Query or reset the computer’s SPN attribute
setspn

Command:

```text
C:\Windows\system32\setspn.exe /?
```

Output:

```text
Usage: C:\Windows\system32\setspn.exe [modifiers switch] [accountname]
  Where "accountname" can be the name or domain\name
  of the target computer or user account

  Edit Mode Switches:
   -R = reset HOST ServicePrincipalName
        Usage:   setspn -R accountname
   -S = add arbitrary SPN after verifying no duplicates exist
        Usage:   setspn -S SPN accountname
   -D = delete arbitrary SPN
        Usage:   setspn -D SPN accountname
   -L = list SPNs registered to target account
        Usage:   setspn [-L] accountname

  Edit Mode Modifiers:
   -C = specify that accountname is a computer account
   -U = specify that accountname is a user account

   Note: -C and -U are exclusive.  If neither is specified, the tool
    will interpret accountname as a computer name if such a computer
    exists, and a user name if it does not.

  Query Mode Switches:
   -Q = query for existence of SPN
        Usage:   setspn -Q SPN
   -X = search for duplicate SPNs
        Usage:   setspn -X

   Note: searching for duplicates, especially forestwide, can take
    a long period of time and a large amount of memory.  -Q will execute
    on each target domain/forest.  -X will return duplicates that exist
    across all targets.  SPNs are not required to be unique across forests,
    but duplicates can cause authentication issues when authenticating
    cross-forest.

  Query Mode Modifiers:
   -P = suppresses progress to the console and can be used when redirecting
        output to a file or when used in an unattended script.  There will be no
        output until the command is complete.
   -F = perform queries at the forest, rather than domain level
   -T = perform query on the speicified domain or forest (when -F is also used)
        Usage:   setspn -T domain (switches and other parameters)
        "" or * can be used to indicate the current domain or forest.

   Note: these modifiers can be used with the -S switch in order to specify
    where the check for duplicates should be performed before adding the SPN.
   Note: -T can be specified multiple times.

Examples:
setspn -R daserver1
   It will register SPN "HOST/daserver1" and "HOST/{DNS of daserver1}"
setspn -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
   if no such SPN exists in the domain
setspn -D http/daserver daserver1
   It will delete SPN "http/daserver" for computer "daserver1"
setspn -F -S http/daserver daserver1
   It will register SPN "http/daserver" for computer "daserver1"
   if no such SPN exists in the forest
setspn -U -S http/daserver dauser
   It will register SPN "http/daserver" for user account "dauser"
   if no such SPN exists in the domain
setspn -T * -T bar -X
   It will report all duplicate registration of SPNs in this domain and bar
setspn -T bar -F -Q */daserver
   It will find all SPNs of the form */daserver registered in the forest to
   which bar belongs
```

Return Code: 2
File: C:\Windows\system32\setspn.exe

Environment:

```text
c:\>ver
Microsoft Windows [Version 10.0.19045.2075]
```

| File | Info |
|---|---|
| File Size | 30720 bytes |
| Creation Time | 2019/12/07 18:09:27 |
| LastWrite Time | 2019/12/07 18:09:27 |
| ProductVersion | 10.0.19041.1 |
| FileVersion | 10.0.19041.1 (WinBuild.160101.0800) |

| Hash | Value |
|---|---|
| MD5 | 9dec0f79d40fb78ba94e770e2d8d942b |
| SHA1 | 68a1857d6f40fd5f6cbc05d49896f71db556b16e |
| SHA224 | 4d096e217f2abd55ff26e23250ecd3d83f41be120c6e80eb23bb3e4d |
| SHA256 | 3ee597fa9b3333ab491807f48aec985c4429f975e0dabce2af0ccaa182628884 |
| SHA384 | 4521fc148b23beca34251d704097ddb90ac3c1d5faeac00f07a7de1f67f61172adec653fa761c9b8fc9817c4d3fb310d |
| SHA512 | 23871330177e9ef9b33cae1be74c9a4bfa57496f879880ef7b8502422d3ff9be6562659e1ecdbba984bc8b0355be10198f9c546d7b904d566cdd828802892af1 |