The Service Principal Name of the Federation Service account is not registered or is not unique. As a result, Windows Integrated Authentication from domain-joined clients may not be seamless.
Recommended action
Use [SETSPN -L ServiceAccountName] to list the Service Principals.
Use [SETSPN -X] to check for duplicate Service Principal Names.
If SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [SETSPN -d service/namehostname]
If SPN is not set, use [SETSPN -s Desired-SPN domain_name\service_account] to set the desired SPN for the Federation Service Account.
To check health of your services monitored by Azure Active Directory Connect Health, visit the Azure AD Connect Health Portal.
If you no longer wish to receive these notifications, read the instructions for updating your settings. Only global administrators can change settings.
Invalid Service Principal Name (SPN) for the AD FS service account.
-
thaterrormessage
- Site Admin
- Posts: 7244
- Joined: Tue Jul 14, 2020 3:21 pm
Invalid Service Principal Name (SPN) for the AD FS service account.
*IS THIS ERROR HAPPENING NOW? Reply in real-time below.* Hold software providers accountable - we rely on the community to acknowledge the same errors and their workarounds/fixes. Register to search and full board access.