kerberos authentication will ALWAYS FAIL. For more information see the following blog entry

You can use the queryspn.vbs script from to quickly check that SPN is only mapped to one user account. For example, if we search for SPN HTTP/proxy.diladele.lan@DILADELE.LAN the correct output will be one entry only:

c:\cscript queryspn.vbs HTTP/proxy*
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

Class: user
User Logon: squid
-- HTTP/proxy.diladele.lan

If you have more than one user mapped to a given SPN you can remove the additional mappings by running the following command in the administrator’s command prompt on your domain controller. Please specify your own SPN and user name of course!

setspn -D HTTP/proxy.example.lan squid