SETSPN.exe

Read, modify, or delete the Service Principal Names (SPN) for an Active Directory service account.

Syntax
      SETSPN [modifiers switch] [accountname]

Key
   accountname  The name or domain\name of the target computer or user account

   Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
        Usage:  setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
        Usage:  setspn -S SPN accountname
   -D = delete arbitrary SPN
        Usage:  setspn -D SPN accountname
   -L = list SPNs registered to target account
        Usage:  setspn [-L] accountname

   Edit Mode Modifiers:
   -C = accountname is a computer account
   -U = accountname is a user account

        Note: -C and -U are exclusive.  If neither is specified, setspn
        will interpret accountname as a computer name if such a computer
        exists, and a user name if it does not.

   Query Mode Switches:
   -Q = query for existence of SPN
        Usage:  setspn -Q SPN
   -X = search for duplicate SPNs
        Usage:  setspn -X

        Searching for duplicates, especially forestwide, can take a long period
        of time and a large amount of memory. -Q will execute on each target
        domain/forest. -X will return duplicates that exist across all targets.
        SPNs are not required to be unique across forests, but duplicates can
        cause authentication issues when authenticating cross-forest.

   Query Mode Modifiers:
   -P = suppress progress to the console, use when redirecting output to a file or
        in an unattended script. There will be no output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the specified domain or forest (when -F is also used)
        Usage:  setspn -T domain (switches and other parameters)
        "" or * can be used to indicate the current domain or forest.

        Note: these modifiers can be used with the -S switch in order to specify
        where the check for duplicates should be performed before adding the SPN.
        Note: -T can be specified multiple times.

setspn must be run from an elevated command prompt.

If setspn does not appear to be available, enable the Active Directory Domain Services or the AD LDS server role.

SPNs are set up automatically when a computer joins a domain (and when some services are installed). Some services and applications (e.g. SharePoint) require manual modification of a service account’s SPN information to authenticate correctly.

If the computer name or Alias is changed, the SPNs for installed services must be changed to match.

Early versions of Setspn had the option Setspn -A, which skipped the check for duplicates; use Setspn -S in preference to this.

Administrators with only delegated authority (non domain administrators) will require the Validated write to service principal name permission to configure service principal names (SPNs).

Duplicate SPNs will cause Kerberos to fail and fall back to NTLM; run setspn -X periodically to check for this.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated.

SPN Format

When you manipulate SPNs with setspn, the SPN must be entered in the correct format. The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value.
Unless the service name and port are non-standard, you do not have to enter them.

For example, a server named Server64 that provides remote desktop (RDP) services (TERMSRV) over the default port (TCP 3389) registers the following two default SPNs in its own Active Directory computer object:
TERMSRV/Server64
TERMSRV/Server64.ss64.com
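As an added example (not part of the SS64 page), the PowerShell below splits an SPN into the serviceclass, host, port and servicename parts described above, and then applies the duplicate check that the text recommends (setspn -X) to a set of accounts. The accounts and SPNs are constructed sample data; the Get-ADObject query in the comment is the assumed way to feed it a live domain (it needs the ActiveDirectory module and a domain-joined host).

```powershell
# Added example, not from the SS64 page. Sample data is constructed; for a live
# domain, replace $sample with:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
# (ActiveDirectory RSAT module), which returns objects with the same two properties.

function ConvertFrom-Spn {
    # Split serviceclass/host[:port][/servicename] into its parts; throw on bad input
    param([Parameter(Mandatory)][string]$Spn)
    $m = [regex]::Match($Spn, '^(?<class>[^/]+)/(?<host>[^/:]+)(?::(?<port>\d+))?(?:/(?<name>[^/]+))?$')
    if (-not $m.Success) { throw "Malformed SPN: $Spn" }
    $port = $null
    if ($m.Groups['port'].Success) { $port = [int]$m.Groups['port'].Value }
    $name = $null
    if ($m.Groups['name'].Success) { $name = $m.Groups['name'].Value }
    [pscustomobject]@{
        Spn          = $Spn
        ServiceClass = $m.Groups['class'].Value
        Host         = $m.Groups['host'].Value
        Port         = $port
        ServiceName  = $name
    }
}

function Find-DuplicateSpn {
    # Accounts: objects with Name and servicePrincipalName (string or string[]).
    # Returns one row per SPN registered on more than one account.
    param([Parameter(Mandatory)][object[]]$Accounts)
    $index = @{}
    foreach ($acct in $Accounts) {
        foreach ($spn in @($acct.servicePrincipalName)) {
            # AD compares servicePrincipalName case-insensitively, so key on lower case
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object 'System.Collections.Generic.List[string]'
            }
            $index[$key].Add($acct.Name)
        }
    }
    foreach ($entry in $index.GetEnumerator()) {
        $owners = @($entry.Value | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Spn = $entry.Key; Accounts = ($owners -join ', ') }
        }
    }
}

# Constructed sample: a computer account and two service accounts. The third
# account re-registers the SQL SPN in a different case, the kind of duplicate
# that breaks Kerberos for that service.
$sample = @(
    [pscustomobject]@{ Name = 'SERVER64$'; servicePrincipalName = @('TERMSRV/Server64', 'TERMSRV/Server64.ss64.com', 'HOST/Server64') }
    [pscustomobject]@{ Name = 'svc-sql';   servicePrincipalName = @('MSSQLSvc/sql01.ss64.com:1433', 'MSSQLSvc/sql01.ss64.com') }
    [pscustomobject]@{ Name = 'svc-old';   servicePrincipalName = @('mssqlsvc/SQL01.ss64.com:1433') }
)

# Parse every SPN in the sample, then report the duplicates
$sample.servicePrincipalName | ForEach-Object { ConvertFrom-Spn $_ } | Format-Table -AutoSize
Find-DuplicateSpn -Accounts $sample | Format-Table -AutoSize
```

The lower-cased key is the important design choice: a duplicate that differs only in case is still a duplicate to the KDC, so a check that compares SPNs as exact strings would miss it. Anything Find-DuplicateSpn reports is what you would then resolve with setspn -D on the account that should not own the name.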

Examples

View a list of the SPNs that the computer server64 has registered with Active Directory from a command prompt:

setspn -l server64

View a list of the SPNs that the local computer has registered with Active Directory from a command prompt:

setspn -l hostname

Reset the SPNs for the computer server64 back to the default:

setspn -r server64

Add an SPN for LDAP to an AD domain controller with the host name dc1.ss64.com:

setspn -s ldap/dc1.ss64.com dc1

Delete the SPN for LDAP from an AD domain controller with the host name dc1.ss64.com:

setspn -d ldap/dc1.ss64.com dc1

Create an alias name for a server:

Create a CNAME record (not a normal Host (A) record) in DNS.

Set the DisableStrictNameChecking key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
DisableStrictNameChecking
Data type: REG_DWORD
Set Value: 1

On the server create SPNs for the flat name and the fully qualified name of the CNAME alias:
setspn -S host/your_ALIAS_name ServerName
setspn -S host/your_ALIAS_name.domain.com ServerName

Then reboot the Host.
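The four alias steps above, as an added PowerShell example that is not from the SS64 page. The alias 'fileshare', target computer 'Server64', DNS zone 'ss64.com' and DNS server 'dc1' are placeholders; the script assumes an elevated PowerShell session on a domain-joined admin host that has setspn.exe and the DnsServer RSAT module, and an account allowed to write the DNS zone, the server's registry and the computer account's servicePrincipalName.

```powershell
# Added example, not from the SS64 page. All names below are placeholders.
$Alias     = 'fileshare'                 # flat alias name
$Server    = 'Server64'                  # flat name of the server that owns the alias
$DnsZone   = 'ss64.com'                  # DNS zone / AD domain
$DnsServer = 'dc1'                       # DNS server to write the record on
$AliasFqdn = "$Alias.$DnsZone"

# 1. CNAME record (not a Host (A) record) pointing the alias at the server
Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $DnsZone `
    -Name $Alias -HostNameAlias "$Server.$DnsZone"

# 2. DisableStrictNameChecking = 1 (REG_DWORD) on the target server, so the
#    Server service accepts connections made to the alias name
$regPath = 'HKLM:\System\CurrentControlSet\Services\LanmanServer\Parameters'
Invoke-Command -ComputerName $Server -ScriptBlock {
    New-ItemProperty -Path $using:regPath -Name 'DisableStrictNameChecking' `
        -Value 1 -PropertyType DWord -Force | Out-Null
}

# 3. HOST SPNs for the flat and fully qualified alias. -S verifies that no
#    other account already holds the SPN before adding it; if setspn reports a
#    failure (non-zero exit code), find the existing owner with -Q before retrying.
foreach ($spn in "host/$Alias", "host/$AliasFqdn") {
    setspn -S $spn $Server
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn -S $spn $Server did not succeed; run 'setspn -Q $spn' to see who owns it."
    }
}

# 4. Reboot the server so the alias and SPNs take effect
Restart-Computer -ComputerName $Server -Force
```

Using -S rather than the old -A matters here: an alias that is added as a second HOST SPN on the wrong account is exactly the duplicate that makes Kerberos fail for that name and drop to NTLM, and -S refuses to create it.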

“I have the world’s worst taste in men, so now I simply have wonderful relationships of the friend kind, but trying to settle down with somebody? No, no, no, no, no, no, no. I’m beyond that” ~ Harvey Fierstein

Related commands

RepAdmin - Diagnose Active Directory replication problems between domain controllers.
DcDiag - Analyze the state of domain controllers and report any problems.
DsMgmt - Manage password operations over unsecured connections, AD Lightweight Directory Services application partitions, flexible single master operations (FSMO), and clean up AD metadata.
TechNet - Troubleshooting SPN Issues


 
Copyright © 1999-2025SS64.com
Some rights reserved
