
Service Principal Names (SPNs)

A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. (Ref. MS Technet)

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

C:\Windows\system32>setspn -s http/shareddc10.internal.itbmv internal\cewsserviceusr1
Checking domain DC=INTERNAL,DC=ITBMV
Registering ServicePrincipalNames for CN=Service CES. Certificate Enrolment Web,CN=Managed Service Accounts,DC=INTERNAL,DC=ITBMV
http/shareddc10.internal.itbmv
Updated object
C:\Windows\system32>
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>setspn
Missing parameter: accountname.
Usage: setspn [modifiers switch] [accountname]
Where "accountname" can be the name or domain\name
of the target computer or user account
Edit Mode Switches:
-R = reset HOST ServicePrincipalName
Usage: setspn -R accountname
-S = add arbitrary SPN after verifying no duplicates exist
Usage: setspn -S SPN accountname
-D = delete arbitrary SPN
Usage: setspn -D SPN accountname
-L = list SPNs registered to target account
Usage: setspn [-L] accountname
Edit Mode Modifiers:
-C = specify that accountname is a computer account
-U = specify that accountname is a user account
Note: -C and -U are exclusive. If neither is specified, the tool will interpret accountname as a computer name if such a computer exists, and a user name if it does not.
Query Mode Switches:
-Q = query for existence of SPN
Usage: setspn -Q SPN
-X = search for duplicate SPNs
Usage: setspn -X
Note: searching for duplicates, especially forestwide, can take a long period of time and a large amount of memory. -Q will execute on each target domain/forest. -X will return duplicates that exist across all targets. SPNs are not required to be unique across forests, but duplicates can cause authentication issues when authenticating cross-forest.
Query Mode Modifiers:
-P = suppresses progress to the console and can be used when redirecting
output to a file or when used in an unattended script. There will be no
output until the command is complete.
-F = perform queries at the forest, rather than domain level
-T = perform query on the speicified domain or forest (when -F is also used)
Usage: setspn -T domain (switches and other parameters)
"" or * can be used to indicate the current domain or forest.
Note: these modifiers can be used with the -S switch in order to specify where the check for duplicates should be performed before adding the SPN. Note: -T can be specified multiple times.
Examples:
setspn -R daserver1
It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -S http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
if no such SPN exists in the domain
setspn -D http/daserver daserver1
It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"
if no such SPN exists in the forest
setspn -U -S http/daserver dauser
It will register SPN "http/daserver" for user account "dauser"
if no such SPN exists in the domain
setspn -T * -T bar -X
It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
It will find all SPNs of the form */daserver registered in the forest to
which bar belongs
C:\Windows\system32>
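The duplicate check that `setspn -S` runs before registering, and that `setspn -X` reports on, sketched in PowerShell as an added example (not code from the original post or from Microsoft). The helper names `Find-DuplicateSpn` and `Test-SpnAvailable`, the second account and the inventory itself are constructed for illustration.

```powershell
# Added example, not from the original post. Helper names are hypothetical.
function Find-DuplicateSpn {
    param([Parameter(Mandatory)][object[]]$Account)
    # One row per (SPN, owning account) pair; skip empty values.
    $rows = foreach ($a in $Account) {
        foreach ($spn in @($a.ServicePrincipalName | Where-Object { $_ })) {
            [pscustomobject]@{ Spn = $spn.Trim(); Owner = $a.DistinguishedName }
        }
    }
    # Group-Object compares case-insensitively by default, so HTTP/x and http/x collide.
    $rows | Group-Object -Property Spn | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{ Spn = $_.Name; Owners = $owners }
        }
    }
}

function Test-SpnAvailable {
    param([Parameter(Mandatory)][string]$Spn,
          [Parameter(Mandatory)][object[]]$Account)
    # -contains is case-insensitive; any existing holder blocks the registration.
    -not ($Account | Where-Object { $_.ServicePrincipalName -contains $Spn })
}

# Constructed inventory: the first entry is the account from the session above,
# the second is a hypothetical account holding the same SPN in different case.
$inventory = @(
    [pscustomobject]@{
        DistinguishedName    = 'CN=Service CES. Certificate Enrolment Web,CN=Managed Service Accounts,DC=INTERNAL,DC=ITBMV'
        ServicePrincipalName = @('http/shareddc10.internal.itbmv')
    },
    [pscustomobject]@{
        DistinguishedName    = 'CN=legacy-websvc,CN=Users,DC=INTERNAL,DC=ITBMV'
        ServicePrincipalName = @('HTTP/SHAREDDC10.internal.itbmv', 'http/shareddc10')
    }
)

# Report SPNs held by more than one account, then test two candidate SPNs.
Find-DuplicateSpn -Account $inventory | Format-List
Test-SpnAvailable -Spn 'http/shareddc10' -Account $inventory              # short name on the hypothetical account
Test-SpnAvailable -Spn 'http/newhost.internal.itbmv' -Account $inventory  # name not in the inventory

# Against a live domain (ActiveDirectory module), the same objects come from:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
```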
