The setspn command-line tool is used to read, modify, and delete the Service Principal Name (SPN) directory property for an Active Directory (AD) service account. SPNs are essential for locating a target principal name associated with a service. With setspn, you can view existing SPNs, reset an account's default SPNs, and add or remove additional SPNs as needed.
It's unnecessary to manually modify SPNs since they're automatically set up when a computer joins a domain or when services are installed. However, SPN information can become outdated in certain cases. For instance, if a computer's name changes, the SPNs tied to its services need updating to match the new name. Additionally, some services and applications might require manual updates to a service account's SPN settings to ensure proper authentication.
In AD, the servicePrincipalName attribute is a multivalued, nonlinked attribute built from the Domain Name System (DNS) host name. SPNs are used for mutual authentication between the client and the server hosting a service. The client locates a computer account using the SPN of the service it's trying to connect to.
SPN format
When you modify SPNs using setspn, the SPN must be entered in the correct format. The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value. Unless the service name and port are nonstandard, you don't have to enter them when you use setspn. For example, a server named WSRV2022 that provides Remote Desktop (RDP) services over the default port TCP 3389 registers the following two SPNs in its own AD computer object:
TERMSRV/WSRV2022
TERMSRV/WSRV2022.contoso1.com
If you need to specify a nonstandard SPN configuration, see Name Formats for Unique SPNs.
Prerequisites
The Active Directory Domain Services (AD DS) role must be installed on your device. To learn more, see Install or Uninstall Roles, Role Services, or Features.
The devices in your environment must be domain-joined.
You must be a member of the Domain Admins or Enterprise Admins group.
- If you aren't a member of either the Domain Admins or Enterprise Admins groups, you must have read and write permissions on the servicePrincipalName attribute of the object in AD.
Manage SPNs
You can configure SPNs in your environment from an elevated command prompt or an elevated PowerShell window. The following sections describe both methods.
Command prompt method
To add an SPN, run the following command. Replace service/name with the SPN you want to add and hostname with the host name of the computer object you want to update:
setspn -S <service/name> <hostname>
For example, if there's an AD DC with the host name server1.contoso.com that requires an SPN for the Lightweight Directory Access Protocol (LDAP), type:
setspn -S ldap/server1.contoso.com server1
PowerShell method
In PowerShell, the Set-ADUser cmdlet is used for user accounts and Set-ADComputer for computer accounts.
To add an SPN, run the following commands. Replace UserName, ComputerName, and the $spn values with the appropriate values for the user account or computer account:
# User account: append an SPN to the multivalued servicePrincipalName attribute
$userID = "UserName"
$spn = "HTTP/webserver.domain.com"
Set-ADUser -Identity $userID -Add @{ServicePrincipalName=$spn}
# Computer account: the same operation with Set-ADComputer
$computerID = "ComputerName"
$spn = "HTTP/computerserver.domain.com"
Set-ADComputer -Identity $computerID -Add @{ServicePrincipalName=$spn}
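As an added example (not code from the original page), here is a PowerShell helper that enforces the serviceclass/host:port/servicename format from the SPN format section, checks the domain for an existing holder of the SPN before writing (setspn -S performs this duplicate check for you; Set-ADUser and Set-ADComputer -Add do not, and a duplicate SPN causes Kerberos authentication to that service to fail), then adds the SPN with the cmdlets shown above and reads the attribute back to confirm the write. The regular expression, the LDAP filter escaping, the function names, and the account names WEB01 and web01.contoso.com are my own assumptions.

```powershell
Import-Module ActiveDirectory

function Test-SpnFormat {
    param([Parameter(Mandatory)][string]$Spn)
    # serviceclass/host[:port][/servicename]; a port, when present, must be 1-65535
    $pattern = '^(?<class>[^/:\s]+)/(?<host>[^/:\s]+)(?::(?<port>\d{1,5}))?(?:/(?<svc>[^/\s]+))?$'
    if (-not ($Spn -match $pattern)) { return $false }
    if ($Matches['port'] -and ([int]$Matches['port'] -lt 1 -or [int]$Matches['port'] -gt 65535)) { return $false }
    return $true
}

function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Escape LDAP filter metacharacters, then look for any object already holding this SPN.
    # This searches the current domain; point -Server at a global catalog (port 3268) to cover the forest.
    $escaped = $Spn -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29'
    Get-ADObject -LDAPFilter "(servicePrincipalName=$escaped)" -Properties servicePrincipalName
}

function Add-SpnSafely {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Identity,
        [ValidateSet('Computer','User')][string]$AccountType = 'Computer'
    )
    if (-not (Test-SpnFormat $Spn)) {
        throw "SPN '$Spn' is not in serviceclass/host[:port][/servicename] form."
    }
    $owner = Find-SpnOwner $Spn
    if ($owner) {
        throw "SPN '$Spn' is already registered on $($owner.DistinguishedName); refusing to create a duplicate."
    }
    if ($AccountType -eq 'Computer') {
        Set-ADComputer -Identity $Identity -Add @{servicePrincipalName = $Spn}
        $after = (Get-ADComputer -Identity $Identity -Properties servicePrincipalName).servicePrincipalName
    } else {
        Set-ADUser -Identity $Identity -Add @{servicePrincipalName = $Spn}
        $after = (Get-ADUser -Identity $Identity -Properties servicePrincipalName).servicePrincipalName
    }
    # Read the attribute back so success is reported only if the write actually landed
    return ($after -contains $Spn)
}

# Usage with hypothetical names: register an HTTP SPN on the computer account WEB01
# Add-SpnSafely -Spn 'HTTP/web01.contoso.com' -Identity 'WEB01' -AccountType Computer
```

The caller still needs write access to servicePrincipalName on the target object, either through Domain Admins/Enterprise Admins membership or through the validated-write delegation described in the next section.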
Grant SPN permissions to non admins
Users who aren't members of the Domain Admins or Enterprise Admins group need the proper permissions before they can modify SPNs. You can grant these permissions through Active Directory Users and Computers (ADUC) or PowerShell. The following steps use ADUC.
In Server Manager, select Tools, then select Active Directory Users and Computers.
Select the View tab, then select Advanced Features.
In the left pane, right-click on the domain where you want to allow a disjoint namespace, then select Properties.
Select the Security tab, select Advanced.
Under the Permissions tab, select Add.
Select Select a principal, under Enter the object names to select, type the group or user account name to which you want to delegate permission, then select OK.
To view all available groups and user accounts in your domain, select Advanced, then select Find Now.
Under Applies to, select Descendant Computer objects.
Under Permissions, select the Validated write to service principal name checkbox, then select OK on the three open dialog boxes to apply your changes.