SPN (Microsoft)
A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication.

If the domain to which you want to allow a disjoint namespace does not appear in the console, take the following steps:

1. In the Domain box, type the name of the Active Directory domain to which you want to allow the disjoint namespace, and then click OK. As an alternative, you can use the Browse button to locate the Active Directory domain.
2. In the console tree, right-click the node that represents the domain to which you want to allow a disjoint namespace, and then click Properties.
3. In "Enter the object name to select", type the group or user account name to which you want to delegate permission, and then click OK.
4. At the bottom of the Permissions box, select the Allow check box that corresponds to the "Validated write to service principal name" permission, and then click OK on the three open dialog boxes to confirm your changes.

However, if you are using Windows Server or earlier, you cannot use the -S switch because it is not available on that platform. Where -S cannot be used, manually verify that there are no duplicate SPNs by first running setspn -L against the account. Normally, accountname is the NetBIOS name of the computer and optionally the domain that contains the computer account; however, any desired Active Directory object name can be used.

The help parameter displays help at the command prompt and is the default: running setspn without any parameter displays the command-line usage. If neither form is specified, the tool interprets accountname as a computer name if such a computer exists, and as a user name if it does not. Usage: setspn -T domain <switches and other parameters>. Query-mode modifiers can be used with the -S switch to specify where the check for duplicates is performed before the SPN is added.

Service principal names (SPNs) are not required to be unique across forests, but duplicate SPNs can cause authentication issues during cross-forest authentication. SPNs can only be constructed by using the account base name as the Computer parameter; the directory service enforces this by generating a constraint violation error.

You may not have the rights to access or modify this property on some account objects. You can determine what your access rights are by viewing the security attributes of the account object in the Active Directory Users and Computers snap-in of the Microsoft Management Console (MMC). The VBScript sample from the article survives here only as fragments: it executes an ADO command against the directory, tests adRecordSet.EOF and adRecordSet.BOF, echoes the dnsHostName field when a record is found (an empty string otherwise), and then closes the recordset and the connection. The script's first parameter is the filter value and the second parameter is the filter category.

A second fragment loops through the recordset with a Do While loop, prompts "Do you want to continue?", and otherwise quits with the message "Use search option to find the account the SPN is set to." Kerberos authentication may fail when the required SPNs are set for the computer accounts or for the domain accounts. However, if the URL that the user types is associated with more than one user account or with more than one computer account, you have a duplicate SPN.
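A domain-wide duplicate SPN check, as an added example that is not part of the original article: it is a PowerShell function (not the article's VBScript) that reads every servicePrincipalName in the domain and reports the SPNs registered on more than one account, which is the condition the text above describes. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read servicePrincipalName; the function name Find-DuplicateSpn is the example's own.

```powershell
# Added example (not from the original article): report SPNs that are registered on
# more than one account in the current domain. Assumes the ActiveDirectory module is
# available and the caller has read access to servicePrincipalName.
function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        # Optional LDAP search base; defaults to the root of the current domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # One query for every object carrying at least one SPN: this covers computer
    # accounts as well as user (service) accounts, which the article treats alike.
    $objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
        -SearchBase $SearchBase -SearchScope Subtree `
        -Properties servicePrincipalName, objectClass

    # SPN matching is case-insensitive, so index on a lower-cased key.
    $index = @{}
    foreach ($obj in $objects) {
        foreach ($spn in $obj.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            [void]$index[$key].Add($obj.DistinguishedName)
        }
    }

    # Emit one record per SPN that resolves to two or more distinct accounts.
    foreach ($entry in $index.GetEnumerator()) {
        $owners = @($entry.Value | Sort-Object -Unique)
        if ($owners.Count -gt 1) {
            [pscustomobject]@{
                ServicePrincipalName = $entry.Key
                OwnerCount           = $owners.Count
                Owners               = ($owners -join '; ')
            }
        }
    }
}

# Usage (also part of the added example): list duplicates, worst first.
Find-DuplicateSpn | Sort-Object OwnerCount -Descending | Format-Table -AutoSize
```

Because the article notes that duplicates across forests also break cross-forest authentication, run the function once per domain (Get-ADObject accepts -Server to target another domain's domain controller) and compare the result sets.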

Verify that the SPNs have replicated to the other domain controllers. Replication issues between the domain controllers can prevent the SPNs from replicating to the other domain controllers, and when that happens the application may not work from some client computers. Note: by default, replication takes 15 minutes.

Verify that the Web server is configured to support Kerberos authentication. Verify that the server or service that is delegating the credentials is trusted for delegation, and that the account the service runs under is trusted for delegation. In Active Directory, verify that the "Account is sensitive and cannot be delegated" check box is cleared for users who access the application. If you are accessing the application directly from the server, verify that the "Loopback Security Check" check box is cleared.

For more information about how to verify that the loopback check is disabled, see the Microsoft Knowledge Base article whose title begins "You receive error".

The example scenario uses the following accounts and names: the user account in the mydomain domain that is used for the application pool identity; the user account in the mydomain domain that is used for the second application pool identity; and the fully qualified domain name of a cluster of computers that are running Microsoft Exchange on IIS.