Service Principal Names are basically pointers back to security principals
for Kerberos. If you cannot uniquely identify a security principal from a
service principal name you would get some sort of auth failure. The results
of which could be anything depending on how the service trying to
authenticate captures and handles that failure. It may possibly do some
sort of failover to something else or completely give up or ?

Here is a little ditty on SPNs and Mutual Authentication that is interesting
to read.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/mutual_authentication_using_kerberos.asp


Also O'Reilly has a decent little Kerberos book that is worth reading.


  joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Wednesday, June 23, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on duplicate SPN's

I had some DCs reporting Event ID 11 that the KDC was finding duplicate
SPNs for some computer objects.  I followed the process to clean them up,
but I was curious just what sort of problems result from having a duplicate
SPN.  The articles I've found all discuss how to fix them but not what the
consequences of them are.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/