Overview[1]#
To manage SPNs manually, an administrator can use the Setspn.exe tool. On Windows Server 2003 it is part of the Windows Server Support Tools; from Windows Server 2008 on it ships with the operating system. Whenever you doubt a Service Principal Name (SPN) registration, Setspn.exe is the place to start. With each new version of Windows the Setspn.exe command line utility has been extended; the options below are based on the Windows Server 2008 R2 version.
Typical usage#
- setspn -x: quick check for duplicate SPNs in the domain. Duplicates are a common reason why authentication silently falls back to NTLM: the KDC cannot resolve the service name to a single account, so no Kerberos ticket is issued.
- setspn -l <account>: lists the SPNs registered on a given computer or user account.
- setspn -q <SPN>: queries the domain for a given SPN and shows which account holds it.
- setspn -d <SPN> <account>: removes a given SPN from a given account.
- setspn -a <SPN> <account>: registers an SPN on a given account without checking for duplicates. Try to avoid this one; use setspn -s (and -f) instead.
- setspn -s <SPN> <account>: registers an SPN on a given account after verifying that no duplicate exists in the domain (available from the Windows Server 2008 version on).
- setspn -f -s <SPN> <account>: registers an SPN on a given account after verifying that no duplicate exists in the whole forest.
Duplicate SPNs#
Ldifde.exe (part of the Windows Support Tools on Windows Server 2003, included in the operating system on later versions) can list all accounts that map to a specific SPN. This is useful when setspn -x reports a duplicate and you want the raw directory data behind it. Open a command prompt and type:

```
ldifde -f c:\spn_out.txt -d "DC=globalbank,DC=net" -l serviceprincipalname -r "(serviceprincipalname=HTTP/LONDON*)" -p subtree
```

This command searches the globalbank.net domain for all SPNs that match the search mask HTTP/LONDON* and writes the results, one LDIF entry per account, to a text file named spn_out.txt on drive C. If two entries carry the same servicePrincipalName value, you have found your duplicate. Note that the domain controllers also record this condition: the KDC logs Event ID 11 (source Kerberos-Key-Distribution-Center) each time it encounters a duplicate name while processing an authentication request, which is a good place to look when you suspect duplicates but do not know which service is affected.
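The following is an added example, not code from the original page or from Microsoft's tools. It reads an ldifde export like the one above and reports every SPN that is registered on more than one account, which is the same check setspn -x performs, but done offline against the exported file so the result can be kept as evidence. Assumptions: the sample LDIF is constructed (it contains no real globalbank.net data); the export follows ldifde's usual layout (a dn line, a changetype line, one servicePrincipalName line per value, long lines folded with a leading space on the continuation line, and values with unsafe characters written base64-encoded after a double colon); and SPNs are compared case-insensitively, matching the case-insensitive matching rule of the servicePrincipalName attribute in Active Directory.

```python
import base64
import re
from collections import defaultdict

# Constructed sample shaped like an ldifde export (assumption: ldifde layout as
# described in the lead-in). Not real data. It contains one folded line and one
# base64-encoded value so both LDIF quirks are exercised.
SAMPLE_LDIF = """\
dn: CN=LONDON,CN=Computers,DC=globalbank,DC=net
changetype: add
servicePrincipalName: HOST/LONDON
servicePrincipalName: HOST/london.globalbank.net
servicePrincipalName: HTTP/london.globalbank.net

dn: CN=svc-web,OU=Service Accounts,DC=globalbank,DC=net
changetype: add
servicePrincipalName: HTTP/london.globalbank
 .net
servicePrincipalName: HTTP/LONDON

dn: CN=svc-web-old,OU=Service Accounts,DC=globalbank,DC=net
changetype: add
servicePrincipalName: http/LONDON
servicePrincipalName:: SFRUUC9sb25kb24tcmVwb3J0cy5nbG9iYWxiYW5rLm5ldA==
"""


def parse_ldif(text: str) -> dict:
    """Return {dn: [servicePrincipalName values]} from an ldifde export."""
    # LDIF folds long lines: a line starting with a single space continues the
    # previous one. Unfold before splitting into entries.
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = {}
    # Entries are separated by blank lines.
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn = None
        spns = []
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):
                # "attr:: <base64>" marks a base64-encoded value.
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            elif name.lower() == "serviceprincipalname":
                spns.append(value)
        if dn is not None:
            entries[dn] = spns
    return entries


def find_duplicate_spns(entries: dict) -> dict:
    """Map each SPN held by more than one account to the sorted list of those
    accounts. SPNs are compared case-insensitively (assumption: same rule as
    the servicePrincipalName attribute in AD)."""
    holders = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    # Replace SAMPLE_LDIF with open(r"c:\spn_out.txt").read() for a real export.
    duplicates = find_duplicate_spns(parse_ldif(SAMPLE_LDIF))
    for spn, accounts in sorted(duplicates.items()):
        print(f"{spn} is registered on {len(accounts)} accounts:")
        for dn in accounts:
            print(f"    {dn}")
```

Against the constructed sample, HTTP/LONDON (svc-web and svc-web-old) and HTTP/london.globalbank.net (LONDON and svc-web) are reported; the HOST/ SPNs on the computer account and the base64-encoded reports SPN are unique and stay silent. Once you know which accounts collide, remove the stray registration with setspn -d and re-register with setspn -s so the check runs before the write.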
More Information#
There might be more information for this subject on one of the following:
- [#1] Kerberos Basic Troubleshooting: Tip 3 (information retrieved 2013-11-10)
- [#2] Setspn.exe (information retrieved 2013-11-10)