When a domain controller detects duplicate service principal names (SPN), authentication may fall back from Kerberos to the vulnerable authentication protocol NTLM.
What is a Service Principal Name?
Service principal names (SPN) is used by Kerberos to link a service to a service account. This allows a user to access a service without knowing the service account used. For example, SQL uses SPNs. For more in-depth information on SPNs go to Service Principal Names - Win32 apps | Microsoft Docs.
What is NTLM?
NTLM is a challenge/response authentication protocol that has been surpassed by Kerberos but is still in production environments. For more information on NTLM, visit Microsoft NTLM - Win32 apps | Microsoft Docs. NTLM is vulnerable to the following (not limiting):
NTLM relay attacks - A threat actor obtains hashed communication (person in the middle), and relay validated authentication requests to gain unauthorized access to domain systems.
Pass the hash - A threat actor obtains the users hashed password and uses this to gain access to domain systems.
Brute force - NTLM uses MD4 to create hashes. MD4 is severely compromised and can be cracked easily.
Vulnerability Discovery
Option #1:
On domain controllers through the event viewer, search for event ID 11 in the system log. This will show you that duplicate SPNs are detected in the environment.
Option #2 (recommended):
Run the following command from a command prompt run as an administrator.
Vulnerability Mitigation
To mitigate this vulnerability, remove the duplicate SPN.
Determine which account has the incorrect SPN.
Open active directory users and computers.
Click on View | Advanced Features.
Open the account that has the SPN you want to remove.
Click on the "Attribute Editor" tab. If you don't see this tab, you are probably using search to find this account. Instead, navigate to the OU that holds this account and open the account properties there.
Find the attribute named "servicePrincipalName" and remove the offending entry.