SETSPN -A with Windows 2012 does a duplicate check upfront
If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas. I recently set up a Windows 2012 server to just see how SharePoint Integration with Reporting Services would work out.
As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server. As I created the SPN, I saw something very interesting.
The “Checking domain” piece made me assume that this was actually seeing if the SPN existed. Basically checking to make sure this wouldn’t be a duplicate. Then I decided to validate that assumption.
I have a bogus SPN sitting on my Claims Service account to allow me to set up delegation. I’m going to use that for the test. It is just “my/spn”.
So, let's try adding that to another account.
That’s awesome!
I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.
What's New in Kerberos Authentication (Windows 2012/Windows 8)
https://technet.microsoft.com/en-us/library/hh831747.aspx
Of note, this functionality actually existed within the Windows 2008/R2 SetSPN as the -S switch. With the Windows 2012 version, -A just behaves the same as -S now. Which is good.
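The following is an added example, not part of the original post or any Microsoft tooling: a PowerShell pre-flight lookup that lists which accounts already hold an SPN before it is registered with `setspn -S`. The function names and the `CONTOSO\svc-example` account are hypothetical; `my/spn` is the test SPN from the post.

```powershell
# Added example. Function names and the sample account are hypothetical.

function Find-SpnHolder {
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515), backslash first.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # Searches the current domain only (not the whole forest).
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    foreach ($p in 'sAMAccountName', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$r.Properties['samaccountname'][0]
            DN      = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

function Add-SpnChecked {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account  # sAMAccountName or DOMAIN\name
    )
    # Ignore a match on the target account itself; anything else is a duplicate.
    $target = ($Account -split '\\')[-1]
    $others = @(Find-SpnHolder -Spn $Spn |
                Where-Object { $_.Account -ne $target })
    if ($others.Count -gt 0) {
        Write-Warning "$Spn is already registered; not adding a duplicate."
        return $others
    }
    # -S performs its own duplicate check on 2008/R2 and 2012 alike.
    & setspn.exe -S $Spn $Account
}

# Read-only lookup of the test SPN from the post:
Find-SpnHolder -Spn 'my/spn'
# To register it (modifies the directory):
# Add-SpnChecked -Spn 'my/spn' -Account 'CONTOSO\svc-example'
```

Scripting against `-S` rather than `-A` keeps the duplicate check in place when the script runs on a Windows 2008/R2 machine as well.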
Adam W. Saxton | Microsoft Escalation Services
https://twitter.com/awsaxton