Thursday, 13 August 2015

SPN value provided for addition/modification is not unique forest-wide

When adding a new service principal name, you may end up with an error because the SPN is already registered on another user or computer object somewhere in the forest. The exact error is:

Operation failed. Error code: 0x21c7
The operation failed because SPN value provided for addition/modification is not unique forest-wide.
00021C7: AtrErr: DSID-03200BA6, #1:
0: 000021C7: DSID-03200BA6, problem 1005
(CONTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

If you want to find out where the SPN is registered, you can use the Get-ADUser and Get-ADComputer cmdlets, which require the Active Directory PowerShell module (installed on any 2008 Domain Controller and higher).

To search user objects:
Get-ADUser -Filter {serviceprincipalname -like "http/MYSharePointSite"}

To search computer objects:
Get-ADComputer -Filter {serviceprincipalname -like "http/MYSharePointSite"}

You can also use wildcards in your search. E.g.
Get-ADComputer -Filter {serviceprincipalname -like "http/*SharePoint*"}
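Because the uniqueness check is forest-wide, a search that only covers your own domain can miss the object that owns the SPN. The function below is an added example (not part of the original post) that runs the same kind of query through Get-ADObject, so users, computers and gMSAs are covered in one pass, and optionally against a Global Catalog so the whole forest is searched; it assumes the Active Directory module is available and that the SPN being added is the one from the post.

```powershell
Import-Module ActiveDirectory

function Find-SpnOwner {
    <#
      Returns every user, computer or gMSA object whose servicePrincipalName
      matches $Spn. With -Forest the query goes to a Global Catalog (port 3268)
      rooted at the forest root, because the uniqueness check behind error
      0x21c7 is forest-wide and a domain-only search can miss the clash.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Spn,   # wildcards allowed: "http/*SharePoint*"
        [switch] $Forest
    )

    $query = @{
        # Same -like semantics as the Get-ADUser/Get-ADComputer examples above
        Filter     = "servicePrincipalName -like '$Spn'"
        Properties = 'servicePrincipalName'
    }
    if ($Forest) {
        # Locate any GC and search from the forest root naming context
        $gc = Get-ADDomainController -Discover -Service GlobalCatalog
        $query.Server     = "$($gc.HostName):3268"
        $query.SearchBase = (Get-ADRootDSE).rootDomainNamingContext
    }

    Get-ADObject @query | ForEach-Object {
        [PSCustomObject]@{
            Name              = $_.Name
            ObjectClass       = $_.ObjectClass
            DistinguishedName = $_.DistinguishedName
            # Report only the SPNs that matched, not the object's whole list
            MatchingSpn       = @($_.servicePrincipalName | Where-Object { $_ -like $Spn })
        }
    }
}

# Usage: work out who owns the SPN that produced the 0x21c7 error.
# @() forces an array so .Count is reliable for zero or one result.
$owners = @(Find-SpnOwner -Spn 'http/MYSharePointSite' -Forest)
switch ($owners.Count) {
    0       { 'SPN is not registered anywhere in the forest; safe to add.' }
    1       { "SPN is registered on $($owners[0].DistinguishedName); remove it there or use a different SPN." }
    default { "Duplicate SPN on $($owners.Count) objects:"; $owners | Format-Table Name, ObjectClass, DistinguishedName }
}
```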

Before Server 2012 R2, there was no check for duplicates when adding SPNs, so we are seeing this issue more often now. If you find that you cannot get around this and you really need two accounts registered with the same SPN, you can install a hotfix from Microsoft that disables this new check. See https://support.microsoft.com/en-us/kb/3070083


1 comment:

  1. Thank you! This helped me find and fix a very irritating problem.
