Invalid Service Principal Name (SPN) for the AD FS service account.

Posted: Thu Jul 30, 2020 12:42 pm
by thaterrormessage
The Service Principal Name of the Federation Service account is not registered or is not unique. As a result, Windows Integrated Authentication from domain-joined clients may not be seamless.

Recommended action
Use [SETSPN -L ServiceAccountName] to list the Service Principals.
Use [SETSPN -X] to check for duplicate Service Principal Names.
If SPN is duplicated for the AD FS service account, remove the SPN from the duplicated account using [SETSPN -d service/name hostname]
If SPN is not set, use [SETSPN -s Desired-SPN domain_name\service_account] to set the desired SPN for the Federation Service Account.
To check health of your services monitored by Azure Active Directory Connect Health, visit the Azure AD Connect Health Portal.
If you no longer wish to receive these notifications, read the instructions for updating your settings. Only global administrators can change settings.
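As an added example that is not part of the original post, the following PowerShell carries out the alert's "Recommended action" checks read-only and prints which setspn remediation command applies, instead of changing anything itself. It assumes it runs on the AD FS server with the ADFS and ActiveDirectory modules available, that the AD FS Windows service is named adfssrv, and that the SPN AD FS needs is host/<federation service name>.

```powershell
<#
 Added example (not from the original post): audit the AD FS service account's SPN
 registration as the alert's "Recommended action" describes, without modifying anything.
 Assumptions: run on an AD FS server with the ADFS and ActiveDirectory modules installed,
 the AD FS Windows service is named 'adfssrv', and the SPN AD FS needs is host/<federation service name>.
#>
Import-Module ADFS
Import-Module ActiveDirectory

$fsName   = (Get-AdfsProperties).HostName          # federation service name, e.g. fs.contoso.com
$svc      = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
$account  = ($svc.StartName -split '\\')[-1]       # "CONTOSO\svc_adfs" -> "svc_adfs" (a gMSA ends in '$')
$expected = "host/$fsName"

Write-Host "Federation service name : $fsName"
Write-Host "Service account         : $($svc.StartName)"

# Step 1 (SETSPN -L ServiceAccountName): list the SPNs registered on the service account.
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$account)" -Properties servicePrincipalName
if (-not $acct) { throw "Account '$account' not found in Active Directory." }
$spns = @($acct.servicePrincipalName)
Write-Host "Registered SPNs:"
$spns | ForEach-Object { Write-Host "  $_" }

# Step 2 (SETSPN -X): find every object in this domain carrying the SPN AD FS needs;
# more than one holder means the SPN is not unique. (setspn -X -F scans the whole forest.)
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expected)")

if ($holders.Count -gt 1) {
    Write-Warning "SPN '$expected' is registered on $($holders.Count) objects (not unique):"
    $holders | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
    Write-Warning "Remove it from the wrong object with: setspn -D $expected <that-account>"
}
elseif ($spns -notcontains $expected) {
    Write-Warning "SPN '$expected' is not registered on $account."
    Write-Warning "Register it with: setspn -S $expected $($svc.StartName)"
}
else {
    Write-Host "OK: '$expected' is registered exactly once, on $account." -ForegroundColor Green
}
```

Run it in an elevated PowerShell session on the federation server; the warning text quotes the same setspn -D / setspn -S commands the alert recommends so the fix can be applied deliberately after reviewing the output.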