Update: Most recent SetSPN ramblings (short: use -S instead of -A).
All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.
I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.
... SetSPN got revamped! And it's available from the Download Centre for Windows Server 2003.
We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad: if the same SPN is registered on two accounts, the KDC can't tell which account's key the service ticket should be encrypted with, and Kerberos authentication to that service breaks. (The Wiki is still down, by the way, sorry).
We know that it's been a little bit iffy configuring said SPNs and that the chance of getting it wrong was quite high - there was no check in SetSPN -A that prevented registering the same SPN twice, against two different accounts.
Worse: SetSPN was focused on the account (security principal) only - if you thought you had a duplicate, you needed a customized LDIFDE query to track it down by SPN value, because SetSPN could only search by account, not by SPN.
Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!
Yes folks, SetSPN now has SANITY CHECK (-S) switches and FIND THE PROBLEM (-X) switches! HOW COOL IS THAT!?
In order to not break backwards compatibility (I infer; I didn't actually participate in the conversation or decision making process), these are implemented as new switches rather than as a change to the behaviour of the old ones: existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won't (er, shouldn't) suddenly break.
C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
  Where 'computername' can be the name or domain\name

Modifiers:
  -F = perform the duplicate checking on forestwide level
  -P = do not show progress (useful for redirecting output to file)

Switches:
  -R = reset HOST ServicePrincipalName
       Usage:   setspn -R computername
  -A = add arbitrary SPN
       Usage:   setspn -A SPN computername
  -S = add arbitrary SPN after verifying no duplicates exist
       Usage:   setspn -S SPN computername
  -D = delete arbitrary SPN
       Usage:   setspn -D SPN computername
  -L = list registered SPNs
       Usage:   setspn [-L] computername
  -Q = query for existence of SPN
       Usage:   setspn -Q SPN
  -X = search for duplicate SPNs
       Usage:   setspn -X

Examples:
  setspn -R daserver1
     It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
  setspn -A http/daserver daserver1
     It will register SPN 'http/daserver' for computer 'daserver1'
  setspn -D http/daserver daserver1
     It will delete SPN 'http/daserver' for computer 'daserver1'
  setspn -F -S http/daserver daserver1
     It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest
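The usage text above describes what -Q, -S and -X do. Here, as an added example that is not from the original post and is not SetSPN's own code, is a PowerShell script that does the same three things directly against Active Directory, the way the old LDIFDE workaround had to. It assumes a domain-joined machine, a caller who can read the global catalog, PowerShell 2.0 or later, and that the old setspn.exe is on the path; the function names (Get-SpnIndex, Find-DuplicateSpn, Add-SpnIfUnique) are my own.

```powershell
# Added example, not from the original post. Emulates setspn -X (find duplicates),
# setspn -Q (does this SPN exist?) and setspn -S (add only if unique) using
# System.DirectoryServices, so it also works where only the old setspn -A exists.
# Assumptions: domain-joined host, caller can read the global catalog, setspn.exe on the path.

function Get-SpnIndex {
    # Builds a hashtable: SPN (lower-cased; SPN matching is case-insensitive)
    # -> list of distinguishedNames that carry it. Searching GC:// (port 3268)
    # gives the forest-wide view that setspn -F uses, since servicePrincipalName
    # is replicated to the global catalog.
    param(
        [string]$SearchRoot = ('GC://' + [string]([ADSI]'LDAP://RootDSE').rootDomainNamingContext)
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter = '(servicePrincipalName=*)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000        # paged search; without this, results stop at the server's size limit
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

    $index = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            [void]$index[$key].Add($dn)
        }
    }
    return $index
}

function Find-DuplicateSpn {
    # Equivalent of setspn -F -X: every SPN registered on more than one account.
    # A duplicate means the KDC cannot tell which account's key to use for the
    # service ticket, so Kerberos authentication to that service breaks.
    param([hashtable]$Index = (Get-SpnIndex))

    foreach ($entry in $Index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            New-Object PSObject -Property @{
                SPN      = $entry.Key
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

function Add-SpnIfUnique {
    # Equivalent of setspn -F -S: refuse to register an SPN that already exists
    # anywhere in the forest, otherwise fall back to the old setspn -A for the write.
    param(
        [Parameter(Mandatory = $true)][string]$Spn,       # e.g. 'http/daserver'
        [Parameter(Mandatory = $true)][string]$Account,   # e.g. 'daserver1' or 'CONTOSO\svc-web'
        [hashtable]$Index = (Get-SpnIndex)
    )

    $owners = $Index[$Spn.ToLowerInvariant()]
    if ($owners) {
        throw "Refusing to add $Spn : already registered on $($owners -join '; ')"
    }
    & setspn.exe -A $Spn $Account
    if ($LASTEXITCODE -ne 0) { throw "setspn -A failed with exit code $LASTEXITCODE" }
}

# Usage: list every duplicate in the forest, then try a safe add.
#   Find-DuplicateSpn | Format-Table -AutoSize
#   Add-SpnIfUnique -Spn 'http/daserver' -Account 'daserver1'
```

Building the index once and passing it to both functions keeps this to a single LDAP round of paged queries even on a large forest; the real setspn -S only checks the local domain unless you add -F, which is why the example goes straight to the global catalog.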
So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S. Note from the usage text that -S on its own checks for duplicates within the domain; add -F (setspn -F -S http/daserver daserver1) if the service may be reached from other domains in the forest.
Again, I ask you: How cool is that!?
I should add that I haven't actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a "NotYetImplementedException", please forgive my enthusiasm :)