|
| 1 | +--- |
| 2 | +title: Setspn |
| 3 | +description: The setspn command reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. |
| 4 | +ms.topic: reference |
| 5 | +ms.author: alalve |
| 6 | +author: xelu86 |
| 7 | +ms.date: 03/24/2025 |
| 8 | +ms:assetid: 9341c753-11ff-4acc-993c-b05d50f32330 |
| 9 | +--- |
| 10 | + |
| 11 | +# setspn |
| 12 | + |
| 13 | +The `setspn` command line utility reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory (AD) service account. You use SPNs to locate a target principal name for running a service. You can use `setspn` to view the current SPNs, reset the account's default SPNs, and add or delete supplemental SPNs. `Setspn` is available if you have the Active Directory Domain Services (AD DS) server role installed. `Setspn` must be ran through an elevated command prompt. |
| 14 | + |
| 15 | +## Syntax |
| 16 | + |
| 17 | +``` |
| 18 | +setspn <modifiers switch> <accountname> [-R] [-S] [-D] [-L] [-C] [-U] [-Q] [-X] [-P] [-F] [-T] [-?] [/?] |
| 19 | +``` |
| 20 | + |
| 21 | +> [!NOTE] |
| 22 | +> The \<accountname> can be the computer name or domain\\name of the target computer or a user account. You can run `setspn -A` to add SPNs, but you should use `setspn -S` instead because it verifies that there are no duplicate SPNs. |
| 23 | +
|
| 24 | +## Parameters |
| 25 | + |
| 26 | +| Parameters | Description | |
| 27 | +|--|--| |
| 28 | +| `<accountname>` | Specifies the desired AD account object for which to configure the SPN. Normally, the SPN is the NetBIOS name of the computer and optionally the domain that contains the computer account. However, any desired AD object name can be used. | |
| 29 | +| `-R` | Resets the default SPN registrations for the host names for the computer. | |
| 30 | +| `-S` | Adds the specified SPN for the computer, after verifying that no duplicates exist. | |
| 31 | +| `-D` | Deletes the specified SPN for the computer. | |
| 32 | +| `-L` | Lists the currently registered SPN for the computer. | |
| 33 | +| `-C` | Specifies that `accountname` is a computer account. | |
| 34 | +| `-U` | Specifies that `accountname` is a user account. | |
| 35 | +| `-Q` | Queries for any existing SPNs. | |
| 36 | +| `-X` | Performs a search of duplicate SPNs. | |
| 37 | +| `-P` | Suppresses progress to the console and can be used when redirecting output to a file or when used in an unattended script. No output is displayed until the command is complete. | |
| 38 | +| `-F` | Performs queries at the forest, rather than domain level. | |
| 39 | +| `-T` | Performs a query on the specified domain (or forest when `-F` is used). | |
| 40 | +| `-?` or <br>`/?` | Displays the command-line help information. If you run `setspn` without this parameter, it also displays the command-line help information. | |
| 41 | + |
| 42 | +> [!NOTE] |
| 43 | +> `-C` and `-U` are exclusive. If neither is specified, the tool interprets `accountname` as a computer name if such a computer exists, and a user name if it doesn't. |
| 44 | +
|
| 45 | +## Remarks |
| 46 | + |
| 47 | +Query Mode modifiers can be used with the `-S` switch in order to specify where the check for duplicates should be performed before adding the SPN. |
| 48 | + |
| 49 | +- `-T` can be specified multiple times. To indicate the current domain or a forest, use `""` or `*`. |
| 50 | + |
| 51 | +- `-Q` executes on each target domain or forest. |
| 52 | + |
| 53 | +- `-X` returns duplicates that exist across all targets. SPNs aren't required to be unique across forests, but duplicate SPNs can cause authentication issues during cross-forest authentication. |
| 54 | + |
| 55 | +- SPNs must be constructed using the base name of the account specified as the _accountname_ parameter. If this condition isn't met, the directory service returns a constraint violation error. |
| 56 | + |
| 57 | +You might not have the rights to access or modify this property on some account objects. You can determine what your access rights are by viewing the security attributes of the account object using the Microsoft Management Console (MMC) in Active Directory Users and Computers. You can also delegate the permission by assigning the Validated write to service principal name permission to the desired user or group. |
| 58 | + |
| 59 | +The built-in SPNs that are recognized for computer accounts are: |
| 60 | + |
| 61 | +``` |
| 62 | +alerter eventlog netlogon rpc snmp |
| 63 | +appmgmt eventsystem netman rpclocator spooler |
| 64 | +browser fax nmagent rpcss tapisrv |
| 65 | +cifs http oakley rsvp time |
| 66 | +cisvc ias plugplay samss trksvr |
| 67 | +clipsrv iisadmin policyagent scardsvr trkwks |
| 68 | +dcom messenger protectedstorage scesrv ups |
| 69 | +dhcp msiserver rasman schedule w3svc |
| 70 | +dmserver mcsvc remoteaccess scm wins |
| 71 | +dns netdde replicator seclogon www |
| 72 | +dnscache netddedsm |
| 73 | +``` |
| 74 | + |
| 75 | +These SPNs are recognized for computer accounts if the computer has a host SPN. Unless they're explicitly placed on objects, a host SPN can substitute for any of the mentioned SPNs. |
| 76 | + |
| 77 | +SPNs aren't case sensitive when used by Microsoft Windows-based computers. Any type of computer system can use an SPN. Many of these computer systems, especially UNIX-based systems, are case-sensitive, and require the proper case to function properly. Care should be taken to use the proper case particularly when an SPN is used by a non-Windows-based computer. |
| 78 | + |
| 79 | +## Examples |
| 80 | + |
| 81 | +To list all the registered SPNs for an account, type: |
| 82 | + |
| 83 | +```cmd |
| 84 | +setspn -L <accountname> |
| 85 | +``` |
| 86 | + |
| 87 | +To reset the SPNs for a computer account, type: |
| 88 | + |
| 89 | +```cmd |
| 90 | +setspn -R <accountname> |
| 91 | +``` |
| 92 | + |
| 93 | +To register the SPN _http/MyServer_ for user account _User01_, type: |
| 94 | + |
| 95 | +``` |
| 96 | +setspn -U -S http/MyServer User01 |
| 97 | +``` |
| 98 | + |
| 99 | +To add a new SPN to a domain account that doesn't have one set, type: |
| 100 | + |
| 101 | +```cmd |
| 102 | +setspn -S http/myserver.mydomain.com myDomain\myServer |
| 103 | +``` |
| 104 | + |
| 105 | +To remove an SPN from an account, type: |
| 106 | + |
| 107 | +```cmd |
| 108 | +setspn -D http/myserver.mydomain.com myDomain\myServer |
| 109 | +``` |
| 110 | + |
| 111 | +To query all duplicate SPNs in your domain and the _contoso_ domain, type: |
| 112 | + |
| 113 | +``` |
| 114 | +setspn -T * -T contoso -X |
| 115 | +``` |
| 116 | + |
| 117 | +To find all the SPNs associated with _MyServer_ registered in the _contoso_ domain forest, type: |
| 118 | + |
| 119 | +``` |
| 120 | +setspn -T contoso -F -Q */MyServer |
| 121 | +``` |
| 122 | + |
| 123 | +## See also |
| 124 | + |
| 125 | +[Command-Line Syntax Key](/windows-server/administration/windows-commands/command-line-syntax-key) |
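Review bot: grammar error in the intro paragraph (line 13 of the new file): "`Setspn` must be ran through an elevated command prompt" should read "must be run through an elevated command prompt". Two smaller consistency points in the same file: the code fences in the Examples section are tagged inconsistently (the `-L`, `-R`, `-S`, and `-D` examples use ```` ```cmd ````, while the `-U -S`, `-T * -T contoso -X`, and `-T contoso -F -Q */MyServer` examples use a bare ```` ``` ````), so the later three should also be tagged `cmd`; and the first note recommends `setspn -A` over `setspn -S` by contrast, yet `-A` appears neither in the Syntax line nor in the Parameters table, so either add a row for `-A` (noting that it does not check for duplicates) or drop the mention. Finally, the front matter key `ms:assetid` uses a colon where every other key on the page uses `ms.` (`ms.topic`, `ms.author`, `ms.date`); please confirm the intended key name before merging.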