How to delete SPN

[Peter K]

Hi,

I have a number of SPNs for MSSQLSvc/servername.mydomain.com where the
servernames are long dead and removed (with adsiedit) DCs. How do I
delete them as I think they are causing KDC 11 errors?

Can't do it with SPN -d because the servers don't exist anymore, and
if they are listed in ldifde I can't see them - don't think they show
up there.

Thanks a lot,

Peter

 

[Joe Richards [MVP]]

They have to exist somewhere. Do a search like

adfind -gc -b "" -f "servicePrincipalName=MSSQLSvc/servername.mydomain.com" -dn

That will tell you what objects have the spn set, then you can either delete the
objects or delete the one value from the spn attribte.

 

[Peter K]

Joe,

That is how I found them, with adfind, but, but don't know how to
delete them.

Can't seem to use SPN -d on a server that no longer exists. I can't
see anything like them in adsiedit (sorry - said ldifde in my first
post) .

Thanks,

Peter

 

[Joe Richards [MVP]]

You can do it a couple of ways.

Since you could find them with adfind, you now know the objects. You can either
pull that specific object up in adsiedit and go to the serviceprincipalname
attribute and remove the one value there or you could use admod to remove the value.

admod -b DN_OF_OBJECT "servicePrincipalName:-:MSSQLSvc/servername.mydomain.com"

This part

"servicePrincipalName:-:MSSQLSvc/servername.mydomain.com"

tells admod to look at the SPN attribute and remove the one value that is equal
to MSSQLSvc/servername.mydomain.com

If you do

"servicePrincipalName:-"

it would clear the entire SPN attribute and you don't want that.