Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008
Tool Location
The Setspn command-line tool is included when you install Windows Server 2003 Support Tools from the product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
Setspn.exe: Manipulate Service Principal Names for Accounts
This command-line tool allows you to read, modify, and delete the Service Principal Names (SPN) directory property for an Active Directory service account. SPNs are used to locate a target principal name for running a service. You can use Setspn to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs.
It is not usually necessary to modify SPNs. They are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information can become stale. For instance, if the computer name is changed, the SPNs for installed services must be changed to match the new computer name. Also, some services and applications may require manual modification of a service account's SPN information to authenticate correctly.
Corresponding UI
There is no corresponding user interface (UI) for this tool.
Concepts
In Active Directory, the servicePrincipalName (SPN) attribute is a multivalued, nonlinked attribute that is built from the DNS host name. The SPN is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect.
System Requirements
The following are the system requirements for Setspn:
- Windows XP Professional or Windows Server 2003
File Required
- Setspn.exe
Permission Requirements
To perform the tasks that are described in the following sections, you must have membership in Domain Admins, Enterprise Admins, or you must have been delegated the appropriate authority. For information on delegating the permissions to modify SPNs, see Delegating Authority to Modify SPNs.
Using Setspn.exe
When you install the Setspn.exe tool from Windows Server 2003 Support Tools, you should be able to access the tool at a command prompt (cmd.exe).
To start using Setspn.exe:
- Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then press ENTER.
- At the command prompt, type setspn, and then press ENTER.
You should see the setspn command syntax with usage and switches. If you see a message indicating that setspn is not recognized as an internal or external command, use the following steps to change to the Support Tools folder and run the setspn command.
- To change to the default Support Tools directory, at the command prompt, type cd "c:\Program Files\Support Tools", and then press ENTER.
- At the command prompt, type setspn, and then press ENTER.
The following sections describe how to run basic Setspn.exe commands. For additional information about the options for Setspn.exe, see Setspn Syntax, Setspn Remarks, and Setspn Examples.
SPN Format
When you manipulate SPNs with the Setspn tool, the SPN must be entered in the correct format. The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value. You do not have to enter the port and service name when you use Setspn unless they are nonstandard. For example, if you have a service with the following characteristics:
- Name: MyService
- Running on a computer named DCA
- Uses the TCP or UDP port 8088
- Service name: MyS
- Location: in the directory under an organizational unit (OU) named CS, in a domain named cpandl.com
the SPN looks like the following:
MyService/DCA.cpandl.com:8088/CN=MyS,OU=CS,DC=cpandl,DC=com
The remaining examples in this topic assume that the default port and service name are used for SPNs, which is typical. If you need more information about specifying a nonstandard SPN configuration, see Name Formats for Unique SPNs (http://go.microsoft.com/fwlink/?LinkId=102555).
Assume that there is a server named WS2003A that is providing remote desktop (RDP) services over the default port (TCP 3389). This server registers the following two SPNs in its own Active Directory computer object:
TERMSRV/WS2003A
TERMSRV/WS2003A.cpandl.com
Viewing SPNs
To view a list of the SPNs that a computer has registered with Active Directory from a command prompt, use the setspn -l hostname command, where hostname is the actual host name of the computer object that you want to query.
Note: To find the host name for a computer from a command prompt, type hostname, and then press ENTER.
For example, to list the SPNs of a computer named WS2003A, at the command prompt, type setspn -l WS2003A, and then press ENTER. A domain controller named WS2003A in Cpandl.com, which is also functioning as a global catalog server and Domain Name System (DNS) server, registers the following SPNs:
Registered ServicePrincipalNames for CN=WS2003A,OU=Domain Controllers,DC=cpandl,DC=com:
ldap/WS2003A.cpandl.com/ForestDnsZones.cpandl.com
ldap/WS2003A.cpandl.com/DomainDnsZones.cpandl.com
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/WS2008A.cpandl.com
DNS/WS2003A.cpandl.com
GC/WS2003A.cpandl.com/cpandl.com
HOST/WS2003A.cpandl.com/CPANDL
HOST/WS2003A
HOST/WS2003A.cpandl.com
HOST/WS2003A.cpandl.com/cpandl.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/70906edd-c8a5-4b7d-8198-4f970f7b9f52/cpandl.com
ldap/70906edd-c8a5-4b7d-8198-4f970f7b9f52._msdcs.cpandl.com
ldap/WS2003A.cpandl.com/CPANDL
ldap/WS2003A
ldap/WS2003A.cpandl.com
ldap/WS2003A.cpandl.com/cpandl.com
The globally unique identifier (GUID) 70906edd-c8a5-4b7d-8198-4f970f7b9f52 identifies the NTDS Settings object of the domain controller (NTDS-DSA), which is unique for each domain controller. The other two GUIDs, NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232 and E3514235-4B06-11D1-AB04-00C04FC2DCD2, identify the File Replication Service (NTFRS) and the Directory Replication Service (DRS) remote procedure call (RPC), respectively, and they are standard SPNs for all domain controllers.
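As an added example (not part of this topic and not code from the Setspn tool), the following Python script does two things the text above describes: it splits an SPN into the serviceclass/host:port/servicename components explained under SPN Format, and it audits a saved setspn -l listing like the one above for entries whose host part is not one of the computer's own names. The listing is embedded as a constructed sample copied from the output shown above, so the script runs offline. The audit rule is an assumption of this script, not a rule of the tool: it accepts the computer's short name, its fully qualified name, and the NTDS Settings GUID that a domain controller registers under _msdcs, and reports every other host for review, because a computer rename (as described at the top of this topic) leaves exactly such entries behind. An alias that was registered on purpose is reported too, so the output is a review list rather than a verdict.

```python
import re

# Constructed sample: the "setspn -l WS2003A" output shown on this page,
# embedded so the script can run without a domain controller.
SAMPLE_LISTING = """Registered ServicePrincipalNames for CN=WS2003A,OU=Domain Controllers,DC=cpandl,DC=com:
    ldap/WS2003A.cpandl.com/ForestDnsZones.cpandl.com
    ldap/WS2003A.cpandl.com/DomainDnsZones.cpandl.com
    NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/WS2008A.cpandl.com
    DNS/WS2003A.cpandl.com
    GC/WS2003A.cpandl.com/cpandl.com
    HOST/WS2003A.cpandl.com/CPANDL
    HOST/WS2003A
    HOST/WS2003A.cpandl.com
    HOST/WS2003A.cpandl.com/cpandl.com
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/70906edd-c8a5-4b7d-8198-4f970f7b9f52/cpandl.com
    ldap/70906edd-c8a5-4b7d-8198-4f970f7b9f52._msdcs.cpandl.com
    ldap/WS2003A.cpandl.com/CPANDL
    ldap/WS2003A
    ldap/WS2003A.cpandl.com
    ldap/WS2003A.cpandl.com/cpandl.com
"""

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_spn(spn):
    """Split serviceclass/host[:port][/servicename] into its parts.

    Port and service name are optional, as the SPN Format section says.
    Raises ValueError for a string that does not fit the format.
    """
    parts = spn.split("/", 2)          # servicename may itself contain "/"
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    serviceclass, hostport = parts[0], parts[1]
    servicename = parts[2] if len(parts) == 3 else None
    host, sep, port_text = hostport.partition(":")
    if not host:
        raise ValueError(f"missing host in SPN: {spn!r}")
    port = None
    if sep:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in SPN: {spn!r}")
        port = int(port_text)
    return {"serviceclass": serviceclass, "host": host,
            "port": port, "servicename": servicename}


def is_valid_spn(spn):
    """True when parse_spn accepts the string."""
    try:
        parse_spn(spn)
        return True
    except ValueError:
        return False


def parse_listing(text):
    """Return (account DN, [SPN, ...]) from text printed by setspn -l."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = re.match(r"Registered ServicePrincipalNames for (.+):$", lines[0])
    if not m:
        raise ValueError("not a setspn -l listing")
    return m.group(1), lines[1:]


def audit_listing(text, computer_name, dns_domain):
    """Label each SPN 'ok' or 'review' by its host component.

    Assumption of this script: hosts other than the computer's short name,
    its FQDN and the NTDS Settings GUID a DC registers under _msdcs deserve
    a look (a renamed computer leaves such entries behind).
    """
    _dn, spns = parse_listing(text)
    expected = {computer_name.lower(), f"{computer_name}.{dns_domain}".lower()}
    msdcs_suffix = f"._msdcs.{dns_domain}".lower()
    # Learn the DC's NTDS Settings GUID from its ldap/<guid>._msdcs.<domain>
    # entry; the DRS SPN (E3514235-.../<guid>/<domain>) uses the same GUID.
    for spn in spns:
        host = parse_spn(spn)["host"].lower()
        if host.endswith(msdcs_suffix) and GUID_RE.match(host[:-len(msdcs_suffix)]):
            expected.add(host)
            expected.add(host[:-len(msdcs_suffix)])
    return [(spn, "ok" if parse_spn(spn)["host"].lower() in expected else "review")
            for spn in spns]


def review_list(text, computer_name, dns_domain):
    """Just the SPNs that audit_listing marked for review."""
    return [spn for spn, verdict in audit_listing(text, computer_name, dns_domain)
            if verdict == "review"]


if __name__ == "__main__":
    for spn, verdict in audit_listing(SAMPLE_LISTING, "WS2003A", "cpandl.com"):
        print(f"{verdict:6} {spn}")
```

Run against the sample, the script reports only the NTFRS entry, whose host (WS2008A.cpandl.com) is not a name of WS2003A; every HOST, ldap, GC and DNS entry, and the two GUID-based replication entries, pass. To audit a real computer, redirect setspn -l hostname to a file and pass its contents in place of SAMPLE_LISTING.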
Note: If constrained delegation is in use on a Windows Server 2003 computer that requires an SPN modification, some SPNs may not appear. For more information, see article 936628 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=102306).
Resetting SPNs
If the SPNs that you see for your server display what seem to be incorrect names, consider resetting the computer to use the default SPNs. To reset the default SPN values, use the setspn -r hostname command at a command prompt, where hostname is the actual host name of the computer object that you want to update.
For example, to reset the SPNs of a computer named server2, type setspn -r server2, and then press ENTER. You receive confirmation if the reset is successful. To verify that the SPNs are displayed correctly, type setspn -l server2, and then press ENTER.
Note: For information related to troubleshooting SPN issues, see Service Logons Fail Due to Incorrectly Set SPNs (http://go.microsoft.com/fwlink/?LinkId=102554).
Adding SPNs
To add an SPN, use the setspn -a service/name hostname command at a command prompt, where service/name is the SPN that you want to add and hostname is the actual host name of the computer object that you want to update. For example, if there is an Active Directory domain controller with the host name server1.contoso.com that requires an SPN for the Lightweight Directory Access Protocol (LDAP), type setspn -a ldap/server1.contoso.com server1, and then press ENTER to add the SPN.
Removing SPNs
To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. For example, if the SPN for the Web service on a computer named Server3.contoso.com is incorrect, you can remove it by typing setspn -d http/server3.contoso.com server3, and then pressing ENTER.
For more information about SPNs, see Service Principal Names (http://go.microsoft.com/fwlink/?LinkId=102556).
More Information:
A security principal is created to authorize Kerberos communication. NTLM, the default Windows security protocol, does not allow security tokens to be passed from one server to the other.
The SetSPN command line tool is not available on a Windows 2003 Server by default. It is part of Windows Support Tools utility. Windows Support Tools can be installed from the Windows Server 2003 installation CD.
To install the SetSPN Windows Support Tools utility on a Windows 2003 Server:
1. Open Windows Explorer to the folder where you copied the Windows Support Tools package.
2. Run the following file: SUPTOOLS.MSI
SetSPN is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use setspn, you must run the setspn command from an elevated command prompt.
To grant the remote database access privileges to a Domain account using the SetSPN utility:
1. IMPORTANT: Log into Windows using a Domain Administrator account. This level of security privileges is required to successfully complete the remaining steps.
2. To access SetSPN:
   - For Windows Server 2003: open Start > Programs > Support Tools > Command Prompt to open a command prompt.
   - For Windows Server 2008: click Start, right-click Command Prompt, and then click Run as administrator.
3. Set a fully qualified domain name, friendly name, and DNS name on the Server machine so that any client can access it:
   a. To set the fully qualified domain name, execute the setspn command using the following syntax: setspn -a http/machinename.domain.com domain\username
      IMPORTANT: Be sure to include the domain name in the command: machinename.domain.com. The machinename refers to the machine name.
   b. To set the friendly name, execute the setspn command using the following syntax: setspn -a http/machinename domain\username
   c. To set the DNS name or alias used to abstract the physical hardware, execute the setspn command using the following syntax: setspn -a http/dns domain\username
4. Verify whether this has been properly set by running the following command: setspn -l domain\username
   The result should list http/machinename.domain.com.
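As an added example for step 4 above and for the Adding SPNs section earlier (not code from the original page or from the Setspn tool), this Python script checks a saved setspn -l listing for a service account against the three http SPN forms registered in steps 3a to 3c and reports what is missing or unexpected. The listing is a constructed sample using the placeholder names from the steps (machinename, domain.com, dns, username); it deliberately lacks the alias entry from step 3c so the check has something to report. Comparison is case-insensitive, which matches how Active Directory compares servicePrincipalName values.

```python
# Constructed sample output of "setspn -l domain\username" after steps 3a and
# 3b have been run but step 3c has not. Account and host names are the
# placeholders from the steps above, not a real environment.
SAMPLE_ACCOUNT_LISTING = """Registered ServicePrincipalNames for CN=username,CN=Users,DC=domain,DC=com:
    http/machinename.domain.com
    HTTP/machinename
"""


def expected_http_spns(machine_name, dns_domain, alias=None):
    """The SPN forms registered in steps 3a (FQDN), 3b (short name), 3c (alias)."""
    spns = {f"http/{machine_name}.{dns_domain}", f"http/{machine_name}"}
    if alias:
        spns.add(f"http/{alias}")
    return spns


def listed_spns(text):
    """SPN lines from setspn -l output; the first line is the account header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return lines[1:]


def check_registration(text, machine_name, dns_domain, alias=None):
    """Return (missing, unexpected) as sorted lists of lower-cased SPNs.

    Lower-casing both sides mirrors Active Directory's case-insensitive
    comparison of servicePrincipalName values.
    """
    expected = {s.lower() for s in expected_http_spns(machine_name, dns_domain, alias)}
    present = {s.lower() for s in listed_spns(text)}
    return sorted(expected - present), sorted(present - expected)


if __name__ == "__main__":
    missing, unexpected = check_registration(
        SAMPLE_ACCOUNT_LISTING, "machinename", "domain.com", alias="dns")
    print("missing:   ", missing)       # the step 3c alias entry
    print("unexpected:", unexpected)    # anything registered beyond the three
```

With the sample input the script reports http/dns as missing and nothing unexpected; after step 3c has been run the missing list is empty. Extra entries in the unexpected list are worth a second look, since an SPN on the wrong account is a common cause of the authentication failures this tool is used to fix.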