Recently I got a comment asking how to locate duplicate SPNs when using Windows Server 2008.
Luckily, this is very easy, because the SETSPN command from Windows Server 2008 has this functionality built in:
Remove the duplicate service principal name
Each service principal name (SPN) must be unique. Without unique principal names, the Kerberos client is not able to ensure that the server it is communicating with is the correct one. You must identify the duplicate SPN, and then remove it.
To perform these procedures, you must be a member of the Domain Admins group, or you must have been delegated the appropriate authority.
To identify the duplicate SPN:
1. Log on to the computer referenced in the event log message. If this computer is not running Windows Server 2008, you must download and install the Windows Server 2003 Resource Kit, which includes setspn.exe.
2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. Type setspn -X.
5. The output of this command will show the duplicate SPNs.
6. Use the following procedure to remove one of the duplicate SPNs.
Remove an SPN
To remove an SPN:
1. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
3. Type setspn -D <SPN> <computer_name>, where SPN is the name of the duplicate SPN and computer_name is the name of the computer that is assigned the duplicate SPN.
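A scripted cross-check for the duplicate search, as an added example that is not part of the original post or the quoted procedure: it groups servicePrincipalName values by account and reports any SPN held by more than one account. The function names and the sample accounts are constructed for illustration; it assumes PowerShell 3.0 or later, and the live query covers only the current domain and is read-only.

```powershell
# Added example. Function names are hypothetical, not part of setspn.
function Get-DuplicateSpn {
    param(
        # Records with DistinguishedName and ServicePrincipalName properties.
        [Parameter(Mandatory = $true)] [object[]] $Account
    )
    $Account |
        ForEach-Object {
            $dn = $_.DistinguishedName
            foreach ($spn in $_.ServicePrincipalName) {
                # SPN matching is case-insensitive, so normalise before grouping.
                [pscustomobject]@{ Spn = $spn.ToLowerInvariant(); Account = $dn }
            }
        } |
        Group-Object Spn |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Spn      = $_.Name
                Accounts = @($_.Group | ForEach-Object { $_.Account })
            }
        }
}

# Read every object that carries an SPN from the current domain (LDAP, read-only).
function Get-DomainSpnAccount {
    $searcher = [adsisearcher]'(servicePrincipalName=*)'
    $searcher.PageSize = 1000   # page results so large domains are not truncated
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                DistinguishedName    = [string]$r.Properties['distinguishedname'][0]
                ServicePrincipalName = @($r.Properties['serviceprincipalname'])
            }
        }
    } finally { $results.Dispose() }
}

# Constructed sample data (not from a real domain): one SPN on two accounts.
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=WEB01,OU=Servers,DC=example,DC=test'
                       ServicePrincipalName = @('HTTP/intranet.example.test', 'HOST/web01') }
    [pscustomobject]@{ DistinguishedName = 'CN=svc-web,OU=Service,DC=example,DC=test'
                       ServicePrincipalName = @('http/intranet.example.test') }
)
Get-DuplicateSpn -Account $sample | Format-List
# Against a live domain: Get-DuplicateSpn -Account @(Get-DomainSpnAccount)
```

Each account listed for an SPN is a candidate for the setspn -D step above; decide which account should legitimately own the SPN before removing it from the other.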