SETSPN.exe – Windows CMD Command
Read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.
Syntax
      SETSPN [modifiers switch] [accountname]

Key
   accountname   The name or domain\name of the target computer or user account

Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
        Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
        Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
        Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
        Usage:   setspn [-L] accountname

Edit Mode Modifiers:
   -C = accountname is a computer account
   -U = accountname is a user account

   Note: -C and -U are exclusive. If neither is specified, setspn will interpret
   accountname as a computer name if such a computer exists, and a user name if it does not.

Query Mode Switches:
   -Q = query for existence of SPN
        Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
        Usage:   setspn -X
   Note: searching for duplicates, especially forest-wide, can take a long time and a large amount of memory.
   -Q will execute on each target domain/forest.
   -X will return duplicates that exist across all targets. SPNs are not required to be unique across forests, but duplicates can cause authentication issues when authenticating cross-forest.
Query Mode Modifiers:
   -P = suppress progress to the console; use when redirecting output to a file or in an unattended script.
        There will be no output until the command is complete.
   -F = perform queries at the forest, rather than domain, level
   -T = perform query on the specified domain or forest (when -F is also used)
        Usage:   setspn -T domain (switches and other parameters)
        "" or * can be used to indicate the current domain or forest.
   Note: these modifiers can be used with the -S switch in order to specify where the check for duplicates should be performed before adding the SPN.
   Note: -T can be specified multiple times.
setspn must be run from an elevated command prompt.
If setspn does not appear to be available, enable the Active Directory Domain Services or the AD LDS server role.
SPNs are set up automatically when a computer joins a domain (and when some services are installed). Some services and applications (e.g. SharePoint) require manual modification of a service account’s SPN information to authenticate correctly.
If the computer name or alias is changed, the SPNs for installed services must be changed to match.
Early versions of setspn had the option setspn -A, which skipped the check for duplicates; use setspn -S in preference to it.
Administrators with only delegated authority (non-domain administrators) will require the "Validated write to service principal name" permission to configure service principal names (SPNs).
Duplicate SPNs will cause Kerberos authentication to fail and fall back to NTLM; run setspn -X periodically to check for them.
SPN Format
When you manipulate SPNs with setspn, the SPN must be entered in the correct format. The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value.
Unless the service name and port are non-standard, you do not have to enter them.
For example, the default SPNs for a server named Server64 that is providing remote desktop (RDP) services (TERMSRV) over the default port (TCP 3389) register the following two SPNs in its own Active Directory computer object:
TERMSRV/Server64
TERMSRV/Server64
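As an added example that is not part of the original page, the following Python parses SPNs in the serviceclass/host:port/servicename form described above and applies the same duplicate check that setspn -X performs, but over a constructed in-memory mapping of accounts to their SPNs (the shape of setspn -L output for each account) rather than a live directory. The account names, host names and the example.local domain are invented for the example; SPN comparison is treated as case-insensitive, which is how Active Directory matches them.

```python
"""Parse SPNs and flag ones registered to more than one account.

Added example, not code from the SETSPN page. It models the check that
`setspn -X` performs, using a constructed in-memory account -> SPN mapping
instead of querying Active Directory.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def normalized(self) -> str:
        """Canonical key used for duplicate comparison.

        AD matches SPNs case-insensitively, so the key is lower-cased;
        the optional port and service name are kept when present.
        """
        key = f"{self.service_class.lower()}/{self.host.lower()}"
        if self.port is not None:
            key += f":{self.port}"
        if self.service_name is not None:
            key += f"/{self.service_name.lower()}"
        return key


def parse_spn(text: str) -> SPN:
    """Split 'serviceclass/host[:port][/servicename]' into its parts.

    Raises ValueError for strings that do not follow the documented format
    (missing service class or host, empty components, non-numeric port).
    """
    parts = text.strip().split("/")
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"malformed SPN: {text!r}")
    service_class, host_part = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 else None
    port: Optional[int] = None
    if ":" in host_part:
        host_part, port_text = host_part.rsplit(":", 1)
        if not host_part or not port_text.isdigit():
            raise ValueError(f"malformed host:port in SPN: {text!r}")
        port = int(port_text)
    return SPN(service_class, host_part, port, service_name)


def is_valid_spn(text: str) -> bool:
    """True if the string parses as an SPN, False otherwise."""
    try:
        parse_spn(text)
    except ValueError:
        return False
    return True


def find_duplicate_spns(accounts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {normalized SPN: [accounts]} for SPNs held by more than one account.

    `accounts` maps an account name to the SPNs registered on it, i.e. what
    `setspn -L <account>` would list for each account.
    """
    owners: dict[str, set[str]] = defaultdict(set)
    for account, spns in accounts.items():
        for raw in spns:
            owners[parse_spn(raw).normalized()].add(account)
    return {spn: sorted(holders) for spn, holders in owners.items() if len(holders) > 1}


# Constructed sample data (not from a real directory): SERVER64$ and SVC_RDP
# both hold TERMSRV/Server64, differing only in case, which is exactly the
# kind of duplicate that makes Kerberos fail for that service.
SAMPLE_ACCOUNTS = {
    "SERVER64$": ["TERMSRV/Server64", "TERMSRV/Server64.example.local", "HOST/Server64"],
    "SVC_RDP": ["termsrv/SERVER64"],
    "SVC_SQL": ["MSSQLSvc/Server64.example.local:1433"],
}

if __name__ == "__main__":
    for spn, holders in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn} registered to: {', '.join(holders)}")
```

Feeding the script real data means collecting the output of setspn -L for each account of interest (or an LDAP query for the servicePrincipalName attribute) into the same account-to-SPN mapping; the duplicate report then lists the accounts that must be reconciled with setspn -D before Kerberos will work for that service.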
To allow the server to be accessed under a DNS CNAME alias, set the DisableStrictNameChecking key in the registry:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
   DisableStrictNameChecking
   Data type: REG_DWORD
   Set Value: 1
On the server, create SPNs for the flat name and the fully qualified name of the CNAME alias:
   setspn -S host/your_ALIAS_name ServerName
   setspn -S host/your_ALIAS_name.domain.com ServerName
Then reboot the host.