Kerberos: Authentication fails, 'Defective token detected'

Answer: Generally this indicates that something was done incorrectly when running the ktpass command, or that it has been run multiple times with one AD account, leading to duplicate SPNs. If duplicate SPNs are present, there is no way for TOPdesk to know which should be used. If the ktpass command is run again, the original AD user should always be deleted, or any existing SPNs removed by using a command.

It is also possible that the details in the keytab no longer match, for instance because the name of the TOPdesk server or of the domain controller has changed.

We recommend starting fresh, as machines and services regularly cache Kerberos tickets and users:

1. Delete the keytab.
2. On the domain controller, run the command 'setspn -x' to check whether there are any duplicate SPNs relating to TOPdesk.
3. Either delete the AD user initially used, or remove any SPNs on this user. To remove an SPN, use the 'setspn -d service/name hostname' command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing 'setspn -d http/server3.contoso.com server3', and then pressing ENTER.
4. Create a new user and run the ktpass command again, after starting the command prompt with administrator permissions to ensure that this is not limiting the creation of the keytab.

More info

'Defective token detected' indicates that something is wrong with the generated keytab file, which does not fully match the available information about the TOPdesk server and the domain controller. This causes the negotiation between the TOPdesk server and the domain controller to fail.
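The duplicate check and SPN cleanup from steps 2 and 3 can be previewed per SPN before anything is changed. This is an added example, not TOPdesk's own tooling; it assumes the RSAT ActiveDirectory module is available, and the SPN and account name are constructed placeholders.

```powershell
# Added example, not TOPdesk's own tooling. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Constructed placeholders: replace with your own SPN and service account.
$Spn    = 'HTTP/topdesk.example.com'
$KeepOn = 'svc-topdesk-new'   # the only account that should hold $Spn

# Step 2: duplicate SPN check, as in the article.
setspn -X

# Find every AD object that currently registers this SPN.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" `
                          -Properties servicePrincipalName, sAMAccountName)

if ($holders.Count -eq 0) {
    Write-Output "No account holds $Spn yet."
} elseif ($holders.Count -gt 1) {
    Write-Warning "$Spn is registered on $($holders.Count) accounts (duplicate SPN)."
}

foreach ($h in $holders) {
    Write-Output ("{0} -> {1}" -f $Spn, $h.sAMAccountName)
    if ($h.sAMAccountName -eq $KeepOn) { continue }

    # Step 3: remove the stale registration; same effect as
    #   setspn -d $Spn <account>
    # -eq is case-insensitive, so this picks the value exactly as stored.
    $stored = @($h.servicePrincipalName | Where-Object { $_ -eq $Spn })
    foreach ($value in $stored) {
        # Drop -WhatIf once the preview shows only the accounts you expect.
        Set-ADObject -Identity $h -Remove @{ servicePrincipalName = $value } -WhatIf
    }
}

# Step 4 (not scripted here): create the new user and run ktpass from an
# elevated prompt, then re-run this script; exactly one holder should remain.
```

With -WhatIf in place the script only reports what it would remove, so it is safe to run first as an audit.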