SetSPN - CMD


Overview

SetSPN is a command-line tool used in Microsoft Windows environments to manage Service Principal Names (SPNs), the identifiers Kerberos uses to name a service instance (for example HTTP/web01.example.com) and to locate the account that runs it. The KDC encrypts a service ticket with the key of the account that holds the requested SPN, so each SPN must be registered on exactly one account: if it is missing, the client cannot obtain a ticket and Negotiate silently falls back to NTLM; if it is registered on two accounts, the KDC cannot choose a key and ticket requests for that service fail. SPNs also matter for security review: any domain user can request a service ticket for any account that holds an SPN and crack it offline (Kerberoasting), so user accounts carrying SPNs need long, random passwords. SetSPN is used in any Active Directory domain where services are reached by Kerberos across computers, including Kerberos delegation scenarios, which require correct SPNs on both the front-end and the back-end service.

Syntax

The basic syntax for SetSPN is:

setspn [modifiers switch] [accountname]

Where [modifiers switch] is one or more options that add, delete, query, or list SPNs, and [accountname] is the name (or DOMAIN\name) of the target computer or user account. Unless -C or -U says otherwise, SetSPN treats the name as a computer account if such a computer exists and as a user account otherwise.

Full Syntax

setspn -R accountname
setspn -A SPN accountname
setspn -S SPN accountname
setspn -D SPN accountname
setspn [-L] accountname
setspn [-F] [-P] -Q SPN
setspn [-F] [-P] -X
setspn -T domain [other switches]

Options/Flags

  • -R accountname: Resets the default HOST SPNs (HOST/name and HOST/fqdn) for the specified computer account; other SPNs on the account are left untouched.
  • -A SPN accountname: Adds the specified SPN to the account without checking whether it already exists elsewhere. Prefer -S, because -A is how duplicate SPNs are created.
  • -S SPN accountname: Adds the specified SPN to the account after verifying that no other account in the domain holds it (add -F to check the whole forest).
  • -D SPN accountname: Deletes the specified SPN from the account.
  • -L accountname: Lists all SPNs registered to the account (-L is the default when no switch is given).
  • -Q SPN: Queries the domain for an SPN and prints the accounts that hold it. Wildcards are accepted, so setspn -Q */* lists every registered SPN in the domain.
  • -X: Lists every SPN that is registered on more than one account in the domain.
  • -F: Performs -Q, -X and the -S duplicate check at forest level instead of domain level.
  • -T domain: Runs the query against the named domain (or forest when combined with -F); "" or * means the current one.
  • -P: Suppresses progress output to the console, for use when redirecting output to a file or running unattended. It does not prune anything.
  • -C / -U: Forces accountname to be interpreted as a computer account (-C) or a user/group account (-U); the two are exclusive.

Examples

  1. Adding a New SPN:

    setspn -S http/server.example.com DOMAIN\ServerAccount
    

    This command checks the domain for an existing registration of the SPN and adds it to ServerAccount only if none exists, so the same SPN never ends up on two accounts. Add -F to extend the duplicate check to the whole forest.

  2. Listing SPNs:

    setspn -L DOMAIN\ServerAccount
    

    Lists all SPNs registered to ServerAccount.

  3. Deleting an SPN:

    setspn -D http/server.example.com DOMAIN\ServerAccount
    

    Deletes the specified SPN from ServerAccount.
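The query and list switches above can be combined into a review of every SPN in the domain. The following PowerShell script is an added example, not part of the original page or of the SetSPN tool: it parses the output of setspn -Q */* (one distinguished-name line per account, followed by that account's SPNs indented beneath it) into objects, then reports two findings a security reviewer wants: the same SPN registered on more than one account (what setspn -X reports) and SPNs held by an account whose name is not the host named in the SPN, which are service accounts and therefore the usual Kerberoasting targets. The sample output embedded in the script is constructed to match that layout, not captured from a real domain; the account and SPN names, and the host-name comparison used to spot service accounts, are assumptions.

```powershell
# Added example (not from the original page): parse setspn -Q */* output and
# report duplicate SPNs and SPNs that sit on an account other than the host
# they name. Live use: $lines = setspn -Q */*   (add -F for the whole forest,
# -T <domain> for another domain, -P to drop progress lines).

function ConvertFrom-SetspnQuery {
    # Assumed layout: "Checking domain ..." header, then "CN=..." owner lines
    # each followed by indented SPN lines, then a trailing status line.
    param([Parameter(Mandatory)][string[]]$Lines)
    $owner = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$' -or $line -match '^(Checking domain|Existing SPN|No such SPN)') { continue }
        if ($line -match '^CN=') {                 # owner line: a distinguished name
            $owner = $line.Trim()
            continue
        }
        if ($owner -and $line -match '^\s+(\S+)') { # indented SPN line
            [pscustomobject]@{ Owner = $owner; SPN = $Matches[1] }
        }
    }
}

function Get-SpnFindings {
    param([Parameter(Mandatory)][object[]]$Entries)

    # Duplicate SPN: registered on more than one object. The KDC cannot decide
    # whose key to use, so ticket requests for that service fail.
    $Entries | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Finding = 'DuplicateSPN'; SPN = $_.Name; Owner = ($_.Group.Owner -join '; ') }
    }

    # Service account: the host part of the SPN does not match the owner's CN,
    # so the SPN is held by something other than the computer itself. Any
    # domain user can request a ticket for it; verify the password strength.
    foreach ($e in $Entries) {
        # HTTP/web01.example.com:8080 -> web01 ; CN=WEB01$,... -> WEB01
        $hostPart = ($e.SPN -split '/')[1] -replace ':.*$' -replace '\..*$'
        $cn = ($e.Owner -split ',')[0] -replace '^CN=' -replace '\$$'
        if ($hostPart -ne $cn) {   # -ne is case-insensitive in PowerShell
            [pscustomobject]@{ Finding = 'SPNOnNonHostAccount'; SPN = $e.SPN; Owner = $e.Owner }
        }
    }
}

# Constructed sample output (assumed layout; not captured from a real domain).
$sample = @'
Checking domain DC=example,DC=com
CN=WEB01,CN=Computers,DC=example,DC=com
        HOST/web01.example.com
        HOST/WEB01
CN=svc_sql,OU=Service Accounts,DC=example,DC=com
        MSSQLSvc/sql01.example.com:1433
        HTTP/web01.example.com
CN=svc_web,OU=Service Accounts,DC=example,DC=com
        HTTP/web01.example.com

Existing SPN found!
'@ -split "`r?`n"

$entries = ConvertFrom-SetspnQuery -Lines $sample
Get-SpnFindings -Entries $entries | Format-Table -AutoSize
```

With the constructed sample the script reports HTTP/web01.example.com as a duplicate (held by svc_sql and svc_web) and lists the three SPNs on the svc_* accounts as service-account SPNs; the HOST entries on the WEB01 computer account produce no finding. Resolve a duplicate with setspn -D on the account that should not hold it, then confirm with setspn -X.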

Common Issues

  • Duplicate SPNs: When one SPN is registered on two accounts the KDC cannot decide which account's key to use, so clients fail to obtain a ticket for that service and the domain controller logs KDC event ID 11. Run setspn -X (add -F to cover the whole forest) to find the duplicates, decide which account legitimately runs the service, and remove the SPN from the other with setspn -D. Duplicates usually come from setspn -A, which skips the check that -S performs.
  • Permission Errors: Changing an SPN writes the servicePrincipalName attribute of the target object, so the caller needs write access to that attribute. Domain Admins have it on every object; a computer account can register only SPNs for its own host name through the "Validated write to service principal name" right; anyone else needs the attribute write delegated on the target OU or object. Run SetSPN from a domain-joined machine with an account that holds one of these rights.

Integration

Combine SetSPN with PowerShell scripts or other CMD commands to automate SPN management. For example, to register a list of SPN/account pairs stored in a CSV file (spns.csv with the columns SPN and Account), you can use:

foreach ($row in Import-Csv spns.csv) {
    # -S refuses the add when the SPN already exists on another account,
    # so one SPN cannot be handed to two accounts by mistake
    $result = setspn -S $row.SPN $row.Account 2>&1
    Write-Output ("{0} -> {1}: {2}" -f $row.SPN, $row.Account, ($result -join ' '))
}

This loop adds each SPN to the account listed beside it and records SetSPN's response for every pair, so refused (duplicate) registrations are visible in the output. Registering the same SPN on every account in a list would fail after the first account, because -S detects the duplicate; each account needs its own SPN.

Related Commands

  • ktpass: Configures and manages keytab files for Kerberos authentication and maps a principal to an account; note that it can also reset the account's password, so review its switches before use.
  • nltest: Troubleshoots and manages domain trust and secure-channel relationships (for example nltest /sc_query:DOMAIN).

For more detailed information, refer to the official SetSPN documentation on Microsoft’s website.