Hi!

You might remember me from such posts as Kerbie Goes Bananas, and SetSPN improvements for Windows 2008. Or something.

I'm here with a public service announcement! Excitement!

It's been long enough since Windows 2008 (and the downlevel release of SetSPN) that I feel comfortable respectfully asking you to please:

Search and Replace SetSPN -A with SetSPN -S.

In your organization, if you ever happen to run across a document that describes a procedure that looks anything like this:

SetSPN -A http/yourwebfarm DOMAIN\YourFarmAccount

Please:

  •  mail the author, or
  •  file a bug against the content, or
  •  use the Community Content feature if it's somewhere on Technet, or
  •  mail anyone and everyone responsible for upkeep or implementation of that document

to change the SETSPN -A command to a SETSPN -S.

You may need to include a foreword describing where to get the 2008 version of SetSPN (I think I may have just spoiled it for you) if you're still strongly a 2003/XP shop, with no newer SetSPN-toting OSs available.

Why the change?

Because it'll hurt you less in the long run.

The original release of SetSPN was strongly account-centric. Given a Windows account, it would let you:

  • Add an SPN to that account
  • Remove an SPN from that account
  • List the SPNs associated with that account

Unfortunately, this makes it very easy to add the same SPN to multiple accounts - creating a duplicate SPN. This is a very bad thing.

The same SPN can't easily be added more than once to the same user account, but the original tool does nothing to prevent the same SPN being added to multiple user accounts - and unfortunately, that's exactly the situation you're trying to avoid.

BAD EXAMPLES BAD BAD DO NOT USE BAD

Any of

  • SETSPN -A http/farm DOMAIN\FarmUser
  • SETSPN -A http/farm DOMAIN\FarmComputer$

or

  • SETSPN -A http/farm DOMAIN\FarmComputer1$
  • SETSPN -A http/farm DOMAIN\FarmComputer2$

or

  • SETSPN -A http/farm ANYTHING followed by
  • SETSPN -A http/farm ANYTHING_ELSE

breaks kerberos for http://farm.

To restate the rule: One SPN can be associated with precisely one account.

So please, use SetSPN -S

And that's exactly what SETSPN -S is designed to prevent. SETSPN -S performs a quick check for duplicates before adding an SPN - which is the best possible time at which to catch the problem. So yay-the-Windows-2008-AD-team.

Duplicates! Gotta Catch 'Em All 2011 Edition

If you suspect you have duplicate SPNs in your environment, well, why just suspect? Run

  • SETSPN -X

To be told explicitly what duplicates you have kicking around in AD (there are forestwide switches you can use too). Yep, that used to be a nasty LDIFDE export with an LDAP filter expression; much simpler now!