Duplicate Service Principal Names (SPNs) and how to identify them for troubleshooting

With SDL Trados GroupShare 2017, an SPN must be set for the service account running the GroupShare Services. (See also: Windows Authentication, GroupShare and the requirement of setting a Service Principal Name)

The SPN is required so that the client PC can identify the server that hosts the SDL Trados GroupShare instance, establish communication with it and authenticate via Kerberos when the Windows Authentication method in the SDL client applications (SDL Trados Studio / SDL MultiTerm) is used to connect to the GroupShare server.

For this to work, the registered Service Principal Name (SPN) must be unique. Duplicate SPNs can cause authentication and the subsequent communication to fail, so that SDL Trados Studio and/or SDL MultiTerm cannot use the Windows Authentication feature to connect to the GroupShare server/instance. You will often see one (or more) of the following messages:

An error occurred while sending the request.

The remote server returned an error: (401) Unauthorized.

Response status code does not indicate success: 400 (Bad Request).

The target principal name is incorrect.

Can not connect to GroupShare! - An unknown error occurred!

Please note: These messages are not necessarily the result of a duplicate SPN; they might be related to other SPN issues.

How to check for duplicate SPNs

While browsing the web I quickly realized that there is not much available from a tool/script perspective that can be run and returns a "simple" list of the active Service Principal Names and also the ones that are duplicates.

However, I am kinda lazy when it comes to gathering information "manually" and was therefore looking for a simple way, like a tool that runs this check. I found a very nice script on the MSXFAQ website that does this and even provides a nice HTML page with a table showing existing SPNs and possible duplicates.

Example:

Image source: https://www.msxfaq.de/windows/kerberos/dumpspn.htm

However, for users who are not so familiar with running VB scripts, it might be a bit cumbersome.

So, here I am... lazy... wanting to run the script and perform that check, and with a simple "double-click" it should show everything.

So I fiddled around a bit and created a small executable that runs the script found at MSXFAQ (click here to open the vbs) for checking existing and duplicate SPNs and also opens the HTML page automatically.

Click the emoji to download the Check Duplicate SPN.zip that includes the Check Duplicate SPN.exe.

(Alternative link: https://goo.gl/5gFeOY )
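
For administrators who prefer not to run a downloaded executable, the duplicate check described above can also be done in a few lines of PowerShell. This is an added example, not the MSXFAQ script or anything shipped with GroupShare; the function name `Find-DuplicateSpn`, the sample accounts and the `example.test` names are constructed for illustration, and the live query assumes the RSAT ActiveDirectory module and searches the current domain only.

```powershell
# Added example, not the MSXFAQ script. Sample accounts and names are constructed.
function Find-DuplicateSpn {
    param(
        # Objects exposing DistinguishedName and servicePrincipalName
        [Parameter(Mandatory)]
        [object[]]$Account
    )

    # Flatten the multi-valued attribute into one (SPN, account) pair per value,
    # then group by SPN. Group-Object compares strings case-insensitively by
    # default, so 'HTTP/gs.example.test' and 'http/GS.example.test' collide.
    $Account |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.servicePrincipalName) {
                [pscustomobject]@{ Spn = "$spn".Trim(); Account = $dn }
            }
        } |
        Group-Object -Property Spn |
        ForEach-Object {
            # Report an SPN only when more than one distinct account holds it
            $holders = @($_.Group.Account | Sort-Object -Unique)
            if ($holders.Count -gt 1) {
                [pscustomobject]@{ Spn = $_.Name; Accounts = $holders }
            }
        }
}

# Constructed sample: the same SPN (differing only in case) on two accounts
$sample = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=svc-groupshare,OU=Service Accounts,DC=example,DC=test'
        servicePrincipalName = @('HTTP/gs.example.test', 'HTTP/gs')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=GS01,OU=Servers,DC=example,DC=test'
        servicePrincipalName = @('HOST/gs01.example.test', 'http/GS.example.test')
    }
)
Find-DuplicateSpn -Account $sample | Format-List

# Live query against the current domain (requires the ActiveDirectory module):
# $live = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
# Find-DuplicateSpn -Account $live | Format-List
```

On a domain-joined machine, the built-in `setspn -X` command performs a comparable duplicate search without any script.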