Symptom & Impact
Kerberos pre-auth failures surge and application authentication becomes intermittent after SPN ownership drift. Services may fall back to NTLM or fail entirely if delegation paths break. Login latency and ticket request errors increase across domains.
Quick Checks
Identify failing principals and duplicate SPNs associated with recently changed service accounts.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 200
setspn -X
klist purge
Deep Diagnosis
Correlate 4768/4771 events with account lockouts and service startup identities to isolate ownership conflicts.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768} -MaxEvents 200
Search-ADAccount -LockedOut
Get-ADUser svc-web -Properties ServicePrincipalName,msDS-SupportedEncryptionTypes
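An added example (not part of the original article) that does the correlation described above in one pass: it pulls 4768 and 4771 events from the Security log, extracts the target account, client address and Kerberos status code, and groups them so that one service account accumulating 0x18 (pre-auth failed, typically a stale key after an SPN or password change) from many clients stands out. It assumes the ActiveDirectory module and read access to the Security log on a domain controller; the status-code lookup table is my own summary of the common codes and is not exhaustive.

```powershell
# Added example: summarise Kerberos TGT failures (4768 non-zero status, 4771)
# per account and status code. Assumes: run on a DC, ActiveDirectory module loaded.
$StatusCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (account not found)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password / stale service key)'
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED (informational, usually benign)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew)'
}

function Get-KerberosAuthFailure {
    param(
        [int]$Hours = 4,
        [int]$MaxEvents = 2000
    )
    # LogName belongs inside the hashtable; -LogName and -FilterHashtable are
    # different parameter sets and cannot be combined.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4768, 4771
        StartTime = (Get-Date).AddHours(-$Hours)
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $code = $data['Status']
        # 4768 with Status 0x0 is a successful TGT request; skip it.
        if ($e.Id -eq 4768 -and $code -eq '0x0') { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $data['TargetUserName']
            Client  = $data['IpAddress']
            Code    = $code
            Meaning = if ($StatusCodes.ContainsKey($code)) { $StatusCodes[$code] } else { 'see MS-KILE / RFC 4120 error table' }
        }
    }
}

# One account racking up 0x18 from many clients right after an SPN move is the
# symptom described above; sort by volume so it surfaces first.
Get-KerberosAuthFailure -Hours 4 |
    Group-Object Account, Code |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Account'; e={ $_.Group[0].Account }},
        @{n='Code';    e={ $_.Group[0].Code }},
        @{n='Meaning'; e={ $_.Group[0].Meaning }},
        @{n='Clients'; e={ ($_.Group.Client | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize

# Cross-check the noisy accounts against lockout state, as in the checks above.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
```

Read the output alongside the SPN list of the top account: 0x18 concentrated on the service account whose SPN just moved points at a stale key or a wrong owner, whereas 0x12 spread across many accounts points at lockout policy rather than SPN drift.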
Primary Fix
Remove the duplicate SPNs, register the correct mapping on the canonical service account, and reset the affected credentials.
setspn -D HTTP/app.contoso.local CONTOSO\oldsvc
setspn -S HTTP/app.contoso.local CONTOSO\svc-web
Reset-ADServiceAccountPassword -Identity svc-web
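The setspn commands above fix one known duplicate. An added example (not from the original article) that generalises the same fix: given the SPN and its canonical owner, it finds every object that currently claims the SPN, removes it from each non-canonical holder, adds it to the canonical account if missing, and returns the resulting owner list for verification. It supports -WhatIf so the change can be rehearsed first. The account names and the SPN are the article's illustrative values; it assumes the ActiveDirectory module and write access to servicePrincipalName on the accounts involved. The credential reset at the end is keyed on object class because Reset-ADServiceAccountPassword only applies to (group) managed service accounts, whereas a plain user service account needs Set-ADAccountPassword -Reset.

```powershell
# Added example: idempotent SPN ownership repair with dry-run support.
# Assumes: ActiveDirectory module, rights to edit servicePrincipalName.
function Repair-SpnOwnership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Spn,
        [Parameter(Mandatory)] [string]$CanonicalAccount
    )
    # Every object in the domain that currently claims the SPN (users, computers, MSAs).
    $holders   = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
    $canonical = Get-ADObject -LDAPFilter "(sAMAccountName=$CanonicalAccount)" -Properties servicePrincipalName
    if (-not $canonical) { throw "Canonical account '$CanonicalAccount' not found" }

    foreach ($h in $holders) {
        if ($h.DistinguishedName -eq $canonical.DistinguishedName) { continue }
        if ($PSCmdlet.ShouldProcess($h.DistinguishedName, "Remove SPN $Spn")) {
            Set-ADObject -Identity $h -Remove @{ servicePrincipalName = $Spn }
        }
    }
    if ($canonical.servicePrincipalName -notcontains $Spn) {
        if ($PSCmdlet.ShouldProcess($canonical.DistinguishedName, "Add SPN $Spn")) {
            Set-ADObject -Identity $canonical -Add @{ servicePrincipalName = $Spn }
        }
    }
    # Return the post-change state; exactly one row is the expected result.
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Rehearse, then apply.
Repair-SpnOwnership -Spn 'HTTP/app.contoso.local' -CanonicalAccount 'svc-web' -WhatIf
Repair-SpnOwnership -Spn 'HTTP/app.contoso.local' -CanonicalAccount 'svc-web'

# Key reset: the cmdlet depends on what kind of account svc-web is. Either way the
# service key changes, so the service must be restarted with the new credential.
$class = (Get-ADObject -LDAPFilter '(sAMAccountName=svc-web)').ObjectClass
switch ($class) {
    'msDS-GroupManagedServiceAccount' { Reset-ADServiceAccountPassword -Identity svc-web }
    'msDS-ManagedServiceAccount'      { Reset-ADServiceAccountPassword -Identity svc-web }
    default {
        Set-ADAccountPassword -Identity svc-web -Reset -NewPassword (Read-Host -AsSecureString 'New password for svc-web')
    }
}
```

Run the -WhatIf pass first and read the holder list it would touch: if a computer account or a second service account shows up that you did not expect, stop and confirm which side actually runs the service before removing anything, since a wrong removal produces exactly the outage the article describes.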
Verification
Ticket requests should succeed without repeated pre-auth failures and dependent services should authenticate normally.
setspn -Q HTTP/app.contoso.local
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771} -MaxEvents 30
klist get HTTP/app.contoso.local
Prevention & Hardening
Govern SPN changes through identity workflows and continuously scan for duplicates in AD.
setspn -X
Get-ADServiceAccount -Filter * -Properties ServicePrincipalName
Get-ADUser -Filter {ServicePrincipalName -like '*'} -Properties ServicePrincipalName
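setspn -X reports duplicates as text. An added example (not from the original article) that serves both the duplicate-SPN check under Quick Checks and the continuous scan called for here: it indexes every SPN in the domain, returns the ones registered on more than one object as structured records, writes them to CSV and exits non-zero so a scheduled task or monitoring job registers a finding. It assumes the ActiveDirectory module; the report directory under ProgramData is an assumed location, and the scan is per domain (setspn -X can be run forest-wide if you have more than one domain).

```powershell
# Added example: structured duplicate-SPN scan suited to a scheduled task.
# Assumes: ActiveDirectory module; report path is illustrative.
function Find-DuplicateSpn {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $index = @{}
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                $key = $spn.ToLowerInvariant()   # SPN matching is case-insensitive
                if (-not $index.ContainsKey($key)) {
                    $index[$key] = [System.Collections.Generic.List[string]]::new()
                }
                $index[$key].Add($obj.DistinguishedName)
            }
        }
    foreach ($kv in $index.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{
                Spn    = $kv.Key
                Count  = $kv.Value.Count
                Owners = ($kv.Value -join '; ')
            }
        }
    }
}

$dupes      = @(Find-DuplicateSpn)
$ReportPath = "$env:ProgramData\spn-scan\duplicates-$(Get-Date -Format yyyyMMdd-HHmm).csv"
New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
$dupes | Export-Csv -NoTypeInformation -Path $ReportPath

if ($dupes.Count -gt 0) {
    Write-Warning "$($dupes.Count) duplicate SPN(s) found; see $ReportPath"
    exit 1   # non-zero so the scheduler or monitor treats this run as a finding
}
exit 0
```

Pairing this with the change workflow matters more than the scan itself: a duplicate that appears between two scheduled runs is a change that bypassed the identity process, and the CSV tells you which two objects to reconcile.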

