How to correctly set SPN on gMSA used for scheduled tasks

David Hood 41 Reputation points

I need to know how EXACTLY to set a SPN for a new gMSA that I am about to create. I have read many articles for creating a gMSA, but they all have a generic "SPN1, SPN2" for the examples or something referencing SQL instances for the SPN. What is the format or wording that the SPN needs to be set to?
I am creating our first gMSA in AD (Domain functional level is 2016) and this one will be only for scheduled tasks on one or two servers to start with. Then I will look into creating one for SQL services after I get this correct.
If I create a gMSA with the name as "TaskAcct", then do I create a SPN for it like "http\taskacct"? How do I do this? I feel there is very little to no documentation on how to do this correctly. If I set one up for a SQL service, or any other service for an application to run as that account, what would the SPN look like?

I checked this but that didn't help much.


Accepted answer
  1. cthivierge 3,981 Reputation points

    Well... it depends on what your goal is.

    Let me explain...

    When you configure a SPN on a Server, it's to give the ability to a client to connect to this service using Kerberos authentication.

    If it's a scheduled task that runs on a Windows Server and only this server will make the calls to other servers, there is no need to create a SPN because nobody will call the scheduler.

    The SPN has to be configured on the Active Directory object where the service is running.

    For example,
    Let's say you have a SQL Server instance (let's say the default instance) that is running on SQL001.
    The SQL Engine Service is configured to run using the computer account.
    In that case, the SPN has to be configured on the computer account SQL001 because when clients try to connect to the SQL Server (SQL001), they will request a Kerberos ticket that matches the server name.
    In that case, the command to register the SPN would be --> setspn -S MSSQLSvc/SQL001 SQL001

    Another scenario is if the same SQL Server is configured to run using a Group Managed Service Account (gMSA) called gmsa_sql$
    In this scenario, the SPN has to be configured on the gmsa_sql$ account.
    In that case, the command to register the SPN would be --> setspn -S MSSQLSvc/SQL001 gmsa_sql$
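
Added example, not part of the answer above or of any Microsoft code: the two cases it describes, written with the ActiveDirectory PowerShell module, with a check that the SPN is not already held by another account before it is added to the gMSA. The names TaskAcct, TaskServers, corp.example and the function Add-GmsaSpn are hypothetical; it assumes the domain already has a KDS root key.

```powershell
# Added example. All names (TaskAcct, TaskServers, gmsa_sql, SQL001,
# corp.example) are placeholders; run from a host with the ActiveDirectory module.
Import-Module ActiveDirectory

# Case 1: gMSA that only runs scheduled tasks. Nothing requests a Kerberos
# service ticket *for* it, so it is created without any SPN.
New-ADServiceAccount -Name 'TaskAcct' -DNSHostName 'TaskAcct.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'TaskServers'

# Case 2: a service that clients connect to runs as the gMSA, so the SPN
# must live on the gMSA object and on no other account.
function Add-GmsaSpn {
    param(
        [Parameter(Mandatory)] [string]   $Account,       # gMSA name, without the trailing $
        [Parameter(Mandatory)] [string]   $ServiceClass,  # e.g. MSSQLSvc, HTTP
        [Parameter(Mandatory)] [string[]] $HostNames      # short name and FQDN clients use
    )
    $gmsa = Get-ADServiceAccount -Identity $Account -Properties ServicePrincipalNames
    foreach ($name in $HostNames) {
        $spn = "$ServiceClass/$name"
        # Every object in the current domain that already carries this SPN.
        $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        $foreign = @($holders | Where-Object DistinguishedName -ne $gmsa.DistinguishedName)
        if ($foreign.Count -gt 0) {
            # A duplicate SPN breaks Kerberos for the service; report it and do not add another.
            Write-Warning "$spn is already on: $($foreign.DistinguishedName -join '; ')"
            continue
        }
        if ($holders.Count -eq 0) {
            Set-ADServiceAccount -Identity $gmsa -ServicePrincipalNames @{ Add = $spn }
        }
    }
    # Return what is registered on the gMSA after the change.
    (Get-ADServiceAccount -Identity $Account -Properties ServicePrincipalNames).ServicePrincipalNames
}

Add-GmsaSpn -Account 'gmsa_sql' -ServiceClass 'MSSQLSvc' -HostNames 'SQL001', 'SQL001.corp.example'
```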


2 additional answers

  1. cthivierge 3,981 Reputation points

    The SPN creation format is the following

    setspn -S [Service]/HostName account

    The service that will be accessed is HTTP
    The host (The server where the gmsa will run) is Server01
    The account (the gMSA account) is gmsa_taskAcct

    The command will be the following:
    setspn -S HTTP/Server01 gmsa_taskAcct$

    If your users will access the server using the FQDN, also add the long name like that:
    setspn -S HTTP/ gmsa_taskAcct$


  2. Limitless Technology 37,771 Reputation points

    Hello DavidHood,

    A prerequisite to configuring an assessment scheduled task to run as an MSA is to provision or create the MSA in Active Directory Domain Services. Each of the supported assessments specifies the authorization and access requirements of the scheduled task account to successfully run.

    Consult supported assessment getting started documents and prerequisite documents for access requirement details of the scheduled task account.

    There are two types of managed service accounts. Either may be configured for the assessment scheduled task for the supported assessments:

    Standalone Managed Service Accounts (also known as Virtual Accounts) can only be authorized to authenticate on a single domain joined computer.
    Group Managed Service Accounts can be authorized to authenticate on several domain computers.

    The Windows PowerShell Active Directory module is required for provisioning and configuring both types of MSAs. Domain controllers typically have this PowerShell module installed during installation of the domain controller role.

    The module, a component of the Remote Server Administrator Tools, may be added to Windows Server SKUs via Server Manager. The module may also be added to Windows 1

    Here’s a link that will help guide you as well:
