A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account, which lets a client request a ticket for the service without knowing which account the service runs as. Setspn is a command-line tool built into Windows Server 2008 and later; it is available when the Active Directory Domain Services (AD DS) server role is installed. To learn about the various types of Kerberos delegation, refer to this guide: All that you need to know about the Kerberos delegation.
To use setspn, you must run the setspn command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator. Running elevated is not enough on its own: the user you run setspn as also needs write access to the servicePrincipalName attribute of the target account in Active Directory, which is why the note further down refers you to a Domain Admin if you do not have it. Also refer to the following related content: Event ID 5059: Application pool has been disabled, Changing identity user for IIS Application Pool, how to install Pleasant Password Server, how to perform redirection from HTTP to HTTPS, how to create a self-signed certificate using PowerShell, how to configure SSL between WSUS upstream and downstream servers, and how to set up and configure Windows Server Update Services (WSUS).
The following error can be caused by several different issues. In my case, I had no permission issue, and the environment and service accounts were all available and correctly configured to run the setspn command, yet it failed with the following error: “FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B. Unable to locate account MBAM-IISAP-SVC”. Return value 0x0000054B is Win32 error 1355, ERROR_NO_SUCH_DOMAIN (“The specified domain either does not exist or could not be contacted”), so the failure is in locating a domain controller for the domain named in the account argument, not in the account itself.
Note: If you do not have the rights to create SPNs, ask the Domain Admins in your organisation to create the SPN for you using the command shown below. The command below registers the SPN for the NetBIOS hostname.
Review the setspn command you are using to register the Service Principal Name (SPN) for the hostname or FQDN under the domain account. As you can see in the image above, the error was in the domain part of the account name: I was using “techdirectarchive\MBAM-IISAP-SVC” instead of “techdirectarchi\MBAM-IISAP-SVC”. A NetBIOS domain name is limited to 15 characters, so a domain whose DNS name is longer than that ends up with a truncated NetBIOS name, and the domain part of the account argument must be a name the domain locator can resolve, normally that NetBIOS name. The extra “ve” made setspn look for a domain that does not exist, which is exactly what 0x0000054B reports. This is very easy to miss if you are used to typing the DNS domain name. Once I noticed this, I ran the command again and it succeeded.
setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC
This lets the MBAM server authenticate Kerberos requests from the Administration and Monitoring Website and the Self-Service Portal. You must register the SPN for the hostname (and for the FQDN, if clients connect by FQDN) under the domain account that the web application pool runs as; in my case that is the MBAM-IISAP-SVC account used in the command above. The KDC encrypts the service ticket with the key of the account that holds the SPN, so if the SPN sits on the wrong account (for example on the computer account while the pool runs as a domain user), Kerberos to the site fails and browsers typically fall back to NTLM. Use setspn -S rather than -A: -S checks the forest for an existing registration of the same SPN and refuses to create a duplicate, and duplicate SPNs break Kerberos for both accounts.
To list the SPNs registered to an account (a computer account such as mbamserv1, or a user account), run the following. Note that -L takes an account name: querying the computer shows the SPNs on the mbamserv1 computer account, while the http SPN registered above lives on the MBAM-IISAP-SVC account, so list that account to confirm the registration.
SETSPN -L mbamserv1
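The whole procedure above (confirm the domain and account, register with -S, then verify) as a PowerShell script. This is an added example, not the post's own code. It assumes a domain-joined host, a user with write access to servicePrincipalName on the target account, and setspn.exe on the path; it derives the NetBIOS domain name from AD instead of hard-coding “techdirectarchi”, so the DNS-versus-NetBIOS mix-up that produced 0x0000054B is caught before setspn runs. The hostname and account name are the ones from the post; the FQDN form it also registers is built from the current domain's DNS name, which the post does not show.

```powershell
# Added example (not from the original post). Assumptions: domain-joined host,
# caller may write servicePrincipalName on the target account, setspn.exe on PATH.
# HostName and AccountName defaults are the values used in the post.

function Get-NetbiosDomainName {
    # The NetBIOS name lives on the crossRef object for the domain partition
    # under CN=Partitions in the configuration naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configNC"
    $searcher.Filter = "(&(objectClass=crossRef)(nCName=$domainNC))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Could not find crossRef for $domainNC" }
    return [string]$result.Properties['netbiosname'][0]
}

function Get-AccountSpns {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Confirm the service account exists and read its current SPNs.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in the domain" }
    return @($result.Properties['serviceprincipalname'])
}

function Register-HttpSpn {
    param(
        [string]$HostName    = 'mbamserv1',      # from the post
        [string]$AccountName = 'MBAM-IISAP-SVC'  # from the post
    )
    $netbios = Get-NetbiosDomainName
    $dnsName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    Write-Host "NetBIOS domain: $netbios   DNS domain: $dnsName"

    $before = Get-AccountSpns -SamAccountName $AccountName
    Write-Host "Existing SPNs on ${AccountName}: $($before -join ', ')"

    # Register both the short-name and FQDN forms so clients get a ticket
    # whichever name they use. -S checks for duplicates before adding; the
    # same SPN on two accounts would make the KDC's choice of key ambiguous.
    foreach ($spn in @("http/$HostName", "http/$HostName.$dnsName")) {
        if ($before -contains $spn) { Write-Host "$spn already registered"; continue }
        & setspn.exe -S $spn "$netbios\$AccountName"
        if ($LASTEXITCODE -ne 0) {
            throw "setspn -S $spn failed (exit $LASTEXITCODE); check who holds it with: setspn -Q $spn"
        }
    }

    # Verify from the account side (what the post does with -L) ...
    & setspn.exe -L "$netbios\$AccountName"
    # ... and from the SPN side: -Q shows which account(s) currently hold it.
    & setspn.exe -Q "http/$HostName"
}

Register-HttpSpn
```

If the domain lookup throws, or the printed NetBIOS name is not what you were typing, that is the same condition the post hit: the account argument names a domain the locator cannot find. Running setspn -Q before -S is also the quickest way to see whether the SPN is already held by the computer account or another service account.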
Note: If the logon account of a service instance changes, the SPNs must be removed from the old account and re-registered under the new one; the KDC issues tickets for an SPN using the key of whichever account currently holds it.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.