Windows

Service Principal Name: How to add, reset and delete SPNs

hero_activedirectory

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. Service principal names (SPNs) are records in an Active Directory (AD) database that show which services are registered to which accounts. In the Active Directory environment, they are installed on each of the domain controllers. The following guides discuss SPNs: FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B, unable to locate account, and how to deploy Microsoft BitLocker Administration and Monitoring Tool

Kerberos is an open-source binary protocol based on the ASN.1 format. The core of Kerberos is key distribution center (KDC) services, which use 88/TCP and 88/UDP ports.

– Setspn is a command-line tool that is built into Windows Server 2008. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use setspn, you must run the setspn command from an elevated command prompt. See how to configure a service account for the Kerberos delegation.

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account.
Note: If an account has an SPN or multiple SPNs, you can request a service ticket to one of these SPNs via Kerberos, and since a part of the service ticket will be encrypted with the key derived from the account’s password, you will be able to brute force this password offline. This is how Kerberoasting works. There is a way to perform the Kerberoasting attack without knowing SPNs of the target services. I’ll show how it could be done, how it works, and when it could be useful.

Note: SetSPN can be used with no switch, but then it doesn’t set an SPN, it displays them. This will display all SPNs that have been set on the service account.

HTTP is the service class. The Report Server Web service runs in HTTP.SYS. A by-product of creating an SPN for HTTP is that all Web applications on the same computer run in HTTP.SYS (including applications hosted in IIS) will be granted tickets based on the domain user account. If those services run under a different account, the authentication requests will fail. To avoid this problem, be sure to configure all HTTP applications to run under the same account, or consider creating host headers for each application and then creating separate SPNs for each host header. When you configure host headers, DNS changes are required regardless of the Reporting Services configuration.

The values that you specify for <computername> and <domainname> identify the unique network address of the computer that hosts the report server. This can be a local hostname or a fully qualified domain name (FQDN). If you only have one domain, you can omit <domainname> from your command line. <domain-user-account> is the user account under which the Report Server service runs and for which the SPN must be registered.

How to add or Register SPNs

To register an SPN manually we can use the Microsoft provided Setspn.exe utility. To be able to run this tool and register an SPN you need to be a domain admin or have the appropriate privileges. Other thing to note is that the -s option ensures that the SPN you are trying to create is not already defined.

Here are the most common switches used with SetSPN:
-a    Add an entry to an account (explicitly)
-s    Add an entry to an account (only after checking for duplicates first)
-d    Delete an entry from an account
-x    Search the domain for duplicate SPNs
-q    Query the domain for a specific SPN

To add an SPN, use the setspn -s service/name hostname command at a command prompt, where service/name is the SPN that you want to add and hostname is the actual hostname of the computer object that you want to update. To configure your SPN using your FQDN, please refer to the below syntax. Where the fully qualified domain name is mbamserv1.techdirectarchi.local, and the domain account used for the web application pool is techdirectarchi\MBAM-IISAP-SVC.

setspn.exe -S http/MBAM.yourdomain.suffix YourDomain\MBAM-IISAP-SVC

Note: If you do not have administrative rights to create SPNs, you must ask the Active Directory administrators in their Organisation Administrators in your organization to create the SPN for you by using the following command. To set this for your NetBIOS hostname, use the command below.
Service Principal Names (SPNs) are not case sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any type of computer system. Many of these computer systems, especially UNIX-based systems, are case-sensitive and require the proper case to function properly. Care should be taken to use the proper case particularly when an SPN can be used by a non-Windows-based computer

setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC
Screenshot-2021-03-17-at-22.15.04

The table below shows the various ways you can register an SPN in your environment.

What you need to doExamples and more information
Register an SPN for the NetBIOS host name.Setspn -s http/nbname01 contoso\mbamapppooluserThe NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.
Register an SPN for the fully qualified domain name.Setspn –s http/nbname01.corp.contoso.com contoso\mbamapppooluserThe fully qualified domain name is nbname01.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

How to view SPNs

To view a list of the SPNs that a computer has registered with Active Directory from a command prompt, use the setspn –l hostname command, where hostname is the actual hostname of the computer object that you want to query. To see the list SPNs registered to target accounts for the specific server, please run the following where mbamserv1 is the name of my server. Please substitute this in your case.

SETSPN -L mbamserv1
Screenshot 2021 03 16 at 21.14.05
Screenshot 2021 03 16 at 21.14.05

When you should modify an SPN

It is not usually necessary to modify SPNs. Most times, they are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information can become stale. For instance, if the computer name is changed, the SPNs registered for the installed services must be changed to match the new computer name. Also, some services and applications may require manual modification of a service account’s SPN information to authenticate correctly.

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account.

Reset an SPN

If the SPNs that you see for your server display what seems to be incorrect names; consider resetting the computer to use the default SPNs. To reset the default SPN values, use the setspn -r hostname command at a command prompt, where hostname is the actual host name of the computer object that you want to update.

setspn -r mbamserv1
Screenshot-2021-09-02-at-20.08.14

Delete an SPN

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN that is to be removed and hostname is the actual host name of the computer object that you want to update. Below is how you would want to delete an SPN.

setspn -d http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC
Screenshot-2021-09-02-at-19.36.48

SPN Edit Mode Parameters

Edit Mode ParametersDescription
<Computer>Specifies the desired Active Directory account object for which to configure the Service Principal Names (SPN). Normally, this is the NetBIOS name of the computer and optionally the domain that contains the computer account. However, any desired Active Directory object name can be used.
-l Lists the currently registered SPN for computer.Usage: setspn –l accountname
-rResets the default SPN registrations for the host names for Computer.Usage: setspn –r accountnameFor example, to register SPN “HOST/daserver1” and “HOST/{DNS of daserver1}”:setspn -R daserver1
-d <SPN>Deletes the specified SPN for the Computer.Usage: setspn –d SPN accountnameFor example, to delete SPN “http/daserver” for computer “daserver1”:setspn -D http/daserver daserver1
-s <SPN>Adds the specified SPN for the computer, after verifying that no duplicates exist.Usage: setspn –s SPN accountnameFor example, to register SPN “http/daserver” for computer “daserver1”:setspn -S http/daserver daserver1
-?Displays help at the command prompt. This parameter is the default: if you run setspn run without this parameter displays the SPN command-line usage.

SPN Mode modifiers

Edit Mode modifiersDescription
-CSpecify that accountname is a computer account.
-USpecify that accountname is a user account.For example, to register SPN “http/daserver” for user account “dauser”:setspn -U -S http/daserver dauser

Note: Setspn also has an –A that you can use to add SPNs, but you should use Setspn -S instead because -S will verify that there are no duplicate SPNs. However, if you are using Windows Server 2003 or earlier, you will not be able to use the -S switch because it is not available for that platform. In the case where you cannot use -S, then you should manually verify that there are no duplicate SPNs by first running Setspn -L.

SPN Format (Other Scenario)

The format of an SPN is serviceclass/host:port/servicename, in which each item represents a name or value. Unless the service name and port are not standard, you do not have to enter them when you use setspn. For example, the default SPNs for a server named RDS01 that is providing remote desktop (RDP) services over the default port (TCP 3389) register the following two SPNs in its own Active Directory computer object.

Netbios format:         TERMSRV/RDS01
FQDN format:            TERMSRV/RDS01.techdirectarchive.com

To add this record, we will be following the same format as specified above.

setspn.exe -S TERMSRV/RDS01 
setspn.exe -S TERMSRV/RDS01.techdirectarchive.com

Create an alias name for a server

To add this record, we will be following the same format as specified above. Create a CNAME record (not a normal Host(A) record.) in DNS.

Set the DisableStrictNameChecking key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
DisableStrictNameChecking Data type: REG_DWORD
Set Value: 1

On the server create SPN’s for the flat name and the fully qualified name of the cname alias:

setspn -S host/your_ALIAS_name ServerName
setspn -S host/your_ALIAS_name.domain.com ServerName

Then reboot the Host

Summary: SetSPN is free, and it is already installed on your Windows PC or Server. You can run SetSPN from member servers or workstations. It can be used to add Service Principal Names to an AD account, as well as delete them and search for duplicate SPNs that are in the domain.

Duplicate SPNs will cause Kerberos to fail and fall back to NTLM, run setspn -x periodically to check for this.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x