Service Principal Names (SPNs) are user accounts in Active Directory that are usually created automatically by programs you install, allowing them to have additional rights beyond what most programs have.
You can see the Service Principal Name accounts in Active Directory Users and Computers, but you cannot see there that they are Service Principals (unless you go into the ATTRIBUTE EDITOR and look at the servicePrincipalName attribute).
To view or make changes to SPNs, you must be logged onto a Domain Controller as either a Domain Admin or an Enterprise Admin, and you must use an elevated Command Prompt (i.e. run AS ADMIN). The SETSPN command is the tool for viewing and modifying Service Principal Names.
An SPN has three parts but only two are commonly used:
- the service
- the server the service is on
- the port number (only used if it is not the default port… so very rarely used)
In the example below we ran four setspn commands you will likely find useful:

1. setspn -L srv-mapping01
   This command LISTS the Service Principal Names stored in Active Directory that relate to SRV-MAPPING01.

2. setspn -S http/srv-mapping01 RobertsonTech\svc-gis-fme
   This command SETS (i.e. adds) the HTTP service on the server with host name SRV-MAPPING01 to the Active Directory account ROBERTSONTECH\SVC-GIS-FME. Note that we did not specify a port number here, so http will operate on the default port 80.

3. setspn -S http/srv-mapping01.RobertsonTech.com RobertsonTech\svc-gis-fme
   This is the same command as noted above, except it includes the fully qualified domain name of the server, which is srv-mapping01.RobertsonTech.com. It is common to add both the host name and the fully qualified host name, as we have done in steps 2 and 3 here.

4. setspn -L srv-mapping01
   Listing the SPN entries for server srv-mapping01 again, just to confirm the two new entries were successfully added.
C:\Windows\system32>setspn -L srv-mapping01
Registered ServicePrincipalNames for CN=srv-mapping01,OU=Robertson SERVERS,OU=Robertson,DC=RobertsonTech,DC=com:
    VeeamGuestHelperSvc/srv-mapping01
    VeeamGuestHelperSvc/srv-mapping01.RobertsonTech.com
    TERMSRV/srv-mapping01
    TERMSRV/srv-mapping01.RobertsonTech.com
    RestrictedKrbHost/srv-mapping01
    HOST/srv-mapping01
    RestrictedKrbHost/srv-mapping01.RobertsonTech.com
    HOST/srv-mapping01.RobertsonTech.com

C:\Windows\system32>setspn -S http/srv-mapping01 RobertsonTech\svc-gis-fme
Checking domain DC=RobertsonTech,DC=com
Registering ServicePrincipalNames for CN=svc-gis-fme,OU=Security Accts M365,OU=Security Accounts,OU=Robertson SERVICE ACCOUNTS,OU=Robertson,DC=parklandcounty,DC=com
    http/srv-mapping01
Updated object

C:\Windows\system32>setspn -S http/srv-mapping01.RobertsonTech.com RobertsonTech\svc-gis-fme
Checking domain DC=RobertsonTech,DC=com
Registering ServicePrincipalNames for CN=svc-gis-fme,OU=Security Accts M365,OU=Security Accounts,OU=Robertson SERVICE ACCOUNTS,OU=Robertson,DC=robertsontech,DC=com
    http/srv-mapping01.RobertsonTech.com
Updated object

C:\Windows\system32>setspn -L srv-mapping01
Registered ServicePrincipalNames for CN=srv-mapping01,OU=Robertson SERVERS,OU=Robertson,DC=RobertsonTech,DC=com:
    WSMAN/srv-mapping01
    WSMAN/srv-mapping01.RobertsonTech.com
    VeeamGuestHelperSvc/srv-mapping01
    VeeamGuestHelperSvc/srv-mapping01.RobertsonTech.com
    TERMSRV/srv-mapping01
    TERMSRV/srv-mapping01.RobertsonTech.com
    RestrictedKrbHost/srv-mapping01
    HOST/srv-mapping01
    RestrictedKrbHost/srv-mapping01.RobertsonTech.com
    HOST/srv-mapping01.RobertsonTech.com
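The same four-step procedure (check, add the short-name SPN, add the FQDN SPN, confirm) can be scripted so that it refuses to create a duplicate SPN, which is the most common way a manual setspn session breaks Kerberos authentication. The script below is an added example and is not part of the original post; the service class, host name, DNS domain and account are placeholders taken from the post's own example and must be replaced with your values. It assumes setspn.exe is available (RSAT or a Domain Controller) and that the prompt is elevated, as described above.

```powershell
# Added example: register a service's SPN for both the short host name and the
# FQDN on a service account, refusing to add an SPN that already exists anywhere
# in the forest. Values below are placeholders copied from the post's example.
param(
    [string]$ServiceClass = 'http',
    [string]$HostName     = 'srv-mapping01',
    [string]$DnsDomain    = 'RobertsonTech.com',
    [string]$Account      = 'RobertsonTech\svc-gis-fme'
)

# Steps 2 and 3 of the post: the short name and the fully qualified name.
$spns = @(
    "$ServiceClass/$HostName",
    "$ServiceClass/$HostName.$DnsDomain"
)

foreach ($spn in $spns) {
    # setspn -Q searches the forest for an existing registration of this SPN.
    # An SPN must map to exactly one account; a duplicate silently breaks
    # Kerberos for every client that requests a ticket for that service.
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered; an SPN must be unique. Skipping."
        # setspn -Q prints the owning object's DN; surface it for the admin.
        $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Warning "  owner: $_" }
        continue
    }

    # -S adds the SPN only after its own duplicate check (-A would not check).
    & setspn.exe -S $spn $Account
}

# Step 4 of the post, but listing the ACCOUNT the SPNs were added to. Listing
# the computer object (setspn -L srv-mapping01) will not show http/ entries,
# because they were registered on svc-gis-fme, not on the computer.
& setspn.exe -L $Account

# Forest-wide duplicate SPN report; should print no duplicates after the change.
& setspn.exe -X
```

Note the difference between the two listings: setspn -L srv-mapping01 shows the SPNs on the computer object, which is why the http/ entries do not appear in the final listing of the session above, while setspn -L on the service account shows the entries that were just added. Running setspn -X afterwards is a cheap check that no duplicate was created.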
If this still does not make sense, we found the video below to be very helpful for our new techs: