AD DS: An account or accounts trust(s) this unregistered SPN for delegation

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

Operating System

Windows Server 2008 R2

Windows Server 2012

Product/Feature

Active Directory Domain Services (AD DS)

Severity

Warning

Category

Configuration

Issue

An account in this domain trusts a service principal name (SPN) for delegation, but the SPN is not registered to an account.

When an account trusts an unregistered SPN for delegation, the service that uses that account can fail.

Another possibility is that a service has been decommissioned but the SPN for that service has not been removed from Active Directory.

Impact

If there is no SPN registered for the trusted service, this service will not be able to impersonate the client to make connections to other services.

Resolution

Register the SPN to the appropriate account using Setspn.exe. Test the application to ensure that delegation works correctly.

SPNs are set up by a computer when it joins a domain and when services are installed on the computer. As an alternative, you can use Setspn.exe to list, add, or delete SPNs for an account. You can run setspn /S to verify that the SPN you are adding is not a duplicate. Remove an SPN if the service is no longer being used.

For information about delegating the permissions to modify SPNs, see the “Delegating Authority to Modify SPNs” section in Setspn (https://go.microsoft.com/fwlink/?LinkID=143939).

To list SPNs for an account

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Use the following syntax for the setspn /L command:

    setspn /L <account>

    For example, to list all SPNs on a computer named server1, at a command prompt, type the following command, and then press ENTER:

    setspn /L server1

    To list all SPNs for a user account named sqlservice, at a command prompt, type the following command, and then press ENTER:

    setspn /L sqlservice

To add an SPN after checking for duplicates

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Use the following syntax for the setspn /S command:

    setspn [/T <domain> or *] [/F] /S <spn> <computer>

    The /T and /F parameters are optional query-mode modifiers to limit the scope of the search for duplicates to the domain or forest, respectively.

    For example, to add an SPN named MSSQLSVC/server1 to a computer named server1 after checking the current domain for duplicates, at a command prompt, type the following command, and then press ENTER:

    setspn /T * /S MSSQLSVC/server1 server1

    To add an SPN named MSSQLSVC/server1 to a computer named server1 after checking the forest for duplicates, at a command prompt, type the following command, and then press ENTER:

    setspn /F /S MSSQLSVC/server1 server1

To delete an SPN for an account

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed, and then open an elevated command prompt. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Use the following syntax for the setspn /D command:

    setspn /D <spn> <computer>

    For example, to delete an SPN named MSSQLSVC/server1 from an account named sqlservice, at a command prompt, type the following command, and then press ENTER:

    setspn /D MSSQLSVC/server1 sqlservice

To remove a decommissioned SPN for an account

  1. Log on to an administrative workstation that has Active Directory Domain Services Tools installed. Active Directory Domain Services Tools are installed by default on domain controllers and they are also included with the Remote Server Administration Tools. For more information about how to obtain Remote Server Administration Tools, see Additional references.

  2. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  3. Expand the domain container and click Computers, or browse to the account that trusts the unregistered SPN for delegation. Right-click the name of the host computer, and then click Properties.

  4. Click Delegation, and in Services to which this account can present delegated credentials, select the decommissioned SPN.

  5. Click Remove, click Apply, and then click OK.

  6. Close Active Directory Users and Computers.
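The check behind this BPA rule, scripted as an added example that is not part of this topic: it reads the msDS-AllowedToDelegateTo list of every account in the current domain (the "Services to which this account can present delegated credentials" list on the Delegation tab) and looks each SPN up against the forest global catalog, so any SPN with no owner is one to register with setspn /S or remove from the Delegation tab. It assumes the ActiveDirectory PowerShell module from Remote Server Administration Tools and a domain-joined, elevated session; the function name ConvertTo-LdapFilterValue is the example's own.

```powershell
# Added example (not from the original topic). Reports SPNs that accounts trust for
# delegation but that no account in the forest has registered.
Import-Module ActiveDirectory

# Escape the characters that are special in an LDAP filter (RFC 4515) so an SPN read
# from the directory can be embedded in a query safely. Backslash must go first.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Query the global catalog (port 3268) so an SPN registered in any domain of the
# forest counts as registered; servicePrincipalName is part of the GC attribute set.
$gc = "$((Get-ADForest).Name):3268"

# msDS-AllowedToDelegateTo is not replicated to the GC, so read it from the current
# domain. Run once per domain to cover a multi-domain forest.
$trusting = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, sAMAccountName

$findings = foreach ($acct in $trusting) {
    foreach ($spn in $acct.'msDS-AllowedToDelegateTo') {
        $filter = "(servicePrincipalName=$(ConvertTo-LdapFilterValue $spn))"
        $owner = Get-ADObject -Server $gc -LDAPFilter $filter -ResultSetSize 1
        if (-not $owner) {
            # This SPN is trusted for delegation but no account owns it: the case the
            # rule flags. Register it (setspn /S) or remove it from the Delegation tab.
            [pscustomobject]@{
                TrustingAccount = $acct.sAMAccountName
                UnregisteredSpn = $spn
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No unregistered delegated SPNs found.' }
```

The lookup is exact-match, so an account that trusts MSSQLSVC/server1 while only MSSQLSVC/server1.contoso.com is registered is reported, which is the mismatch that breaks delegation.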

Additional references

Setspn (https://go.microsoft.com/fwlink/?LinkID=143939)