Service Principal Name: How to add, reset and delete SPNs

A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service logon account, which lets a client application ask the service to authenticate an account even when the client does not know the account name. SPNs are records in the Active Directory (AD) database that show which services are registered to which accounts; in an AD environment they are stored on every domain controller. The following guides also touch on SPNs: FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x0000054B, unable to locate account, and how to deploy Microsoft BitLocker Administration and Monitoring Tool.

Kerberos is an open-source binary protocol whose messages are encoded with ASN.1. Its core is the key distribution center (KDC) service, which listens on port 88 over both TCP and UDP.

Setspn is a command-line tool built into Windows Server 2008. It is available when the Active Directory Domain Services (AD DS) server role is installed. You must run setspn from an elevated command prompt. See also how to configure a service account for Kerberos delegation.

Note: If the logon account of a service instance changes, the SPNs must be re-registered under the new account.
Note: If an account has one or more SPNs, a service ticket for any of them can be requested via Kerberos, and because part of that ticket is encrypted with a key derived from the account's password, the password can be brute-forced offline. This is how Kerberoasting works. There is a way to perform Kerberoasting without knowing the SPNs of the target services. I'll show how it could be done, how it works, and when it could be useful.

How to add (register) SPNs

To add an SPN, use the setspn -s service/name hostname command at a command prompt, where service/name is the SPN you want to add and hostname is the host name of the computer object you want to update. To register the SPN using the FQDN, use the syntax below, where the fully qualified domain name is mbamserv1.techdirectarchi.local and the domain account used for the web application pool is techdirectarchi\MBAM-IISAP-SVC.

setspn.exe -S http/MBAM.yourdomain.suffix YourDomain\MBAM-IISAP-SVC

Note: If you do not have the rights to create SPNs, ask the Active Directory administrators in your organization to create the SPN for you with the following command. To set the SPN for your NetBIOS host name, use the command below.
Service Principal Names (SPNs) are not case sensitive when used by Microsoft Windows-based computers. However, an SPN can be used by any type of computer system, and many of them, especially UNIX-based systems, are case sensitive and need the correct case to function. Take care to use the correct case, particularly when an SPN may be used by a non-Windows computer.

setspn.exe -S http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC

The table below shows the various ways you can register an SPN in your environment.

What you need to do: Register an SPN for the NetBIOS host name.
Example: Setspn -s http/nbname01 contoso\mbamapppooluser
More information: The NetBIOS host name is nbname01, and the domain account used for the web application pool is contoso\mbamapppooluser.

What you need to do: Register an SPN for the fully qualified domain name.
Example: Setspn -s http/nbname01.corp.contoso.com contoso\mbamapppooluser
More information: The fully qualified domain name is nbname01.contoso.com, and the domain account used for the web application pool is contoso\mbamapppooluser.

How to view SPNs

To view the SPNs that a computer has registered in Active Directory, use the setspn -l hostname command at a command prompt, where hostname is the host name of the computer object you want to query. To list the SPNs registered to the target accounts for a specific server, run the following, where mbamserv1 is the name of my server; substitute your own server name.

SETSPN -L mbamserv1

When you should modify an SPN

It is not usually necessary to modify SPNs. Most of the time they are set up by a computer when it joins a domain and when services are installed on it. In some cases, however, this information becomes stale: if the computer name changes, for instance, the SPNs registered for the installed services must be changed to match the new name. Some services and applications also require manual modification of a service account's SPN information before they can authenticate correctly.

Reset an SPN

If the SPNs listed for your server look incorrect, consider resetting the computer to its default SPNs. To reset the default SPN values, use the setspn -r hostname command at a command prompt, where hostname is the host name of the computer object you want to update.

setspn -r mbamserv1

Delete an SPN

To remove an SPN, use the setspn -d service/name hostname command at a command prompt, where service/name is the SPN to remove and hostname is the host name of the computer object you want to update. Below is how you would delete an SPN.

setspn -d http/mbamserv1 techdirectarchi\MBAM-IISAP-SVC

SPN Edit Mode Parameters

<Computer>: Specifies the Active Directory account object for which to configure Service Principal Names (SPNs). Normally this is the NetBIOS name of the computer, optionally prefixed with the domain that contains the computer account, but any Active Directory object name can be used.

-l: Lists the SPNs currently registered for the computer.
Usage: setspn -l accountname

-r: Resets the default SPN registrations for the host names of the computer.
Usage: setspn -r accountname
For example, to register the SPNs "HOST/daserver1" and "HOST/{DNS of daserver1}": setspn -R daserver1

-d <SPN>: Deletes the specified SPN for the computer.
Usage: setspn -d SPN accountname
For example, to delete the SPN "http/daserver" for computer "daserver1": setspn -D http/daserver daserver1

-s <SPN>: Adds the specified SPN for the computer after verifying that no duplicate exists.
Usage: setspn -s SPN accountname
For example, to register the SPN "http/daserver" for computer "daserver1": setspn -S http/daserver daserver1

-?: Displays help at the command prompt. This is the default: running setspn with no parameters displays the command-line usage.

SPN Mode modifiers

-C: Specifies that accountname is a computer account.

-U: Specifies that accountname is a user account.
For example, to register the SPN "http/daserver" for user account "dauser": setspn -U -S http/daserver dauser

Note: Setspn also has an -A switch for adding SPNs, but you should use setspn -S instead, because -S verifies that no duplicate SPN exists. On Windows Server 2003 or earlier the -S switch is not available; in that case, manually verify that there are no duplicate SPNs by first running setspn -L.
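The duplicate check that -S performs can also be done up front, which is what you need on platforms that only offer -A. The script below is an added example and is not part of the original post: it searches the whole domain for the SPN with the built-in [adsisearcher] accelerator, reports any existing holder, and only then calls setspn -S. The SPN and account name are placeholders taken from this post; run it on a domain-joined host with rights to read AD and to write the target account.

```powershell
# Added example: verify an SPN is unique in the domain before registering it.
# Assumed inputs (placeholders from the post): adjust for your environment.
param(
    [string]$Spn     = 'http/mbamserv1.techdirectarchi.local',
    [string]$Account = 'MBAM-IISAP-SVC'   # sAMAccountName of the service account
)

# [adsisearcher] wraps System.DirectoryServices.DirectorySearcher, so this works
# without the ActiveDirectory PowerShell module. The filter finds every object
# (user or computer) that already holds this exact SPN.
$searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName'))
$holders = $searcher.FindAll()

if ($holders.Count -gt 1) {
    # Two or more holders: Kerberos cannot pick a key, so tickets for this
    # service will fail until the duplicates are removed with setspn -D.
    Write-Warning "Duplicate SPN: '$Spn' is registered on $($holders.Count) objects:"
    $holders | ForEach-Object { $_.Properties['samaccountname'][0] }
    return
}

if ($holders.Count -eq 1) {
    $owner = $holders[0].Properties['samaccountname'][0]
    if ($owner -ieq $Account) {
        "SPN '$Spn' is already registered on $Account; nothing to do."
        return
    }
    Write-Warning "'$Spn' is already registered on '$owner'. Remove it there (setspn -D) before adding it to $Account."
    return
}

# No holder found: register the SPN. -S makes setspn repeat the duplicate
# check at write time; on Server 2003 or earlier substitute -A here, since the
# lookup above has already established that the SPN is unique.
& setspn.exe -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
"Registered '$Spn' on $Account"
```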

I hope you found this blog post helpful. If you have any questions, please let me know in the comment section.