setspn

Query or reset the computer's SPN attribute


setspn

  • C:\Windows\system32\setspn.exe /?

Output:

Usage: C:\Windows\system32\setspn.exe [modifiers switch] [accountname]
  Where "accountname" can be the name or domain\name
  of the target computer or user account

  Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
    Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
    Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
    Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
    Usage:   setspn [-L] accountname  

  Edit Mode Modifiers:
   -C = specify that accountname is a computer account
   -U = specify that accountname is a user account
  
    Note: -C and -U are exclusive.  If neither is specified, the tool
     will interpret accountname as a computer name if such a computer
     exists, and a user name if it does not.

  Query Mode Switches:
   -Q = query for existence of SPN
    Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
    Usage:   setspn -X

    Note: searching for duplicates, especially forestwide, can take
     a long period of time and a large amount of memory.  -Q will execute
     on each target domain/forest.  -X will return duplicates that exist
     across all targets. SPNs are not required to be unique across forests,
     but duplicates can cause authentication issues when authenticating
     cross-forest.

  Query Mode Modifiers:
   -P = suppresses progress to the console and can be used when redirecting
    output to a file or when used in an unattended script.  There will be no
    output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the speicified domain or forest (when -F is also used)
    Usage:   setspn -T domain (switches and other parameters)
     "" or * can be used to indicate the current domain or forest.

    Note: these modifiers can be used with the -S switch in order to specify
     where the check for duplicates should be performed before adding the SPN.
    Note: -T can be specified multiple times.

Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the domain
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
    if no such SPN exists in the forest
setspn -U -S http/daserver dauser
   It will register SPN "http/daserver" for user account "dauser"
    if no such SPN exists in the domain
setspn -T * -T bar -X
   It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
   It will find all SPNs of the form */daserver registered in the forest to
    which bar belongs

Return Code: 2


C:\Windows\system32\setspn.exe
c:\>ver
Microsoft Windows [Version 10.0.19045.2075]

FileInfo

  File Size:      30720 bytes
  Creation Time:  2019/12/07 18:09:27
  LastWrite Time: 2019/12/07 18:09:27
  ProductVersion: 10.0.19041.1
  FileVersion:    10.0.19041.1 (WinBuild.160101.0800)