SPN Constraint Violation

This error is a result of SPN collision in two different cluster machine accounts.  A smartconnect name is registered with one cluster machine account,  an operation is attempting to insert the same SPN smartconnect name into another AD machine account in the AD forest.


SPN are globally unique in the AD forest and are used for authentication with kerberos and SMB shares.   On failover the SPN Needs to be removed from 1 cluster machine account and added to the DR cluster AD machine account.


The above error appears when Eyeglass can not  sync an SPN detect on a cluster and tries to register the SPN in AD, AD returns this error if the SPN is already registered to another machine account.

This can happen if you duplicated the smartconnect name on another cluster or the DR cluster and then later deleted it. It may have been registered and left behind.


Using ADSI edit to compare the SPN's on both cluster machine accounts and use isi network pools -v to get a list of smartconnect FQDN that should be inserted into AD machine accounts.


You should also review these documents



Was this article helpful?
0 out of 1 found this helpful
Have more questions? Submit a request


Powered by Zendesk