SETSPN.exe – Windows CMD Command

Read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.

searching for duplicates, especially forestwide, can take a long period of time and a large amount of memory.
-Q will execute on each target domain/forest.
-X will return duplicates that exist across all targets. SPNs are not required to be unique across forests, but duplicates can cause authentication issues when authenticating cross-forest.

Note: these modifiers can be used with the -S switch in order to specify where the check for duplicates should be performed before adding the SPN. Note: -T can be specified multiple times.

setspn must be run from an elevated command prompt.

If setspn does not appear to be available, enable the Active Directory Domain Services or the AD LDS server role.

SPNs are set up automatically when a computer joins a domain (and when some services are installed). Some services and applications (e.g. SharePoint) require manual modification of a service account’s SPN information to authenticate correctly.

If the computer name or Alias is changed, the SPNs for installed services must be changed to match.

Early versions of Setspn had the option Setspn -A, which skipped the check for duplicates, use Setspn -S in preference to this.

Administrators with only delegated authority (non domain administrators) will require the Validated write to service principle name permission to configure service principal names (SPNs).

Duplicate SPNs will cause Kerberos to fail and fall back to NTLM, run setspn -x periodically to check for this.

SPN Format

When you manipulate SPNs with setspn, the SPN must be entered in the correct format. The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value.
Unless the service name and port are non standard, you do not have to enter them.

For example, the default SPNs for a server named Server64 that is providing remote desktop (RDP) services (TERMSRV) over the default port (TCP 3389) register the following two SPNs in its own Active Directory computer object:

Then reboot the Host.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *