Avoiding duplicate Service Principal Names when using setspn.exe

Here's a quick Kerberos tip I was given the other day:

When registering an SPN with setspn.exe, use setspn -s rather than setspn -a. It takes a little longer, but it first checks that the Service Principal Name (SPN) is not already registered anywhere else before adding it. This is a very handy little feature!

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
Registering ServicePrincipalNames for CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Updated object

C:\Users\Administrator>setspn -S http/server.demo.com spservice
Checking domain DC=demo,DC=com
CN=SPService,OU=Service Accounts,DC=demo,DC=com
http/server.demo.com
Duplicate SPN found, aborting operation!

How cool is that? Wish I'd known about this a long time ago! Bear in mind that it was only introduced in Server 2008, so it has not really been around all that long.
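The same pre-registration check, written out as a PowerShell script so the duplicate search is visible and can be reused as a standing audit. This is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module is installed, reuses the SPN and account name from the session above as sample values, and the global-catalog server name in the comments is an assumed placeholder.

```powershell
# Added example (not from the original post): a pre-flight duplicate-SPN check
# wrapped around setspn -S, plus a domain-wide duplicate audit.
# Assumes the RSAT ActiveDirectory module; the SPN and account below are the
# values used in the post's session, not live data.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value so a
    # caller-supplied SPN cannot change the shape of the query. Backslash first.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-SpnOwner {
    # Returns every directory object that already holds $Spn (or nothing).
    # -Server may point at a global catalog, e.g. 'dc01.demo.com:3268' (assumed
    # host name), to widen the search from the current domain to the forest.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$Server
    )
    $filter = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $Spn))"
    $params = @{ LDAPFilter = $filter; Properties = 'servicePrincipalName' }
    if ($Server) { $params.Server = $Server }
    Get-ADObject @params
}

function Register-UniqueSpn {
    # Registers $Spn on $Account only if no object already holds it. This is what
    # 'setspn -S' does internally; doing it here first makes the result loggable.
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account,
        [string]$Server
    )
    $owners = @(Find-SpnOwner -Spn $Spn -Server $Server)
    if ($owners.Count -gt 0) {
        Write-Warning "SPN '$Spn' is already registered on: $($owners.DistinguishedName -join '; ')"
        return $false
    }
    # Still use -S rather than -A: if two admins race, setspn's own check aborts
    # instead of silently creating the duplicate.
    & setspn.exe -S $Spn $Account | Out-Host
    return ($LASTEXITCODE -eq 0)
}

function Get-DuplicateSpn {
    # Audit: every SPN value that appears on more than one object. Clients asking
    # for such an SPN may receive a ticket for the wrong account and fail with
    # KRB_AP_ERR_MODIFIED, so this is worth running on a schedule.
    param([string]$Server)
    $params = @{ LDAPFilter = '(servicePrincipalName=*)'; Properties = 'servicePrincipalName' }
    if ($Server) { $params.Server = $Server }
    Get-ADObject @params |
        ForEach-Object {
            $dn = $_.DistinguishedName
            $_.servicePrincipalName | ForEach-Object { [pscustomobject]@{ Spn = $_; Owner = $dn } }
        } |
        Group-Object -Property Spn |            # case-insensitive, as AD compares SPNs
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ Spn = $_.Name; Owners = ($_.Group.Owner -join '; ') }
        }
}

# Usage, with the values from the post's session:
Register-UniqueSpn -Spn 'http/server.demo.com' -Account 'spservice'
Get-DuplicateSpn | Format-Table -AutoSize
```

Run Register-UniqueSpn a second time with the same SPN and it refuses before ever calling setspn, matching the "Duplicate SPN found, aborting operation!" behaviour shown above; Get-DuplicateSpn is the part to schedule, since duplicates created by other tools or by setspn -a will not be caught at registration time.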

2 Responses to Avoiding duplicate Service Principal Names when using setspn.exe

  1. emt training says:

    Keep posting stuff like this, I really like it.

  2. Dan Clements says:

    Hey Rhodes – good old “setspn -q” is a great one to run as well before registering new SPNs.
