CSS SQL Server Engineers

This is the official team Web Log for Microsoft Customer Service and Support (CSS) SQL Support. Posts are provided by the CSS SQL Escalation Services

Searching for Duplicate SPN's got a little easier


We get a lot of calls related to Kerberos configuration, and I'm planning to write more about our experiences and troubleshooting techniques for these types of issues across the box (Engine, AS and RS). 

With Windows 2000/2003, SetSPN had only a few commands associated with it.

Switches:
-R = reset HOST ServicePrincipalName
  Usage:   setspn -R computername
-A = add arbitrary SPN
  Usage:   setspn -A SPN computername
-D = delete arbitrary SPN
  Usage:   setspn -D SPN computername
-L = list registered SPNs
  Usage:   setspn [-L] computername

The other problem was that SetSPN was part of the Resource Kit and did not ship with the OS.

This has changed in Windows 2008.  SetSPN is now part of the OS from the moment you install it.  They have also improved what SetSPN can do, namely the ability to look for duplicate SPNs.  In the past I have used numerous tools to look for duplicate SPNs, ranging from DHDiag (an internal CSS tool that uses LDIFDE) to queryspn.vbs to DelegConfig.

Here are the new switches for SetSPN that ships with Windows 2008:

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

The Q switch is really the nice feature here.  It allows you to see whether an SPN is already registered in your domain.  You can also combine it with the F modifier to search the whole forest.

C:\>setspn -q MSSQLSvc/mymachine:1433

No such SPN found.

C:\>setspn -q MSSQLSvc/mymachine.mydomain.com:1433
CN=MYMACHINE,OU=Workstations,DC=mydomain,DC=com
        MSSQLSvc/mymachine.mydomain.com:1433
        HOST/MYMACHINE
        HOST/MYMACHINE.MYDOMAIN.COM

Existing SPN found!

This is just another thing that will make Kerberos configuration/troubleshooting easier for users.
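The same duplicate check can be scripted directly against the directory.  The following is an added example, not code from the post or from SetSPN itself; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and, optionally, a global catalog name passed in -Server so the search covers the whole forest rather than just the current domain.

```powershell
# Added example (not the post's own code): report every SPN that is registered on
# more than one account, the same condition "setspn -X" (and "setspn -X -F") reports.
# Assumes the ActiveDirectory module is installed and the caller can read the directory.
param(
    # Optional: a global catalog in "host:3268" form to search the whole forest,
    # similar to the -F modifier. Default is the current domain only.
    [string]$Server
)

Import-Module ActiveDirectory -ErrorAction Stop

$query = @{
    LDAPFilter = '(servicePrincipalName=*)'
    Properties = 'servicePrincipalName'
}
if ($Server) { $query.Server = $Server }

# Build an SPN -> list of distinguishedName map. The KDC matches SPNs
# case-insensitively (HOST/MYMACHINE and host/mymachine are the same SPN),
# so normalize the case before grouping.
$owners = @{}
foreach ($obj in Get-ADObject @query) {
    foreach ($spn in $obj.servicePrincipalName) {
        $key = $spn.ToLowerInvariant()
        if (-not $owners.ContainsKey($key)) {
            $owners[$key] = [System.Collections.Generic.List[string]]::new()
        }
        $owners[$key].Add($obj.DistinguishedName)
    }
}

# Keep only SPNs that more than one account claims and print them in the
# same shape as the setspn -X output.
$duplicates = $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | Sort-Object Key
if (-not $duplicates) {
    Write-Host 'No duplicate SPNs found.'
    return
}
foreach ($dup in $duplicates) {
    Write-Host "$($dup.Key) is registered on these accounts:"
    foreach ($dn in $dup.Value) { Write-Host "        $dn" }
}
```

The directory alone cannot tell you which copy of a duplicate is the wrong one: the SPN belongs on the account the service actually runs as, so the entry to remove is the one on any other account.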

Adam W. Saxton | Microsoft SQL Server Escalation Services


  • This is not the first time I have run into the situation where configuring delegation for linked servers (as the Russian BOL

  • Ran setspn -X based on the event ID 11 found on Microsoft TechNet.

    This is what I got:

    ---------------------------------------------------------------------------------------------------------------------------------------------

    Microsoft Windows [Version 6.0.6001]

    Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

    C:\Users\Administrator>setspn -x

    Processing entry 1

    CAXOsoftEngine/MAIL.born2saw.local:25000 is registered on these accounts:

           CN=Administrator,CN=Users,DC=born2saw,DC=local

           CN=CABackup CABackup,OU=ITLCORP,OU=Users,OU=Born2saw,DC=born2saw,DC=local

    CAXOsoftEngine/SQL.born2saw.local:25000 is registered on these accounts:

           CN=Administrator,CN=Users,DC=born2saw,DC=local

           CN=CABackup CABackup,OU=ITLCORP,OU=Users,OU=Born2saw,DC=born2saw,DC=local

    CAXOsoftEngine/APPS.born2saw.local:25000 is registered on these accounts:

           CN=Administrator,CN=Users,DC=born2saw,DC=local

           CN=CABackup CABackup,OU=ITLCORP,OU=Users,OU=Born2saw,DC=born2saw,DC=local

    CAXOsoftEngine/SQL.born2saw.local:8088 is registered on these accounts:

           CN=Administrator,CN=Users,DC=born2saw,DC=local

           CN=CABackup CABackup,OU=ITLCORP,OU=Users,OU=Born2saw,DC=born2saw,DC=local

    From the above listed SPNs, how can I find which one has to be deleted?  Any idea?
