7,023 questions
Do you have the same error when you use the command setspn :
setspn -d MSSQLSvc/servername.domainname.local:1433 sqlsvc.admin
Please don't forget to accept helpful answer
Unable to edit Service Principal Name for certain users.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 15%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
Moshiur (Moshiur Khan)
80
Reputation points
To avoid a kerberoasting issue, a client made a request to identify the users and take the necessary actions.
Removing the Service Principal Name seems to be the solution, but I have been unsuccessful in removing the SPN using the normal means.
The normal means:
- Through Attribute Editor:
find the users (Sqlsvcadmin, -client created adminuser-) in their respective OUs, open properties, go to attribute editor and edit.
Result: No edit option. SPN seems to be view only. - Through powershell:
Ran this code with admin privileges:
Set-ADUser -Identity sqlsvc.admin -ServicePrincipalNames @{Remove='MSSQLSvc/servername.domainname.local:1433'}
Result: an error showing the current user account does not have the required privilege.
Some things to note:
The user account used for the above scenarios is a domain admin with the schema admin and enterprise admin role. Verified the account is able to edit spn just fine.
The user account sqlsvcadmin mentioned to be edited is a service account and are a part of the domain admin group. The client created admin user shared the same spn but we are unable to remove it from that user either.
After my research I've come to the conclusion that it must be a service dependency that is denying the modification of the SPN.
I would like some insight and possible solutions to this issue.
-Cheers
Moshiur
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,261 Reputation points Moderator2023-12-17T22:59:44.17+00:00
-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-18T00:02:25.2366667+00:00 Hey there! Yes, I've tried that command as well. As mentioned in the post, for some reason I'm not able to edit/modify the spn at all even as domain admin for those two accounts specifically.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-12-18T11:24:38.92+00:00 By default domain admins is able to modify the SPN of each domain account.
However , may be this herited permission has been removed or a Deny access has been configured on this account to prevent the SPN modification on this account :
Please don't forget to accept helpful answer
-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-19T10:11:10.1133333+00:00 Hi Thameur,
Can you guide me to the window you've shared on that screenshot? I can't seem to find it through ordinary means.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-12-19T13:11:05.88+00:00 You can open Active Directory Administrative Center and search target account and click on security tab. there you will find all security permission (Allow and deny) for this object:
Please don't forget to accept helpful answer and close this thread
-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-20T05:30:16.65+00:00 Hi Thameur,
I followed your suggestion and found that there were no issues in perms. Domain admin has the right to change spn and the no deny policy is in play.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-12-20T06:08:54.96+00:00 Did you try to make the change directly on Active Directory?
Did you try with another account?
Please don’t forget to accept helpful answer
-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-20T06:23:44.6233333+00:00 Yes to both.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-12-20T07:10:05.48+00:00 Did you try to edit spn using graphical mode?
Try launching Active Directory Administrative Center as administrator and search the service account and go to attribute tab to edit SPN .
Please don’t forget to accept helpful answer
-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-20T07:43:43.5233333+00:00 Yes. Still can't edit it there either.
-
Thameur-BOURBITA 36,261 Reputation points Moderator
2023-12-20T15:17:54.5666667+00:00 Did have the same behavior if you create new service account and put it same OU ?
can you please share with us what you see in the security tab for this service account and it's OU ?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2023-12-18T06:00:26.5866667+00:00 Hello
Moshiur (Moshiur Khan),Thank you for posting in Q&A forum.
You can give the permissions to the domain admin and check the result.
Right click the user you want to remove/delete the SPN from.
And select Properties and Security tab.
Check if the domain admin has permissions
Read ServicePrincipleName
Write ServicePrincipleName
Or
Read msDS-PrincilpeName
Read msDS-PrincilpeNameIf no, you can try to give him/her permissions above.
If it odes not work, you can give him/her permissions below.
read all properties
write all propertiesHope the information above is helpful.
If you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou-
Moshiur (Moshiur Khan) 80 Reputation points
2023-12-18T06:12:01.7633333+00:00 Thank you for the suggestions @Anonymous , but as mentioned in the description the domain admins are able to modify spn attribute for other users just fine. My request was to identify whether my conclusion of the denial to change of spn is a service dependency enforced on the specific user/service account or not.
Thanks,
Moshiur
Sign in to comment -