How to Create a Service Principal Name (SPN)

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. The Kerberos authentication service can use an SPN to authenticate a service. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

To create an SPN for a domain account, run the Setspn tool from a command prompt as follows:

    setspn -A HTTP/webservername domain\customAccountName
    setspn -A HTTP/webservername.fullyqualifieddomainname domain\customAccountName

The setspn tool creates an SPN for the custom domain account (domain\customAccountName) and associates the account with the HTTP service on the specified Web server. By running the command twice, as shown above, you associate the account with both the NetBIOS server name and the fully qualified domain name of the server. This ensures that the SPN is established correctly even if your environment does not consistently use fully qualified domain names.
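The same two registrations with a duplicate check, as an added PowerShell example that is not part of the original page. It looks each SPN up in the directory first and registers it with `setspn -S`, which checks for an existing registration before adding (older versions of `-A` do not). The account and host names are the page's placeholders, and the search covers only the current domain.

```powershell
# Added example, not from the original page. Account and host names are the
# page's placeholders; replace them before use. Run as a user who is allowed
# to write servicePrincipalName on the target account.
$Account   = 'domain\customAccountName'
$HostNames = 'webservername', 'webservername.fullyqualifieddomainname'
$Sam       = $Account.Split('\')[-1]   # sAMAccountName part of DOMAIN\name

foreach ($h in $HostNames) {
    $spn = "HTTP/$h"

    # Find every object in the current domain that already holds this SPN.
    # (HTTP/<host> contains no LDAP filter metacharacters, so no escaping.)
    $holders = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    if ($holders -contains $Sam) {
        Write-Host "$spn is already registered to $Account"
        continue
    }
    if ($holders.Count -gt 0) {
        # A second registration would create a duplicate SPN, and Kerberos
        # authentication fails for an SPN that maps to more than one account.
        Write-Warning "$spn is held by: $($holders -join ', '); not registering"
        continue
    }

    # -S adds the SPN only after setspn's own duplicate check passes.
    & setspn.exe -S $spn $Account
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "setspn reported a failure for $spn (exit code $LASTEXITCODE)"
    }
}

# List the SPNs now registered on the account to confirm the result.
& setspn.exe -L $Account
```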

Last edited Jun 13, 2008 at 6:36 PM by prashantbansode, version 1

