Service Principal Name: How to add or reset and delete SPNs

Posted on 02/09/2021, last updated 09/07/2025, by Christian

In this article, we shall discuss the steps for adding, resetting and deleting Service Principal Names. A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account, for example to enable the MBAM server to authenticate communication from the Administration and Monitoring Website and the Self-Service Portal. Please see “MBAM components: How to deploy Microsoft BitLocker Administration and Monitoring Tool, and how to fix a vulnerable Trusted Platform Module [TPM]”.

You must register a Service Principal Name (SPN) for the hostname or FQDN under the domain account that you are using for the web application pool (in my case MBAM-IISAP-SVC). This allows a client application to request that the service authenticate an account even if the client does not have the account name.

Service Principal Names (SPNs) are recorded in the Active Directory (AD) database, which shows which services are registered to which accounts. In an Active Directory environment, they are stored on each of the domain controllers.

The following guides also discuss SPNs: FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B, unable to locate account, and How to configure a service account for Kerberos delegation.

What is Kerberos?

Kerberos is an open, binary protocol whose messages are encoded in ASN.1. The core of Kerberos is the key distribution center (KDC) service, which listens on ports 88/TCP and 88/UDP. To learn about the various types of Kerberos delegation, kindly refer to this guide: All that you need to know about the Kerberos delegation.

Setspn is a command-line tool that is built into Windows Server 2008 and later. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use it, run the setspn command from an elevated command prompt. See how to configure a service account for Kerberos delegation.

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Kerberoasting Attack: Exploiting SPNs and Offline Password Cracking

Note: Requesting a service ticket for an SPN via Kerberos returns a ticket that is encrypted with a key derived from the service account’s password, which can then be brute-forced offline. This is how Kerberoasting works. Furthermore, there is a way to perform the Kerberoasting attack without knowing the SPNs of the target services. I’ll show how it could be done, how it works, and when it could be useful.

Note: SetSPN can also be run with an account name and no switch; it then does not set an SPN but lists the SPNs that have been set on that account.
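Because any account that carries an SPN can have a service ticket requested for it, the defensive counterpart to the note above is to know which user accounts in your domain have SPNs and whether they are protected by a strong, recently rotated password and AES ticket encryption. The following PowerShell report is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain. The password-age threshold and the "findings" wording are this example's own choices. Computer accounts are excluded because Get-ADUser only returns user objects, and group managed service accounts (gMSA) are a better fix for the underlying problem than any threshold.

```powershell
# Added example (not from the original post): list user accounts that carry SPNs
# and flag the ones a defender should review first.
# Assumes: ActiveDirectory RSAT module present, read access to the domain.
Import-Module ActiveDirectory

# msDS-SupportedEncryptionTypes is a bit mask; these flag values are documented by Microsoft.
$AES128 = 0x08
$AES256 = 0x10

$maxPasswordAgeDays = 365   # constructed threshold for "rotated recently enough"

$accounts = Get-ADUser -Filter 'servicePrincipalName -like "*"' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount, Enabled

$report = foreach ($u in $accounts) {
    $enc = $u.'msDS-SupportedEncryptionTypes'
    # Null means the attribute was never set and the domain default applies; treat as "review".
    $aes = ($null -ne $enc) -and (($enc -band ($AES128 -bor $AES256)) -ne 0)
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days } else { $null }

    $findings = @()
    if (-not $aes)                                                { $findings += 'AES not enabled on the account (RC4 tickets possible)' }
    if ($null -eq $ageDays -or $ageDays -gt $maxPasswordAgeDays)  { $findings += "password older than $maxPasswordAgeDays days" }
    if ($u.AdminCount -eq 1)                                      { $findings += 'privileged account (adminCount=1)' }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNs            = ($u.servicePrincipalName -join '; ')
        PasswordAgeDays = $ageDays
        AES             = $aes
        Findings        = ($findings -join '; ')
    }
}

# Accounts with the most findings first.
$report | Sort-Object { $_.Findings.Length } -Descending | Format-Table -AutoSize
```

Run it from a management workstation as a normal domain user; no elevated rights are needed to read these attributes. Anything that shows up as privileged, with an old password and without AES, is the account to fix first (rotate the password, enable AES on the account, or migrate the service to a gMSA).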

HTTP is the service class in these examples. Note that the Report Server Web service runs in HTTP.SYS, so creating an SPN for HTTP grants tickets to domain user accounts for all web apps on the same computer running in HTTP.SYS (including IIS-hosted apps).

Authentication requests will fail if those services run under a different account. To avoid this problem, be sure to configure all HTTP applications to run under the same account, or consider creating host headers for each application and then creating a separate SPN for each host header. Configuring host headers requires DNS changes, regardless of the Reporting Services configuration.

The values you specify for <computername> and <domainname> identify the unique network address of the computer hosting the report server.

This can be a local hostname or a fully qualified domain name (FQDN). You can omit <domainname> from your command line if you only have one domain. <domain-user-account> is the account under which the Report Server service runs and under which the SPN must be registered.

How to add or Register SPNs

To register an SPN manually, we can use the Microsoft-provided Setspn.exe utility. To run this tool and register an SPN, you need to be a domain admin or have the appropriate privileges. Note that the -s option checks for an existing (duplicate) SPN before creating the new one. The common SetSPN switches are:

-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

To add an SPN, use the setspn -s service/name hostname command at a command prompt, where service/name is the SPN that you want to add, and hostname is the actual hostname of the computer object that you want to update.

To configure your SPN using your FQDN, use the syntax below, substituting your own values for the placeholders. In my environment the fully qualified domain name is mbamserv1.techdirectarchi.local, and the domain account used for the web application pool is techdirectarchi\MBAM-IISAP-SVC.

setspn.exe -S http/MBAM.yourdomain.suffix YourDomain\MBAM-IISAP-SVC

Note: If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in your organization to create the SPN for you using the same command. To set the SPN for your NetBIOS hostname, use the command below.

setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC

Case sensitivity of SPNs across different systems

Service Principal Names (SPNs) are not case-sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any computer system.

Many of these computer systems, especially UNIX-based systems, are case-sensitive and require the proper case to function properly. Care should be taken to use the proper case, particularly when a non-Windows-based computer can use an SPN.

The table below shows the various ways you can register an SPN in your environment.

Register an SPN for the NetBIOS host name:
    setspn -s http/nbname01 contoso\mbamapppooluser
    (The NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.)

Register an SPN for the fully qualified domain name:
    setspn -s http/nbname01.corp.contoso.com contoso\mbamapppooluser
    (The fully qualified domain name is nbname01.corp.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.)
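The NetBIOS and FQDN registrations above, the listing with setspn -L further down, and the duplicate sweep with setspn -X from the summary are usually done together, so here they are as one script. This is an added example, not code from the original post; the host, DNS suffix and account names are constructed placeholders, and it assumes setspn.exe is on the path and the caller has rights to write the servicePrincipalName attribute of the account. It queries each SPN first with setspn -Q so that, if the name is already owned by another account, you see that owner instead of a bare "duplicate" abort.

```powershell
# Added example (not from the original post): register the HTTP SPNs for an IIS
# application pool account for both the NetBIOS name and the FQDN, refusing to
# touch an SPN that already exists on some other account.
# Placeholder values; replace with your own host, suffix and service account.
$hostName  = 'mbamserv1'
$dnsSuffix = 'techdirectarchi.local'
$account   = 'techdirectarchi\MBAM-IISAP-SVC'

$spns = @("http/$hostName", "http/$hostName.$dnsSuffix")

function Test-SpnRegistered {
    # setspn -Q searches the whole domain and prints "Existing SPN found!" when the
    # SPN is already registered anywhere, "No such SPN found." otherwise.
    param([string]$Spn)
    $out = & setspn.exe -Q $Spn 2>&1
    return [bool]($out -match 'Existing SPN found')
}

foreach ($spn in $spns) {
    if (Test-SpnRegistered $spn) {
        Write-Warning "$spn is already registered in the domain; current owner:"
        & setspn.exe -Q $spn          # prints the DN of the account that holds it
        continue
    }
    # -S performs its own duplicate check as well; -Q above is only to show the owner.
    & setspn.exe -S $spn $account
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $account failed with exit code $LASTEXITCODE" }
}

# Verify what ended up on the account, then sweep the domain for duplicates.
& setspn.exe -L $account
& setspn.exe -X
```

If setspn -X reports a duplicate after the run, resolve it by deleting the wrong registration with setspn -D from the account that should not hold it; Kerberos cannot pick between two accounts for the same SPN and the client will fall back to NTLM or fail.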

Adding an entry to an account (explicitly) using the -A switch

Below is the error I encountered when installing Trellix ePO. Please, see  common Trellix ePolicy Orchestrator Errors that you might encounter during Installation,  how to upgrade Trellix ePolicy Orchestrator, and Trellix ePolicy Orchestrator Installation on Windows Server.

The SQL Server Network Interface library could not register the Service Principal Name (SPN) [ MSSQLSvc/xxx.xx.xxx.de:1434 ] for the SQL Server service. Windows return code: 0x200b, state: 15. Failure to register a SPN might cause integrated authentication to use NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies and if the SPN has not been manually registered.

To resolve this error, I explicitly created an SPN for the SQL service account using the command below. You can take a look at this guide for more information: How to fix MSIEXEC returned 1602: Trellix Setup cannot use this account.

setspn -A MSSQLSvc/yourserver.domain.com:1433 DOMAIN\SQLServiceAccount

How to view SPNs

To view a list of the SPNs that a computer has registered with Active Directory, use the setspn -l hostname command at a command prompt, where hostname is the actual hostname of the computer object that you want to query.

To list the SPNs registered for a specific server, run the following, where mbamserv1 is the name of my server. Please substitute your own server name.

SETSPN -L mbamserv1

When you should modify an SPN

It is not usually necessary to modify SPNs. Most times, they are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information can become stale.

For instance, if the computer name is changed, the SPNs registered for the installed services must be changed to match the new computer name. Also, some services and applications may require manual modification of a service account’s SPN information to authenticate correctly.

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account.


Reset an SPN

If the SPNs that you see for your server display what seem to be incorrect names, consider resetting the computer to use the default SPNs.

To reset the default SPN values, use the setspn -r hostname command at a command prompt, where hostname is the actual host name of the computer object that you want to update.

setspn -r mbamserv1

Delete an SPN

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. Below is how you would delete an SPN.

setspn -d http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC

SPN Edit Mode Parameters

Edit Mode Parameters

<Computer>   Specifies the Active Directory account object for which to configure the Service Principal Names (SPNs). Normally, this is the NetBIOS name of the computer and, optionally, the domain that contains the computer account. However, any Active Directory object name can be used.

-l           Lists the currently registered SPNs for the computer.
             Usage: setspn -l accountname

-r           Resets the default SPN registrations for the host names of the computer.
             Usage: setspn -r accountname
             For example, to register the SPNs “HOST/daserver1” and “HOST/{DNS of daserver1}”: setspn -R daserver1

-d <SPN>     Deletes the specified SPN for the computer.
             Usage: setspn -d SPN accountname
             For example, to delete the SPN “http/daserver” for computer “daserver1”: setspn -D http/daserver daserver1

-s <SPN>     Adds the specified SPN for the computer, after verifying that no duplicates exist.
             Usage: setspn -s SPN accountname
             For example, to register the SPN “http/daserver” for computer “daserver1”: setspn -S http/daserver daserver1

-?           Displays help at the command prompt. This parameter is the default: running setspn without any parameter displays the command-line usage.

SPN Mode modifiers

Edit Mode modifiers

-C           Specifies that accountname is a computer account.

-U           Specifies that accountname is a user account.
             For example, to register the SPN “http/daserver” for user account “dauser”: setspn -U -S http/daserver dauser

Note: Setspn also has an -A switch that you can use to add SPNs, but you should use Setspn -S instead, because -S will verify that there are no duplicate SPNs.

However, if you are using Windows Server 2003 or earlier, you will not be able to use the -S switch because it is not available for that platform. In the case where you cannot use -S, then you should manually verify that there are no duplicate SPNs by first running Setspn -L.

SPN Format (Other Scenario)

The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value. Unless the port or service name is non-standard, you do not have to enter them when you use setspn.

For example, a server named RDS01 that provides Remote Desktop (RDP) services over the default port (TCP 3389) registers the following two default SPNs in its own Active Directory computer object.

Netbios format:         TERMSRV/RDS01
FQDN format:            TERMSRV/RDS01.techdirectarchive.com

To add these records manually, we follow the same format as above, giving the computer account (RDS01) as the account name:

setspn.exe -S TERMSRV/RDS01 RDS01
setspn.exe -S TERMSRV/RDS01.techdirectarchive.com RDS01
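To make the serviceclass/host:port/servicename format concrete, here is a small PowerShell parser for it together with a helper that derives the NetBIOS and FQDN pair shown above for RDS01. This is an added example, not code from the original post or from Microsoft; the function names are this example's own and the sample SPNs are constructed. It goes slightly beyond the text by also handling the optional :port and /servicename fields, which the MSSQLSvc error message earlier on this page (MSSQLSvc/host:1434) uses.

```powershell
# Added example (not from the original post): parse an SPN into its parts and
# derive the default NetBIOS + FQDN SPN pair for a service.

function ConvertFrom-Spn {
    # Splits serviceclass/host[:port][/servicename] into a structured object.
    param([Parameter(Mandatory)][string]$Spn)

    # At most three '/'-separated fields; a servicename may not contain '/'.
    $parts = $Spn -split '/', 3
    if ($parts.Count -lt 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Not a valid SPN: '$Spn' (expected serviceclass/host[:port][/servicename])"
    }

    $hostPart = $parts[1]
    $port = $null
    # The host field may carry an explicit port, e.g. sqlhost.example.local:1434
    if ($hostPart -match '^(?<h>[^:]+):(?<p>\d+)$') {
        $hostPart = $Matches.h
        $port     = [int]$Matches.p
    }
    $serviceName = if ($parts.Count -eq 3) { $parts[2] } else { $null }

    [pscustomobject]@{
        ServiceClass = $parts[0]
        Host         = $hostPart
        Port         = $port              # $null when the default port is implied
        ServiceName  = $serviceName       # $null unless a third field is present
        IsFqdn       = $hostPart.Contains('.')
    }
}

function Get-DefaultSpnPair {
    # Returns the NetBIOS-form and FQDN-form SPNs a service should carry,
    # appending :port only when a non-default port is given.
    param(
        [Parameter(Mandatory)][string]$ServiceClass,
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$DnsSuffix,
        [int]$Port = 0
    )
    $suffix = if ($Port -gt 0) { ":$Port" } else { '' }
    @("$ServiceClass/$HostName$suffix", "$ServiceClass/$HostName.$DnsSuffix$suffix")
}

# Constructed sample inputs (not real hosts).
$samples = @(
    'TERMSRV/RDS01',
    'TERMSRV/RDS01.techdirectarchive.com',
    'MSSQLSvc/sqlhost.example.local:1434',
    'http/mbamserv1',
    'ldap/dc01.example.local/example.local'
)
$samples | ForEach-Object { ConvertFrom-Spn $_ } | Format-Table -AutoSize

Get-DefaultSpnPair -ServiceClass TERMSRV  -HostName RDS01   -DnsSuffix techdirectarchive.com
Get-DefaultSpnPair -ServiceClass MSSQLSvc -HostName sqlhost -DnsSuffix example.local -Port 1433
```

Feeding the output of setspn -L through ConvertFrom-Spn is a quick way to spot registrations whose host part is neither the NetBIOS name nor the FQDN of the account's computer, which is exactly the stale state the "When you should modify an SPN" section describes.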

Create an alias name for a server

To make a server reachable under an alias, create a CNAME record (not a normal Host (A) record) in DNS.

Set the DisableStrictNameChecking value in the registry:

Key:        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Value name: DisableStrictNameChecking
Data type:  REG_DWORD
Value:      1

On the server, create SPNs for the flat name and the fully qualified name of the CNAME alias:

setspn -S host/your_ALIAS_name ServerName
setspn -S host/your_ALIAS_name.domain.com ServerName

Then reboot the host.
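The four alias steps above (CNAME, registry value, two SPNs, reboot) as one PowerShell script. This is an added example, not code from the original post; the alias, zone, server and DNS server names are constructed placeholders. It assumes the DnsServer RSAT module for the CNAME step and local administrator rights on the target host for the registry change, and that the computer account of the server is the one that should own the HOST SPNs.

```powershell
# Added example (not from the original post): make a file/web server answer to a
# CNAME alias under Kerberos.
# Placeholder names; replace with your own.
$alias      = 'fileshare'                   # name clients will use
$zone       = 'techdirectarchive.com'       # DNS zone holding the CNAME
$serverName = 'FS01'                        # real NetBIOS name of the host
$serverFqdn = "$serverName.$zone"
$dnsServer  = "dc01.$zone"                  # DNS server to write the record on

# 1. CNAME (not an A record) pointing the alias at the server's real name.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $serverFqdn -ComputerName $dnsServer

# 2. Allow the SMB server to answer to a name other than its own.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
New-ItemProperty -Path $regPath -Name DisableStrictNameChecking -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Register HOST SPNs for the flat and fully qualified alias on the server's computer account.
#    -S aborts if the SPN already exists on another account, which is what we want.
foreach ($spn in @("host/$alias", "host/$alias.$zone")) {
    & setspn.exe -S $spn $serverName
    if ($LASTEXITCODE -ne 0) { throw "setspn -S $spn $serverName failed with exit code $LASTEXITCODE" }
}

# 4. Show the result, then reboot so the registry change takes effect.
& setspn.exe -L $serverName
Restart-Computer -Confirm
```

After the reboot, a client that opens \\fileshare should get a Kerberos ticket for host/fileshare rather than falling back to NTLM; klist on the client will show the ticket if it worked.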

Summary

SetSPN is free, and it is already installed on your Windows PC or Server. You can run SetSPN from member servers or workstations. It can be used to add Service Principal Names to an AD account, as well as delete them and search for duplicate SPNs that are in the domain.

Duplicate SPNs will cause Kerberos to fail and fall back to NTLM; run setspn -x periodically to check for this.

I hope you found this blog post on “Service Principal Name: How to add or reset and delete SPNs” helpful. If you have any questions, please let me know in the comment section.

Comments (2) on “Service Principal Name: How to add or reset and delete SPNs”

Ted says (24/10/2023 at 4:09 PM):
Thanks Christian, this is really helpful information.

Christian says (25/10/2023 at 6:59 PM):
You are welcome, Ted!
