
IT:AD:SetSPN:HowTo

//List SPNs registered per account or per machine:
setspn -L {domain\account}
setspn -L {domain\machine}

//Add an SPN (although prefer -S):
setspn -A {SPN} {domain\account}
setspn -A {SPN} {domain\machine}

//Add an SPN (after checking it won't be a duplicate):
setspn -S {SPN} {domain\account}
setspn -S {SPN} {domain\machine}

//Delete an SPN:
setspn -D {SPN} {domain\account}
setspn -D {SPN} {domain\machine}

//Examples:
setspn -L (domain)\(service account name)
setspn -S HTTP/NETBIOS_NAME_OF_IIS_SERVER domain\username

  • When a service has multiple instances throughout a forest, each instance gets its own SPN.
  • A single service instance can have multiple SPNs if there are multiple names that clients might use for authentication.
  • An SPN always includes the name of the computer on which the service instance is running.

A given SPN can be registered on only one account.
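
The one-account-per-SPN rule above, which is what `-S` checks before adding, can also be audited across many accounts at once. The PowerShell below is an added example, not part of the original page; the function name `Find-DuplicateSpn`, the account names and the SPNs are constructed for illustration.

```powershell
# Added example. Accounts and SPNs are constructed sample data.
function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Objects exposing Name and servicePrincipalName (string collection).
        [Parameter(Mandatory)]
        [object[]] $Account
    )

    # Flatten to one row per (SPN, owner) pair.
    $rows = foreach ($a in $Account) {
        foreach ($spn in $a.servicePrincipalName) {
            # SPN layout: serviceclass/host[:port][/servicename]
            $parts = $spn -split '/', 3
            [pscustomobject]@{
                Spn      = $spn
                HostPart = ($parts[1] -split ':')[0]
                Owner    = $a.Name
            }
        }
    }

    # Group-Object compares strings case-insensitively by default,
    # so HTTP/web01 and http/WEB01 land in the same group.
    $rows | Group-Object -Property Spn | ForEach-Object {
        $owners = @($_.Group.Owner | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                Spn      = $_.Name
                HostPart = $_.Group[0].HostPart
                Owners   = $owners -join ', '
            }
        }
    }
}

# Constructed input. On a domain-joined host with the ActiveDirectory
# module (assumption), objects of the same shape come from:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName
$sample = @(
    [pscustomobject]@{ Name = 'EXAMPLE\svc-web'; servicePrincipalName = @('HTTP/web01', 'HTTP/web01.example.test') }
    [pscustomobject]@{ Name = 'EXAMPLE\WEB01$';  servicePrincipalName = @('HOST/web01', 'http/WEB01') }
    [pscustomobject]@{ Name = 'EXAMPLE\svc-sql'; servicePrincipalName = @('MSSQLSvc/sql01.example.test:1433') }
)

Find-DuplicateSpn -Account $sample | Format-Table -AutoSize
```

Any row in the output is an SPN held by more than one account; remove the extra registration with `setspn -D` so that only the intended account keeps it.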

  • Last modified: 2023/11/04 01:56