This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview[1]
To manage [SPNs] manually, an administrator can use the [{$pagename}] tool that ships with the Microsoft Windows Server Support Tools.
Whenever you suspect a Service Principal Name (SPN) registration problem, [{$pagename}] is the place to start. Each new version of Windows has extended the [{$pagename}] command-line utility; the options below are those of the Windows 2008 R2 [{$pagename}].
! Typical usage
* setspn -x: performs a quick check for duplicate SPNs in the domain, which in turn may explain why authentication is falling back to NTLM
* setspn -l: lists the SPNs registered for a given machine or user account
* setspn -q: queries for a given SPN
* setspn -d: removes a given SPN from a given account
* setspn -a: registers an SPN for a given account without any duplicate check; avoid this one and use setspn -s (and -f) instead
* setspn -s: registers an SPN for a given account after verifying that no duplicate exists in the domain
* setspn -f -s: registers an SPN for a given account after verifying that no duplicate exists in the whole forest
! Duplicate SPNs
When creating and using new SPNs with Web services, you may need to perform some troubleshooting. For instance, if you accidentally map the same SPN to two different accounts, the SPN will no longer work. It may also be necessary to list all of the SPNs that are associated with an account to determine if a specific SPN has been created.
Windows Support Tools for Windows Server contains a utility named Ldifde.exe that you can use to list all accounts that map to a specific SPN.
To perform a query with Ldifde.exe
From the Windows Support Tools menu, open the command prompt.
Type the following command:
{{{
ldifde -f c:\spn_out.txt -d "DC=globalbank,DC=net" -l serviceprincipalname -r "(serviceprincipalname=HTTP/LONDON*)" -p subtree
}}}
This command searches for all of the SPNs in the globalbank.net domain that match the search mask HTTP/LONDON*. It writes the results to a text file named spn_out.txt on drive C.
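The duplicate check that setspn -x performs, and that the ldifde export above lets you do by hand for one search mask, can also be run across the whole domain from PowerShell. The script below is an added example and is not part of the original page or of the setspn tool; it assumes a domain-joined host, a user allowed to read the directory, and the built-in [adsisearcher] accelerator (System.DirectoryServices.DirectorySearcher), so no RSAT module is needed. The function name Find-DuplicateSpn is made up for this example.

```powershell
# Added example (not from the original page): list every servicePrincipalName
# in the domain and report those registered on more than one account, which is
# the condition "setspn -x" checks for and the cause of the NTLM fallback
# described above. Assumptions: domain-joined host, read access to the directory.

function Find-DuplicateSpn {
    param(
        # Search root; defaults to the current domain's default naming context.
        [string]$SearchBase = ([adsi]"LDAP://RootDSE").defaultNamingContext
    )
    # Same kind of LDAP filter the ldifde query uses, but unrestricted by host name.
    $searcher = [adsisearcher]"(servicePrincipalName=*)"
    $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
    $searcher.PageSize = 1000   # paged results, so large domains are not cut off at 1000 objects
    $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "servicePrincipalName"))

    # Map each SPN (compared case-insensitively, as the KDC does) to the accounts that hold it.
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties["distinguishedname"][0]
        foreach ($spn in $result.Properties["serviceprincipalname"]) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.Generic.List[string]
            }
            $owners[$key].Add($dn)
        }
    }

    # One object per duplicated SPN, so the output pipes cleanly to Format-Table or Export-Csv.
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Count    = $entry.Value.Count
                Accounts = ($entry.Value -join "; ")
            }
        }
    }
}

Find-DuplicateSpn | Sort-Object SPN | Format-Table -AutoSize
```

An empty result means no SPN is registered twice; any row listed is an SPN that Kerberos cannot resolve to a single account and that should be removed from the wrong account with setspn -d.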
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Kerberos Basic Troubleshooting: Tip 3|http://setspn.blogspot.com/2010/06/kerberos-basic-troubleshooting-tip-3.html|target='_blank'] - based on 2013-11-10
* [#2] - [Setspn.exe|http://technet.microsoft.com/en-us/library/cc731241.aspx|target='_blank'] - from information retrieved 2013-11-10