New features in SETSPN.EXE on Windows Server 2008

Saurabh Singh — Fri, 09 Jan 2009 03:05:00 GMT

The version of Setspn.exe that came with Microsoft Windows Server 2000/2003 Support Tools did not have features to detect duplicate SPNs. The new version of Setspn.exe that comes bundled with Windows Server 2008 utilities has some really cool features. For someone dealing with the dreaded Kerberos authentication failure issues on a daily basis like me it's a sigh of relief.

If you try the following command on the Windows Server 2008 you will see the various new options (or switches) available.

Notice the modifiers/switches:

-F = perform the duplicate checking on forestwide level

-S = add arbitrary SPN after verifying no duplicates exist

-Q = query for existence of SPN

-X = search for duplicate SPNs

Searching for duplicate SPNs using Setspn.exe:

D:\>setspn -X http/www.test.com
Processing entry 0
http/www.test.com is registered on these accounts:
    CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    CN=<IIS-servername>,OU=Domain Controllers,DC=<some-DC-primary>,DC=<some-DC-secondary> 

found 1 group of duplicate SPNs.

Searching for the existence of an SPN in the domain:

D:\>setspn -Q http/www.test.com
CN=<IIS-servername>,OU=Domain Controllers,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com
    ldap/2334590-45566-113f....
    HOST/<IIS-servername>
    HOST/<IIS-servername.<some-DC-primary>.<some-DC-secondary>
    .......
    .......
CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com 

Existing SPN found!

Adding an arbitrary SPN after verifying no duplicates exist in the domain:

D:\>setspn -S http/www.test.com <IIS-servername>
CN=mstest,CN=Users,.<some-DC-primary>.<some-DC-secondary>
    http/www.test.com 

Duplicate SPN found, aborting operation!

Adding an arbitrary SPN after verifying no duplicates exist in the forest:

D:\>setspn -F -S http/www.test.com <IIS-servername>
Operation will be performed forestwide, it might take a while.
CN=mstest,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com
CN=mstest1,CN=Users,DC=<some-DC-primary>,DC=<some-DC-secondary>
    http/www.test.com 

Duplicate SPN found, aborting operation!

So what does this mean? It means you no longer have to depend upon boggling commands using LDIFDE or your own custom scripts to find out the duplicate SPNs. This is a good news indeed!

*Prior to this using Windows Server 2000/2003 Support Tools we could use commands using LDIFDE to find duplicate SPNs as below:

Syntax:

ldifde -f <filename> -d "<dc=domain-netbiosname,dc=primary-domain>" -l serviceprincipalname -r "(serviceprincipalname=<serviceprincipalname-to-check-for-duplicates>)" -p subtree

For example, if the domain name is test.abcd.com and the site URL is http//test.abcd.com command should be as shown below:

ldifde –f C:\log.txt -d "dc=test, dc=abcd, dc=com"-l serviceprincipalname –r "(serviceprinicpalname=http/test.abcd.com)" -p subtree

With the newer version of Setspn hopefully the dependency on the above command should reduce drastically.

Till next time,

Cheers!

Care, Share and Grow! : Setspn

New features in SETSPN.EXE on Windows Server 2008