Ensure No Duplicate SPNs in Active Directory
Make sure there are no duplicate identifiers for network services in the organisation's Active Directory system.
Plain language
This control is about making sure there aren't any repeat identifiers for network services in our organisation's Active Directory system. If there are duplicates, it can confuse the system and potentially allow unauthorised access to sensitive information, leading to security breaches or disruptions in services.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Duplicate SPNs do not exist within the domain.
Why it matters
Duplicate SPNs break Kerberos service authentication: the KDC can no longer tie the SPN to a single account, so tickets may be issued for the wrong account, letting attackers impersonate the service and gain access.
Operational notes
Run setspn -X regularly to find duplicate SPNs, then remove or correct them so each SPN maps to only one AD account.
Implementation tips
- The IT team should conduct a thorough inventory of all service principal names (SPNs) in the Active Directory. Use a script or tool to extract and list all SPNs to ensure there are no duplicates. This helps in identifying and resolving any duplication quickly.
- IT administrators should regularly monitor and manage SPNs. Set up a routine check every quarter where you compare current SPNs with previous records to spot any undesired changes or duplicates.
- Ensure training for IT staff: Arrange a training session where experienced IT personnel teach others about managing SPNs effectively. This includes explaining what SPNs are, why they're important, and how to manage them without causing duplicates.
- Management should enforce policy compliance: Create policies that mandate regular checks of SPN assignments and audits. Clearly document these policies and communicate the compliance requirements to all relevant staff.
- Utilise tools to automate SPN management: The IT team should integrate tools that automatically manage SPN assignments, flag duplicates, and suggest corrections. Choose from reputable tools already reviewed for this specific purpose.
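The operational note above relies on setspn -X; the following PowerShell is an added example (not the Control Stack page's own tooling) that produces the same inventory with the ActiveDirectory RSAT module and writes a dated CSV that can serve as the quarterly review record. It assumes the module is installed and the caller has read access to servicePrincipalName across the domain; no write access is required.

```powershell
# Added example, not from the original page: list every SPN in the domain
# and report any value registered on more than one account.
# Assumes the ActiveDirectory RSAT module is available and the caller can
# read servicePrincipalName domain-wide (read-only; nothing is modified).
Import-Module ActiveDirectory

function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # Every object (user, computer, gMSA, ...) carrying at least one SPN.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase $SearchBase -SearchScope Subtree `
        -Properties servicePrincipalName, objectClass

    # Flatten to one row per (SPN, account). Compare case-insensitively so
    # values that differ only in case are surfaced for review as well.
    $rows = foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            [pscustomobject]@{
                Spn     = $spn.ToLowerInvariant()
                Account = $obj.DistinguishedName
                Class   = $obj.objectClass
            }
        }
    }

    # An SPN bound to more than one distinct account is a duplicate.
    $rows | Group-Object Spn | Where-Object {
        @($_.Group.Account | Select-Object -Unique).Count -gt 1
    } | ForEach-Object {
        [pscustomobject]@{
            Spn      = $_.Name
            Count    = $_.Count
            Accounts = (@($_.Group.Account | Select-Object -Unique) -join '; ')
        }
    }
}

# Run the check and keep a dated record as evidence for the review cycle.
$dupes = Find-DuplicateSpn
$dupes | Format-Table -AutoSize
$dupes | Export-Csv -NoTypeInformation `
    -Path ("spn-duplicates-{0:yyyyMMdd}.csv" -f (Get-Date))
```

An empty result set is the expected state; each row returned names the accounts sharing the SPN so the extra registration can be removed with setspn -D on the wrong account.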
Audit / evidence tips
- Ask: the SPN review and inventory documentation. Request records from the latest SPN inventory review conducted by the IT team.
  Good: will show no duplicates and provide a record of changes since the last review.
- Ask: proof of training programs. Request materials from any training sessions conducted for IT staff regarding SPN management. Review attendance lists and training content.
  Good: includes dated records of training sessions with clear objectives and outcomes.
- Ask: the internal policy documentation on SPN management within Active Directory.
  Good: should include details about frequency and scope of compliance checks.
- Ask: a demonstration of the SPN monitoring tool. Request a demonstration of the tool used for automating SPN management. Observe the tool's interface and its ability to detect duplicates.
  Good: will show the tool identifying duplicates and offering recommended actions.
- Ask: a copy of the most recent compliance report regarding SPN checks.
  Good: will have no incidents of SPN duplication and clearly indicate all checks were completed on time.
Cross-framework mappings
How ISM-1834 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Partially meets | Annex A 5.16 | ISM-1834 requires organisations to ensure duplicate Service Principal Names (SPNs) do not exist within an Active Directory domain to pres... |
| Partially meets | Annex A 8.9 | ISM-1834 requires organisations to maintain a correct Active Directory configuration state by preventing or remediating duplicate SPNs, w... |
| Supports | Annex A 8.2 | ISM-1834 requires organisations to ensure duplicate SPNs do not exist in the domain, reducing the likelihood of ambiguous Kerberos servic... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.