Service Principal Name (SPN) Register and De-register in AD

Description:

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name. 

Cause or Reason:

Before the Kerberos authentication service uses an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on.

Resolution:

(1) To create /register an SPN for the FQDN of the SQL Server use the following command:

setspn -A MSSQLSvc/SQL_Server_FQDN:1433  Domain\Account

For example:

  

setspn -A MSSQLSvc/HOSTNAME.domain.com:1433 Domain\service-account

(2) To create /register SPN for web application (IIS, Sharepoint etc.) use the below commands:

 setspn -S HTTP/webappurl.domain.com   Domain\service-account

(3) To verify the SNP use the following command:

setspn –L  domain\SQL Service Account

For example:

setspn –L Domain\service-account 

(4) To delete /de-register SNP for the FQDN of the SQL Server use the following command: 

setspn -D MSSQLSvc/SQL_Server_FQDN:1433 Domain\Account

(5) Alternatively, these tasks can be performed through ADSIEDIT. Connect to default naming context, navigate through the service account, select attribute servicePrincipalName and click Edit. Be very careful as ADSIEDIT is low level editor and could impact the environment if not handled properly.

(6) Now we can add or remove the SPN associated with the service account.