Duplicate SPN Active Directory: Finding and Fixing a Kerberos Security Vulnerability with PowerShell

  • Writer: Chris Keim
  • Jun 30, 2022
  • 2 min read


Duplicate SPN Active Directory issues cause Kerberos authentication to fall back to NTLM, a weaker protocol vulnerable to relay attacks, pass-the-hash, and brute force cracking. Finding and removing duplicate SPNs is a straightforward fix that most environments overlook entirely.


What is a Service Principal Name?

A service principal name (SPN) is used by Kerberos to link a service instance to the account that runs it. This lets a client request a ticket for the service without needing to know which service account is behind it. SQL Server, for example, registers SPNs for each instance. For more in-depth information on SPNs, see Service Principal Names - Win32 apps | Microsoft Docs.


What is NTLM?

NTLM is a challenge/response authentication protocol that has been superseded by Kerberos but is still present in production environments. For more information on NTLM, visit Microsoft NTLM - Win32 apps | Microsoft Docs. NTLM is vulnerable to the following (not an exhaustive list):


  • NTLM relay attacks - A threat actor positioned in the middle of a connection captures the challenge/response exchange and relays the validated authentication to another domain system to gain unauthorized access.

  • Pass the hash - A threat actor obtains a user's NT hash and uses it directly, without cracking it, to authenticate to domain systems.

  • Brute force - The NT hash is an unsalted MD4 digest of the password. MD4 is severely compromised and such hashes can be cracked quickly offline.


Finding Duplicate SPN Active Directory Accounts in Your Environment

Option #1: Finding Duplicate SPNs with Event Viewer

On a domain controller, open Event Viewer and search the System log for event ID 11. These events are logged by the KDC and show that duplicate SPNs have been detected in the environment.
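The same check without clicking through Event Viewer, as an added example that is not part of the original post: it pulls KDC event ID 11 entries from the System log of a domain controller and summarises which SPNs they name. The provider name and the regex used to pick the SPN out of the message text are assumptions (the exact message wording differs between Windows versions), and you need read access to the System log on the DC.

```powershell
# Added example: list the duplicate SPNs reported by KDC event ID 11 on a domain controller.
# Assumptions: run with rights to read the DC's System log; the provider name below is the
# modern KDC provider; the SPN is located with a loose regex because message wording varies.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

$filter = @{
    LogName      = 'System'
    Id           = 11
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'   # assumption: modern KDC provider name
    StartTime    = (Get-Date).AddDays(-$Days)
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match, which is a normal outcome here.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No KDC event ID 11 entries in the last $Days days on $ComputerName."
    return
}

# An SPN has the shape class/host[:port][/name]. The pattern is an assumption: it takes the first
# slash-separated token in the message, which is where the duplicate name is quoted.
$spnPattern = '\b[A-Za-z0-9_.-]+/[^\s)"]+'

$events |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $spnPattern)
        [pscustomobject]@{
            TimeCreated  = $_.TimeCreated
            DC           = $ComputerName
            DuplicateSPN = if ($m.Success) { $m.Value } else { '<not parsed>' }
        }
    } |
    Group-Object DuplicateSPN |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'DuplicateSPN'; e = { $_.Name } },
                  Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } }
```

Run it against each domain controller in turn (or loop over `Get-ADDomainController -Filter *`), because the event is written only on the DC that handled the failing ticket request.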


Option #2: Finding Duplicate SPNs with Command Line

Run the following command from a command prompt run as an administrator.

Option #3: Finding Duplicate SPNs with PowerShell

For larger environments or when you want exportable results, use the following PowerShell script. It queries all AD accounts for registered SPNs, identifies duplicates, and outputs a report you can pipe to CSV.
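An added example of the kind of script described above; it is not the original post's script. It runs one LDAP query for every object with a servicePrincipalName, flattens the result to one row per SPN and account, and emits the SPNs that are registered on more than one account as objects you can pipe to Export-Csv. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the directory; the script file name in the usage comment is a placeholder.

```powershell
# Added example: report every SPN registered on more than one account in the domain.
# Assumptions: ActiveDirectory module installed; caller can read the directory.
# Usage (file name is a placeholder):
#   .\Find-DuplicateSpn.ps1 | Export-Csv .\duplicate-spns.csv -NoTypeInformation
[CmdletBinding()]
param(
    [string]$SearchBase,   # defaults to the domain root
    [string]$Server        # defaults to the PDC emulator for a consistent view
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain = Get-ADDomain
if (-not $SearchBase) { $SearchBase = $domain.DistinguishedName }
if (-not $Server)     { $Server     = $domain.PDCEmulator }

# One LDAP query covers user, computer and managed service accounts alike.
$accounts = Get-ADObject -Server $Server -SearchBase $SearchBase `
    -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, userAccountControl

# Flatten to one row per (SPN, account). SPN matching is case-insensitive, so normalise the
# value before grouping: two entries that differ only by case are still a duplicate.
$rows = foreach ($a in $accounts) {
    foreach ($spn in $a.servicePrincipalName) {
        [pscustomobject]@{
            SPN         = $spn.ToLowerInvariant()
            SPNAsStored = $spn
            Account     = $a.DistinguishedName
            ObjectClass = $a.ObjectClass
            Disabled    = [bool]($a.userAccountControl -band 0x2)   # ADS_UF_ACCOUNTDISABLE
        }
    }
}

$duplicates = @($rows | Group-Object SPN | Where-Object { $_.Count -gt 1 })

# Output: one row per account holding a duplicated SPN, so the report shows which accounts to inspect.
foreach ($g in $duplicates) {
    foreach ($r in $g.Group) {
        [pscustomobject]@{
            SPN          = $g.Name
            RegisteredOn = $g.Count
            Account      = $r.Account
            ObjectClass  = $r.ObjectClass
            Disabled     = $r.Disabled
            SPNAsStored  = $r.SPNAsStored
        }
    }
}

Write-Verbose ("Checked {0} accounts holding {1} SPNs; {2} SPN(s) are duplicated." -f @($accounts).Count, @($rows).Count, $duplicates.Count)
```

The Disabled column is there because a stale, disabled account that still carries an SPN is the most common cause of a duplicate; the report makes that case obvious before anyone edits a live account.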




Vulnerability Mitigation

To mitigate this vulnerability, remove the duplicate SPN.


  1. Determine which account has the incorrect SPN.

  2. Open Active Directory Users and Computers.

  3. Click on View | Advanced Features.

  4. Open the account that has the SPN you want to remove.

  5. Click on the "Attribute Editor" tab. If you don't see this tab, you are probably using search to find this account. Instead, navigate to the OU that holds this account and open the account properties there.

  6. Find the attribute named "servicePrincipalName" and remove the offending entry.
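The same removal done from PowerShell rather than the Attribute Editor, as an added example that is not part of the original post. It confirms the SPN is actually registered on more than one account, checks that the account you named holds it, removes the entry only after -WhatIf/-Confirm handling, and verifies the result. It assumes the ActiveDirectory module is installed, that the caller can write to the account, and that the account is given by distinguished name (as the report above produces); the SPN in the comment is a placeholder.

```powershell
# Added example: remove one SPN from one account (steps 4-6 above, done with Set-ADObject).
# Assumptions: ActiveDirectory module installed; caller can modify the account;
# -AccountDN is the distinguished name of the account that should NOT hold the SPN.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory)][string]$Spn,        # placeholder example: 'MSSQLSvc/sql01.example.local:1433'
    [Parameter(Mandatory)][string]$AccountDN   # distinguished name of the account with the wrong SPN
)

Import-Module ActiveDirectory -ErrorAction Stop

# Escape the characters that are special inside an LDAP filter (RFC 4515) before interpolating.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Step 1 of the article: confirm the SPN really is duplicated before touching anything.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))" `
                          -Properties servicePrincipalName)
if ($holders.Count -lt 2) {
    throw "'$Spn' is registered on $($holders.Count) account(s); there is no duplicate to remove."
}

$target = Get-ADObject -Identity $AccountDN -Properties servicePrincipalName

# -eq on strings is case-insensitive in PowerShell; use the value exactly as stored for the removal.
$stored = @($target.servicePrincipalName | Where-Object { $_ -eq $Spn })
if ($stored.Count -eq 0) {
    throw "'$Spn' is not registered on $AccountDN. Holders are: $($holders.DistinguishedName -join '; ')"
}

Write-Host "Other account(s) holding '$Spn':"
$holders | Where-Object { $_.DistinguishedName -ne $target.DistinguishedName } |
    ForEach-Object { Write-Host "  $($_.DistinguishedName)" }

if ($PSCmdlet.ShouldProcess($target.DistinguishedName, "Remove SPN '$($stored[0])'")) {
    Set-ADObject -Identity $target -Remove @{ servicePrincipalName = $stored[0] }

    # Verify the change landed and the SPN now has a single holder.
    $after = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))")
    if ($after.Count -eq 1) {
        Write-Host "Done. '$Spn' is now registered only on $($after[0].DistinguishedName)."
    } else {
        Write-Warning "'$Spn' is still registered on $($after.Count) account(s); check replication or repeat for the remaining duplicates."
    }
}
```

Run it once with -WhatIf to see which account would be changed; because ConfirmImpact is High, a normal run prompts before the write unless you pass -Confirm:$false.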


Duplicate SPNs are easy to miss and easy to fix. Run either the setspn command or the PowerShell script above, identify which account has the incorrect SPN registered, and remove it through the Attribute Editor. Once resolved, Kerberos authentication will resume normally and the NTLM fallback risk is eliminated. If you're working through your AD security posture systematically, check out the rest of the series covering Kerberoasting, AS-REP Roasting, and DCSync.
