If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas. I recently setup a Windows 2012 server to just see how SharePoint Integration with Reporting Services would work out.
As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server. As I created the SPN, I saw something very interesting.
The “Checking domain” piece made me assume that this was actually seeing if the SPN existed. Basically checking to make sure this wouldn’t be a duplicate. Then I decided to validate that assumption.
I have a bogus SPN sitting on my Claims Service account to allow me to setup delegation. I’m going to use that for the test. it is just “my/spn”
So, lets try adding that to another account.
I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.
What's New in Kerberos Authentication (Windows 2012/Windows 8)
Of note, this functionality actually existed within the Windows 2008/R2 SetSPN as the –S switch. With the Windows 2012 version, –A just behaves the same as –S now. Which is good.
Adam W. Saxton | Microsoft Escalation Services