SPN stands for Service Principal Name. An SPN is the name by which a Kerberos client uniquely identifies an instance of a service, so that the Key Distribution Center (KDC) can issue a service ticket encrypted with the key of the account that runs that service.
Every instance of a service installed on computers across a forest needs its own SPN. A single service instance can have several SPNs when clients may reach it by more than one name: because an SPN always contains the name of the computer on which the service runs, a service normally registers one SPN for each hostname or alias (NetBIOS name, fully qualified domain name, DNS alias) that clients use.
SPNs are not a separate database. They are stored in the multi-valued servicePrincipalName attribute of the user or computer account in Active Directory (AD) under which the service runs, which is how AD links a service name to the account, and therefore the key, that Kerberos uses to encrypt the service ticket. Like any other AD attribute they are replicated to every domain controller in the domain, so an SPN added on one DC is visible on all of them once replication completes.
How to Register or Add SPNs
You can register an SPN manually with Setspn.exe, which Microsoft ships with Windows Server (and with the Remote Server Administration Tools on workstations). Writing an SPN means writing the servicePrincipalName attribute of an account, so you need Domain Admin rights or explicit write permission on that attribute; a computer account can write its own host SPNs through the "Validated write to service principal name" permission. Use the -S option rather than -A: -S first checks whether the SPN already exists anywhere in the forest and refuses to add a duplicate. That check matters, because an SPN registered on two accounts breaks Kerberos authentication for both of them.
To add an SPN, run setspn -S service/name accountname at a command prompt, where service/name is the SPN you want to add and accountname is the user or computer account the service runs as; for a domain user account use the domain\name form. In the example used on this page the web application pool runs as the domain account techdirectarchi\MBAM-IISAP-SVC and the server's fully qualified domain name is mbamserv1.techdirectarchi.local, so the FQDN form of the SPN is http/mbamserv1.techdirectarchi.local. Clients that address the server by its short name also need the NetBIOS form, which the following command registers.
Note: If you do not have the rights to create SPNs, send the exact command to the Active Directory administrators in your organization and ask them to run it.
- setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC
Windows treats SPNs as case-insensitive, but an SPN can be consumed by any Kerberos implementation, and many non-Windows systems (MIT and Heimdal Kerberos on UNIX-like hosts in particular) compare principal names case-sensitively. When a registered SPN may be used by a non-Windows client or service, register it in exactly the case those systems expect, usually the lower-case service class and the hostname as it appears in their keytab or configuration.
How to Check SPNs
To list the SPNs registered on an account, run setspn -L accountname at a command prompt, where accountname is the computer or user account you want to query. A computer account such as mbamserv1 holds its default HOST/ entries plus anything services have added; a service account holds only the SPNs registered for its services, so check the account the service actually runs as. To see which account in the forest holds a specific SPN use setspn -Q service/name, and to find SPNs registered on more than one account use setspn -X. For the server used in this example:
- setspn -L mbamserv1
How and When to Change an SPN
SPNs do not usually need to be modified. Most of the time a computer creates them when it joins a domain and when services are installed on it. Occasionally, however, this information becomes stale. If a computer is renamed, for instance, the SPNs registered for its installed services must be updated to reflect the new machine name. Some services and applications also require the SPNs on a service account to be adjusted by hand before clients can authenticate to them, typically because the service runs under a domain account rather than the computer account, or is reached through a DNS alias.
Reset an SPN
If the SPNs you see for a computer look wrong, you can reset its computer account back to the default SPNs. Open a command prompt and run setspn -R hostname, where hostname is the actual host name of the computer object whose SPNs you want to reset. The reset rebuilds the default HOST/ entries for the computer's NetBIOS name and FQDN; SPNs that were added for specific services are not recreated by it, so list the account afterwards and re-add any that are missing.
Remove an SPN
To delete an SPN, run setspn -D service/name accountname at a command prompt, where service/name is the SPN to remove and accountname is the account that currently holds it. Remove stale SPNs when a service moves to another host or account: an SPN left behind on the old account causes setspn -S to refuse the new registration as a duplicate, and while both exist Kerberos authentication to the service fails.
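The register, check, reset and remove steps above, worked through end to end as a PowerShell script. This is an added example and not code from the original article; it uses the page's own names (mbamserv1.techdirectarchi.local, techdirectarchi\MBAM-IISAP-SVC) and assumes setspn.exe, klist.exe and the ActiveDirectory module are present and that the script runs as an account allowed to write the servicePrincipalName attribute of the target account.

```powershell
# Added example (not from the original article): register, verify, and clean up
# the HTTP SPNs for the MBAM application pool account discussed on this page.
# Assumes: setspn.exe (Windows Server / RSAT), klist.exe, the ActiveDirectory
# PowerShell module, and an account with write access to servicePrincipalName
# on the target account. Names below are the page's example values.

$Account = 'techdirectarchi\MBAM-IISAP-SVC'   # domain account the app pool runs as
$Spns    = @(
    'http/mbamserv1.techdirectarchi.local',    # FQDN form, what most clients ask for
    'http/mbamserv1'                           # NetBIOS form, for short-name access
)

# 1. Register. -S refuses to add an SPN that already exists anywhere in the forest,
#    which is what you want: the same SPN on two accounts breaks Kerberos for both.
foreach ($spn in $Spns) {
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed for $spn (already registered elsewhere, or insufficient rights?)"
    }
}

# 2. Verify what ended up on the account (-L lists the SPNs held by an account).
& setspn.exe -L $Account

# 3. Confirm nothing else in the forest claims the same name.
#    -Q looks up who holds an SPN (wildcards allowed); -X lists every duplicate.
& setspn.exe -Q 'http/mbamserv1*'
& setspn.exe -X

# 4. The same lookup through the AD module, which is easier to use inside scripts.
#    Exactly one object should own http/mbamserv1*.
Import-Module ActiveDirectory
$owners = @(Get-ADObject -LDAPFilter '(servicePrincipalName=http/mbamserv1*)' `
                         -Properties servicePrincipalName)
if ($owners.Count -ne 1) {
    Write-Warning "Expected one owner for http/mbamserv1*, found $($owners.Count):"
    $owners | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
}
# Note: Set-ADUser -Identity MBAM-IISAP-SVC -ServicePrincipalNames @{Add=$Spns}
# would also write the attribute, but it performs no duplicate check; run step 3 first.

# 5. End-to-end check: ask the KDC for a service ticket by SPN. If this fails the
#    SPN is missing, registered on the wrong account, or duplicated. The output
#    shows the server principal the ticket was issued for and its encryption type.
& klist.exe get $Spns[0]

# 6. Removal, when the service is decommissioned or moved to another account.
#    Uncomment to run. A stale SPN left here blocks re-registration elsewhere.
# foreach ($spn in $Spns) { & setspn.exe -D $spn $Account }
```

Run the script from an elevated prompt on a domain-joined machine. Steps 1 to 3 are the registration and verification the article describes; step 5 is the check a practitioner wants before declaring the change done, because a successful ticket request proves the KDC can map the SPN to exactly one account.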
Conclusion
Correctly registered SPNs are what make Kerberos authentication to a service work. SetSPN ships with Windows Server and is available on workstations through the Remote Server Administration Tools, so it can be run from either a member server or an administrative workstation. It can add, delete and list SPNs, search the domain for the account that holds a given SPN, and find duplicate SPNs, and it can register SPNs on both computer and user accounts in AD. Used with the -S check, it keeps service names unambiguous and Kerberos authentication predictable.
Full Form of SPN FAQs
Why does one need to register an spn?
Before a client can use an SPN to authenticate to a service instance, the SPN must be registered on the user or computer account under which that instance logs on; otherwise the KDC has no account, and so no key, with which to issue the service ticket. Typically a service installation program running with domain administrator rights registers the SPNs automatically.
What is the Setspn.exe tool?
Setspn.exe lets you read, change and remove the servicePrincipalName directory property of an Active Directory account. Kerberos clients present an SPN to the KDC, which uses it to locate the account the service runs under. With SetSpn.exe you can list an account's current SPNs, reset its default SPNs, add or remove additional SPNs, and search the forest for an SPN or for duplicates.
What is Kerberos?
Kerberos is the network authentication protocol that Active Directory uses. Instead of sending a password to each service, a client obtains tickets from a trusted third party, the Key Distribution Center (KDC), which in an AD domain runs on every domain controller. The client first gets a ticket-granting ticket by proving its own identity, then asks the KDC for a service ticket by naming the service's SPN; the KDC looks up the account that holds that SPN and encrypts the ticket with that account's key, which is why a missing, misplaced or duplicated SPN makes authentication fail. Because any authenticated domain user can request a service ticket for any registered SPN, an account that holds SPNs should have a long, random password (a group managed service account is the usual way to get one).