Categories: Windows Server

SOLVED: What is a Service Principal Name and How To Add a Service Principal Name

Service Principal Names (SPN) are user accounts in Active Directory that are usually created automatically by programs you are installing to allow them to have additional rights beyond what most programs do.

You can see the Service Principal Names accounts in Active Directory Users and Computers but you can not see that they are Service Principals there (unless you go into ATTRIBUTE EDITOR and search for servicePrincipalName).

To make view or make changes to SPNs, you must be logged onto a Domain Controller as either a Domain Admin or an Enterprise admin and you must use an elevated Command Prompt (ie. AS ADMIN). The SETSPN command is the tool to modify Service Principal Names.

An SPN has three parts but only two are commonly used:

  1. the service
  2. the server the service is on
  3. the port number (only used if it is not the default port… so very rarely used)

In the example below we ran four setspn commands you will likely find useful:

  1. setspn -L srv-mapping01
    This command LISTS the Service Principal Names stored in Active Directory that relate to SRV-MAPPING01
  2. setspn -S http/srv-mapping01 RobertsonTech\svc-gis-fme Checking domain DC=RobertsonTech,DC=com
    This command SETS (i.e. adds) the HTTP service on the server with host name SRV-MAPPING01 to the ActiveDirectory account ROBERTSONTECH\SVC-GIS-FME
    Note that we did not specify a port number here, so http will operate on the default port 80
  3. setspn -S http/srv-mapping01.RobertsonTech.com Robertso nTech\svc-gis-fme
    This is the same command as notes above, except it includes the fully qualified domain name of the server which is srv-mapping01.RobertsonTech.com.
    It is common to add both the host name and the fully qualified host name, as we have done in steps 2 and 3 here.
  4. setspn -L srv-mapping01
    Listing the SPN entries for server srv-mapping01 again, just to confirm the two new entries were successfully added.

C:\Windows\system32>setspn -L srv-mapping01
Registered ServicePrincipalNames for CN=srv-mapping01,OU=Robertson SERVER
S,OU=Robertson,DC=RobertsonTech,DC=com:
        VeeamGuestHelperSvc/srv-mapping01
        VeeamGuestHelperSvc/srv-mapping01.RobertsonTech.com
        TERMSRV/srv-mapping01
        TERMSRV/srv-mapping01.RobertsonTech.com
        RestrictedKrbHost/srv-mapping01
        HOST/srv-mapping01
        RestrictedKrbHost/srv-mapping01.RobertsonTech.com
        HOST/srv-mapping01.RobertsonTech.com
C:\Windows\system32>setspn -S http/srv-mapping01 RobertsonTech\svc-gis-fme
Checking domain DC=RobertsonTech,DC=com

Registering ServicePrincipalNames for CN=svc-gis-fme,OU=Security Accts M365
,OU=Security Accounts,OU=Robertson SERVICE ACCOUNTS,OU=Robertson,DC=park
landcounty,DC=com
        http/srv-mapping01
Updated object

C:\Windows\system32>setspn -S http/srv-mapping01.RobertsonTech.com Robertso
nTech\svc-gis-fme
Checking domain DC=RobertsonTech,DC=com

Registering ServicePrincipalNames for CN=svc-gis-fme,OU=Security Accts M36
5,OU=Security Accounts,OU=Robertson SERVICE ACCOUNTS,OU=Robertson,DC=rober
tsontech,DC=com
        http/srv-mapping01.RobertsonTech.com
Updated object

C:\Windows\system32>setspn -L srv-mapping01
Registered ServicePrincipalNames for CN=srv-mapping01,OU=Robertson SERVER
S,OU=Robertson,DC=RobertsonTech,DC=com:
        WSMAN/srv-mapping01
        WSMAN/srv-mapping01.RobertsonTech.com
        VeeamGuestHelperSvc/srv-mapping01
        VeeamGuestHelperSvc/srv-mapping01.RobertsonTech.com
        TERMSRV/srv-mapping01
        TERMSRV/srv-mapping01.RobertsonTech.com
        RestrictedKrbHost/srv-mapping01
        HOST/srv-mapping01
        RestrictedKrbHost/srv-mapping01.RobertsonTech.com
        HOST/srv-mapping01.RobertsonTech.com

If this still does not make sense, we found the video below to be very helpful for our new techs:



Published by
Ian Matthews

This website uses cookies.