<A Microsoft PFE's Note from the Field>
So in my day to day SharePoint support endeavors one of the classic cases that come in from time to time is customers trying to implement Kerberos into their Farms. One of the issues I see pop up a lot is duplicate SPN's.
The classic method (via the command line) is to run the following command to create an SPN:
Setspn –a http/<FQDN or Netbios Name> Domain\usercredential
For example Setspn –a http/connect.sharepoint.com sharepoint\content1
This would create an SPN to be used to create a valid Kerberos ticket for the http/connect.sharepoint.com site. Easy stuff here and you can verify this by going into ADSIEdit and open the properties for the Content1 Service Name.
But how do we get the issue with Duplicate SPN's. Usually this comes down to poor planning before you turn on your computer. Say as an example (and one I see often) you didn't think this through and plan your AuthN properly. Or say you just made a simple "FatFinger" or had a "Brain Cramp"… it happens. For illustration purposes lets go with the idea that you created the above mentioned SPN but for some reason you tried to run the Setspn command again using a different account. Voila! that's where we are in trouble. In my example I created two SPN entries pointing to the same site but I used two different service accounts. SPContent and SPContent1. As you can see in the screenshot below I get an Event ID 11 thrown which if you can read the text is basically telling me exactly what I need to know to go forward and fix the issue.
So is there a way to verify this before I go and run the command? Absolutly. If you enter the command Setspn –x you will get a list of any duplicates that exist in your environment.
Let's take this one step further and combine both the –A and the –X into a single FatFinger Proof method of creating our SPN's
Operation ABORTED!!! So if we look at the above output were shown the same information as the Setspn –x but we are also combining this with the ability to add an SPN. In both of these outputs you can clearly see that in my demonstration I tried to create an SPN for the same site http/connect.sharepoint.com but I used separate accounts. Also note that I can use the same account for multiple hosts if I so choose.. in this case im using Spcontent1 for both http/connect and http/my.
So in a perfect world when you are doing this work and you don't have any duplicates you can use either the setspn –x initially to see if any duplicates exist or do what I always do… use the setspn –s and cover everything in one sweep. In the above example if there were no duplicates the process would successfully finish and presto chango you have your SPNs created
Hope this helps someone out there J Cheers!