
Issue Description

Unable to add or remove an SPN on a service account, either with the SetSPN command-line tool or with adsiedit.msc; the operation fails with an error.

Reason

This happens because a duplicate SPN exists on the service account. The servicePrincipalName attribute is multi-valued, and when you add or remove one value, every value in the attribute is validated before the change is saved.

As a result, if any value in the servicePrincipalName attribute of that service account is a duplicate (registered on another object as well), you cannot remove or add any other value on the same account until the duplicate is fixed.

You can run the command below on any domain-joined machine to find duplicate SPNs in Active Directory. In this case, the same two SPNs are registered on two objects: one is a computer account and the other is a service account.

PS C:\Users\sourabh\Desktop> SetSPN -x
Checking domain DC=learntechfuture,DC=com
Processing entry 70
MSSQLSvc/SQLDB01.learntechfuture.com:SIS is registered on these accounts:
        CN=SQLDB01,OU=DBServers,OU=Servers,DC=learntechfuture,DC=com
        CN=SvcDBA,OU=Service Accounts,DC=learntechfuture,DC=com

MSSQLSvc/SQLDB01.learntechfuture.com:50001 is registered on these accounts:
        CN=SQLDB01,OU=DBServers,OU=Servers,DC=learntechfuture,DC=com
        CN=SvcDBA,OU=Service Accounts,DC=learntechfuture,DC=com

found 2 groups of duplicate SPNs.

PS C:\Users\sourabh\Desktop>

Fix

Once you remove the duplicate SPNs reported by SetSPN -x, updates to the SPNs on the affected account will succeed.
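The detection step above (SetSPN -x) and the fix step both work on the servicePrincipalName attribute. The following PowerShell script is an added example, not part of the original post: it performs the same duplicate check as SetSPN -x with a plain LDAP search through .NET's DirectorySearcher, but returns objects that can be filtered, exported or scheduled as a recurring check, and it shows the setspn -D call used to remove a stray copy. It assumes a domain-joined machine and a caller with read access to servicePrincipalName (granted to domain users by default); the function name Find-DuplicateSpn and the removal command at the end are illustrative.

```powershell
# Added example (not from the original post): find SPNs registered on more
# than one account, the same condition SetSPN -x reports.
function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # LDAP search base; defaults to the current domain's naming context
        [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter     = "(servicePrincipalName=*)"
    $searcher.PageSize   = 1000   # paged search so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")

    # Map each SPN value (compared case-insensitively) to the DNs holding it
    $index = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        foreach ($spn in $result.Properties["serviceprincipalname"]) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.Generic.List[string]
            }
            if (-not $index[$key].Contains($dn)) { $index[$key].Add($dn) }
        }
    }

    # Emit one object per SPN that appears on more than one account
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [PSCustomObject]@{
                SPN      = $entry.Key
                Count    = $entry.Value.Count
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

# Usage: list every duplicate, sorted by SPN
Find-DuplicateSpn | Sort-Object SPN | Format-Table -AutoSize

# Fix: remove the copy from the account that should not hold it. An SPN belongs
# on the account the service actually runs as; which object that is must be
# confirmed per service before deleting. Names below are taken from the post's
# sample output only to show the syntax (setspn -D <SPN> <account>).
# setspn -D MSSQLSvc/SQLDB01.learntechfuture.com:50001 SQLDB01
```

Run the detection first and keep its output: it records which object held the duplicate before removal, which is useful when the service later fails to authenticate and the SPN has to be traced back to the correct account.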

Thank you for reading!