SPN Registration


Typically, SPN entries are generated by the service automatically. Occasionally you may need to register an SPN manually.

To register the SPN manually, the administrator must use the Setspn.exe tool that is provided with the Microsoft Windows Server Support Tools.

Setspn.exe is a command line tool that enables you to read, modify, and delete the Service Principal Names (SPN) directory property. This tool also enables you to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs.

Be Careful Constructing SPN

Whenever you register an SPN, you have to construct it carefully:
  • what service is it for
  • which name will be used to access it
  • what port is it running at.

For most services this is straightforward, but Internet Explorer as a web browsing client complicates this. IE6, IE7 and IE8 still ignore the port entered in the address bar. They even ignore the name if it is a CNAME record.

Make sure to use ping or nslookup whenever you troubleshoot your SPNs. They show whether, and how, the name you registered the service under is reachable.

Using Setspn.exe

The following example illustrates the syntax used to manually register an SPN for a TCP/IP connection:
setspn -A MSSQLSvc/myhost.redmond.microsoft.com:1433 accountname

Note: If an SPN already exists, it must be deleted before it can be reregistered. You do this by using the Setspn.exe command together with the -D switch.

The following examples illustrate how to manually register a new instance-based SPN. For a default instance, use:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com accountname

For a named instance, use:

setspn -A MSSQLSvc/myhost.redmond.microsoft.com:instancename accountname
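
The checks described above (the three parts of the SPN, the nslookup step, and the existing-SPN rule) can be run together before anything is registered. The following is an added example, not part of the original page: the function name `Get-SpnRegistrationPlan` is hypothetical, and it assumes `Resolve-DnsName` is available, a Setspn.exe version that supports the read-only `-Q` query switch, and English Setspn.exe output.

```powershell
# Added example, not from the original page. It only reads; nothing is registered or deleted.
function Get-SpnRegistrationPlan {
    param(
        [Parameter(Mandatory)][string]$ServiceClass,  # what service is it for
        [Parameter(Mandatory)][string]$HostName,      # which name is used to access it
        [string]$PortOrInstance,                      # port or named instance, if any
        [Parameter(Mandatory)][string]$Account        # account the SPN is registered on
    )

    # 1. Build the SPN from its parts: class/host[:port-or-instance].
    $spn = "$ServiceClass/$HostName"
    if ($PortOrInstance) { $spn = "${spn}:$PortOrInstance" }
    $notes = @()

    # 2. The nslookup step: does the name resolve, and is it an alias (CNAME)?
    try {
        $dns = Resolve-DnsName -Name $HostName -ErrorAction Stop
        $alias = $dns | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($alias) {
            $notes += "$HostName is a CNAME for $($alias.NameHost); IE6-IE8 ignore the alias name."
        }
    } catch {
        $notes += "$HostName does not resolve from this machine."
    }
    if ($ServiceClass -eq 'HTTP' -and $PortOrInstance) {
        $notes += 'IE6-IE8 ignore the port entered in the address bar.'
    }

    # 3. Read-only check for an existing registration of this SPN.
    #    Assumption: English output containing "Existing SPN found".
    $query = (& setspn.exe -Q $spn | Out-String).Trim()
    if ($query -match 'Existing SPN found') {
        $notes += 'SPN already exists; delete it with setspn -D before reregistering.'
    }

    # 4. Return the plan for review; the command is shown, not executed.
    [pscustomobject]@{
        Spn         = $spn
        Command     = "setspn -A $spn $Account"
        QueryOutput = $query
        Notes       = $notes
    }
}

# Sample values taken from the page's own example.
Get-SpnRegistrationPlan -ServiceClass MSSQLSvc -HostName myhost.redmond.microsoft.com `
    -PortOrInstance 1433 -Account accountname | Format-List
```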
