Dangling Service Principal Names Test
A dangling Service Principal Name (SPN) is an SPN entry that refers to an account that no longer exists or has been deleted from Active Directory. If such entries are not cleaned up during deprovisioning, they remain in the directory and can cause Kerberos authentication failures and service resolution problems. They are also a security risk: an attacker who can register the same SPN on an account they control receives the Kerberos service tickets that clients request for that service and can impersonate it (SPN spoofing), which may lead to unauthorized access. Detecting any increase in the number of dangling SPNs promptly therefore helps prevent these issues. This test reports the number of dangling SPNs it finds so that administrators can remove them, keeping authentication reliable and reducing the risk of a security breach.
Target of the test : An Active Directory server
Agent deploying the test : An internal agent
Outputs of the test : One set of results for every Active Directory site that is being monitored
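The page does not describe how the test decides that an SPN is dangling. The following PowerShell script is an added example, not part of eG Enterprise or its documentation, that applies a common heuristic (an assumption here): an SPN is treated as dangling when the host named in it matches no computer object in the domain and does not resolve in DNS. It assumes the RSAT ActiveDirectory module, the DnsClient module (for Resolve-DnsName), and an account with read access to servicePrincipalName on all objects. SPNs flagged this way are exactly the ones an attacker could re-register on an account they control.

```powershell
# Added example (assumed heuristic; not the eG Enterprise test's own algorithm).
# Requires: RSAT ActiveDirectory module, DnsClient module, read access to all SPNs.
Import-Module ActiveDirectory

function Get-SpnHost {
    param([string]$Spn)
    # SPN format: service/host[:port][/instance]; host may be short or FQDN
    $parts = $Spn.Split('/')
    if ($parts.Count -lt 2) { return $null }
    return ($parts[1].Split(':')[0]).ToLowerInvariant()
}

# Build a set of known computer names (both FQDN and NetBIOS-style short name)
$computerNames = Get-ADComputer -Filter * -Properties dNSHostName |
    ForEach-Object { $_.dNSHostName; $_.Name } |
    Where-Object { $_ } |
    ForEach-Object { $_.ToLowerInvariant() }
$known = [System.Collections.Generic.HashSet[string]]::new([string[]]$computerNames)

# Walk every object that carries at least one SPN (users, computers, MSAs/gMSAs)
$dangling = foreach ($obj in Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName) {
    foreach ($spn in $obj.servicePrincipalName) {
        $spnHost = Get-SpnHost $spn
        if (-not $spnHost) { continue }
        $short = $spnHost.Split('.')[0]
        if ($known.Contains($spnHost) -or $known.Contains($short)) { continue }
        # Not a computer object: the host may still be a CNAME/A record for a service
        # alias (e.g. HTTP/app.example.com), so check DNS before flagging it
        if (Resolve-DnsName -Name $spnHost -ErrorAction SilentlyContinue) { continue }
        [pscustomobject]@{
            Account = $obj.DistinguishedName
            Class   = $obj.ObjectClass
            SPN     = $spn
            Host    = $spnHost
        }
    }
}

$dangling | Sort-Object Host | Format-Table -AutoSize
"Dangling SPNs found: $(@($dangling).Count)"
```

The final count corresponds to what this test reports as "Dangling service principal names found", and the per-SPN rows are the kind of detail its detailed diagnosis surfaces. Review each row before cleanup (a host that is temporarily offline in DNS will also be listed); an SPN that is genuinely orphaned can then be removed from its account with `Set-ADObject -Identity $dn -Remove @{servicePrincipalName = $spn}`.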
Parameters | Description
---|---
Test period | This indicates how often the test should be executed.
Host | The IP address of the machine where Active Directory is installed.
Port | The port number through which Active Directory communicates. The default port number is 389.
DD Frequency | Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 1:1. This indicates that, by default, detailed measures will be generated every time this test runs, and also every time the test detects a problem. You can modify this frequency if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD frequency.
Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:
Measurement | Description | Measurement Unit | Interpretation
---|---|---|---
Dangling service principal names found | Indicates the total number of Service Principal Names in Active Directory that are currently associated with deleted or non-existent accounts. | Number | If the value of this measure is high, it indicates the presence of numerous invalid SPN references in Active Directory. This points to the need to remove these dangling entries to maintain the security, integrity, and proper functioning of the directory. Use the detailed diagnosis of this measure to find out the details of the dangling SPNs.