Questions tagged [spn]
a service principal name (SPN) that is used to identify an instance of a service in a particular domain
63 questions
14 votes, 1 answer, 40k views
Why is MS SQL Server Using NTLM Authentication?
Windows Server 2008 R2.
SQL Server 2008 R2 installed.
MSSQL Service runs as Local System.
Server FQDN is SQL01.domain.com.
SQL01 is joined to an Active Directory domain named domain.com.
The ...
11 votes, 2 answers, 40k views
Permissions to create an spn
According to some of the documentation I've read the service account for SQL server will create an SPN when the database engine starts up, allowing for kerberos authentication. I haven't been able to ...
8 votes, 1 answer, 23k views
"setspn -s" vs. "setspn -a"
According to the Setspn Overview, it's discouraged to use Setspn -A to add an SPN record and it's suggested to use Setspn -S instead.
It's said that Setspn -S checks if SPN already exists before ...
8 votes, 1 answer, 23k views
Create SPN with setspn.exe - Insufficient access rights
On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email ...
8 votes, 1 answer, 6k views
Active Directory 2012 LDAP Integration Service Principal Name Entry is Disappearing?
Creating Python Service to Query AD Attributes
I'm integrating our AD with web services running Python on linux using Python-LDAP over SASL(DIGEST-MD5) to query AD 2012 user attributes (division, ...
7 votes, 2 answers, 11k views
creating an SPN from a linux build server
I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right privileges....
7 votes, 1 answer, 21k views
Creating keytabs and service principal names
I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command line tools, haven't even got ...
6 votes, 2 answers, 17k views
help using setspn and ktpass
I'm trying to set up the SPNs and create a keytab file for tomcat kerberos spnego Single sign on.
the server running tomcat7 is ubuntu-ad1.wad.eng.hytrst.com
the KDC is kerberos.wad.eng.hytrust.com
...
6 votes, 3 answers, 30k views
Will kerberos work with CNAMEs if I have the SPN created for the A record as well?
We are currently setting up a SQL 2012 environment and it will be used for storing data that will be accessed by SSRS in sharepoint integrated mode. We will be using Kerberos for authentication.
...
6 votes, 3 answers, 67k views
Get SPN error when trying to join a machine to a domain
I am trying to join a Windows Server 2016 VM called BORON to a domain which has a Windows 2012 R2 domain controller. The DC name is SNOWDROP.DUCK.LOC. When I try to join I get this error:
The ...
6 votes, 1 answer, 17k views
Active Directory replication target principal name incorrect
I have a small 2 DC domain using Win 2008 R2 machines. Recently, one had to be restored using backup exec system recovery.
Now the two are failing replication. I have run DCDIAG on both (see below) ...
5 votes, 3 answers, 18k views
Kerberos - Adding a SPN to a Domain User
When adding a new SPN into the Kerberos domain, you have the option of mapping the SPN to a user. In general, I join the domain through Integrated Windows Authentication, and this creates a new ...
5 votes, 2 answers, 9k views
Why does a SPN on a different host cause a server to lose its trust? How should I fix it?
I have a brand new server image that loses its trust as soon as it's joined to the domain. I suspect it's because of the duplicate SPN I discovered using the LDAP version of this Powershell script
...
4 votes, 1 answer, 8k views
Can I share one SPN between two service accounts?
I am running IIS and SQL Reporting Server on the same server. IIS runs as d\acct1 and SSRS is running as d\acct2.
Initially, I registered an SPN HTTP/server.d.com for both d\acct1 and d\acct2 and ...
4 votes, 1 answer, 1k views
Kerberos issues after new server of same name joined to domain
Environment: Windows Server 2012, 2 Domain Controllers, 1 domain.
A server called Sharepoint1 was joined to the domain (running Sharepoint 2013 using NTLM).
The fresh install for Sharepoint1 (OS and ...
3 votes, 2 answers, 184 views
Are SPNs specific to Windows and Active Directory?
Are Service Principal Names specific to Active Directory on Windows? Or do they exist in Linux OpenLDAP / Kerberos KDC servers too?
3 votes, 2 answers, 7k views
Why should I not run setspn.exe on the domain controller?
I found several references (see below) on blogs that the setspn.exe utility should be run from either a client or server machine in the domain, but not from the domain controller itself.
http://www....
3 votes, 1 answer, 1k views
SPNs and Kerberos Delegation
I would like to check my understanding. This is a fully hypothetical scenario below as I am currently studying for a certification.
I have an IIS App Pool with a basic website, which accesses data ...
3 votes, 1 answer, 263 views
What SPNs are needed for an intranet web service that reads remote registries
Imagine a website that shows the value of a remote registry key, live, such as the version of the anti-virus definitions on a remote PC. To be clear, there are 3 computers involved, the web server ...
3 votes, 1 answer, 199 views
Why deploy Kerberos for Exchange 2010 SP1 RU3?
The first version of Exchange 2010 to support Kerberos is SP1 RU3. It does this through the RollAlternateServiceAccountCredential.ps1 commandlet.
Besides implementing "better" security, does this ...
3 votes, 1 answer, 1k views
Linux pod authenticate to MS-SQL windows server using keytab
Cannot get Kerberos auth working from linux to MS-SQL server on windows.
Added new user in AD.
New-ADUser -Name "user" -GivenName "user" -SamAccountName "user" -...
3 votes, 2 answers, 379 views
setspn does not affect Active Directory Users
I run the setspn command for specific user on Domain Controller.
C:\>setspn -s example/username.companyname.com username
Checking domain DC=companyname,DC=com
Registering ServiceprincipalNames ...
3 votes, 1 answer, 3k views
Kerberos Error APP_MODIFIED when using a CNAME DNS record
I have a production server, which I'll call CONTOSO\MachineA, running SQL Server. I have a development server, which I'll call CONTOSO\MachineB, running IIS. Both servers are running Windows Server ...
3 votes, 1 answer, 14k views
SPN settings in a ADFS 3.0 lab setup
I am a developer trying to understand authentication with ADFS (2012 R2), so I am trying to setup an ADFS lab.
I have found 2 guides:
doc1 - http://technet.microsoft.com/en-us/library/dn280939.aspx
...
3 votes, 2 answers, 5k views
List all kerberized SPN's in Linux
Is there a way to list/show all SPN's in a kerberized AD using a Linux Client?
In Windows one can use setspn -T <domain> -Q */* to get them. Is there something similar? Haven't found anything ...
2 votes, 1 answer, 3k views
SPN generation for multiple service account on a Web server
I am trying to achieve Azure SSO in my organisation. I have a web server hosting multiple websites and web application under those sites. Users access them in below fashion
https:// < SiteName >...
2 votes, 1 answer, 2k views
Samba AD: Create keytab for computer without net ads join?
Gist: I have set up a samba as AD DC. I'd like to export a keytab for SPNs for a computer account only without having the computer to run samba itself, or issue net ads join. Running samba-tool domain ...
2 votes, 2 answers, 2k views
Adding new SPNs to existing service ids
We have a tomcat server using spring-security kerberos to authenticate users to the webpage against active directory.
There are around 25 domain controllers.
The site has two CNAME based DNS aliases....
2 votes, 2 answers, 5k views
need help in setting up SPN for Kerberos Authentication
I am using IIS 7 for setting up a website under windows authentication. I am seeing authentication issue which I am almost sure that it is related to kerberos issue and I am wrongly setting up SPN. ...
2 votes, 0 answers, 154 views
Kerberos Double Hop - SQL2014 HA - MSA's
OK, so I'm at my wits' end.
We have a system which works perfectly in our UAT environment (not HA) but will not work in live.
So the config is:
dns A record to iis box
binding in iis on :80 to ...
1 vote, 1 answer, 43 views
Restrict using Azure Service Principal by Humans
We have some people who are using SPs manually (themselves) to run commands and deploy resources from CLI.
We need to prevent that and allow only services to use SPs, not Humans.
Is there any way to ...
1 vote, 1 answer, 291 views
Is it possible for two legs of a service to have the same SPN? Or at least clients refer to a single identity?
For a WCF service "SuperService", installed on two separate servers "Server1" and "Server2" - is it possible to have a single SPN identity string to which the WCF client "SuperClient" can refer?
Such ...
1 vote, 1 answer, 7k views
RDP from 2008 R2 through a tunnel fails
I'm trying to RDP from a Win7 to a 2008 R2 machine through a tunnel (think SSH, but not exactly).
It fails and the following is in the 2008 R2 (destination) event log:
System Event Log, LsaSrv ...
1 vote, 1 answer, 653 views
Confusion about Kerberos, delegation and SPNs
I already posted this question on SO, but the nature of it is between programming and server configuration, so I'll re-post it here as well.
I'm trying to write a proof-of-concept application that ...
1 vote, 2 answers, 6k views
Windows Authentication KRB5KRB_AP_ERR_MODIFIED
Let me preface by saying, I've been on this issue for about a week and a half now and I can't figure it out. I think I'm close, but every time I've thought that so far, I was wrong. I've looked at ...
1 vote, 2 answers, 2k views
RDP to an Alias
I have a server that has since been decommissioned and I have some services that have been moved over to another server however these servers still point to the old server so I have set up a Cname for ...
1 vote, 1 answer, 6k views
Clear SPN changes from server cache
We have in house IIS apps built on ASP .Net 2.0 running on IIS 7.5- Server 2008 R2 x64. Back end is SQL 2005. It uses Kerberos (Windows integrated) authentication. Once in a while we need to change ...
1 vote, 2 answers, 9k views
IIS and Integrated Windows Authentication - login doesn't work for domain.com, works for IP address, localhost, 127.0.0.1
I've installed Windows Server 2003 R2 and IIS role (no Active Directory role).
I've setup a virtual directory named 'test' and under Security tab of the 'test' Virtual Directory I've disabled the ...
1 vote, 0 answers, 235 views
Forest trust: SPN mismatch for non-fully-qualified name
Setup
All computers running Windows Server 2019.
Domain A
Item | Value | Fully Qualified
Domain Name | DomainA | DomainA.local
User | UserA | [email protected]
Server | FileServer | FileServer.DomainA.local
...
1 vote, 0 answers, 175 views
New SPN required when renaming server?
I am in the process of decommissioning a Win 2008 server, that runs an app that uses Kerberos authentication, and has an SPN created for our service account. The replacement server will be renamed to ...
1 vote, 0 answers, 84 views
Configure HTTP SPN for a domain user account on Windows Server 2012R2
I have a Windows 2012R2 Server and I would like to use Kerberos authentication with my IIS web applications. How do I set the SPN and map the users for HTTP and HTTPS services for a given use account ...
1 vote, 0 answers, 3k views
Issues identifying SPNs
Background
We are performing a server move. In the process, new servers and service accounts have been created. I'm getting two issues which I think are related to SPN's:
I've created some SQL ...
1 vote, 0 answers, 521 views
Setting up SPN for SSRS in a CRM load balance environment
I'm getting this exception randomly in a CRM load balance LIVE environment when running Reports from CRM.
System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner ...
1 vote, 0 answers, 621 views
Set SPN for all users in domain
I have a Windows 2008 R2 domain controller with more than 60 user accounts. Each time one of these users tries to connect to the DC authentication "falls back" to NTLM. Kerberos authentication fails ...
1 vote, 0 answers, 1k views
Kerberos Issue on Aliased SharePoint Web Front Ends
I am having a problem with Kerberos working on SharePoint. Also note that I am a developer not a network guy so if I use the wrong terms I apologize but I hope my intent is clear.
We have two web ...
0 votes, 2 answers, 68 views
Set SPN To SQL With NT Authority
I am trying to add SPN entries for my SQL server but SQL server is running under an NT Authority account like SYSTEM or LOCAL SERVICE.
When I put in the setspn code it says it can't find the user. Is ...
0 votes, 1 answer, 2k views
Why would setspn -q return "no such spn found" when setspn -l finds the spn?
I'm attempting to troubleshoot why windows authentication is failing for a website hosted in IIS at a customer site. When executing setspn -l serviceUser to list the spns associated with a service ...
0 votes, 1 answer, 3k views
How to set an SPN for SQL Server on a Workgroup
I'm trying to remote connect to my Sql server 2016 instance on my home server running on a workgroup. I need to set an SPN to do this. All the guides out there seem to be related to setting the SPN ...
0 votes, 2 answers, 2k views
How to set the SPN for Postgres SSPI
I am trying to setup Postgres to support SSPI/Kerberos, however I think that I have not found out what the correct SPN that is needed to get it working.
The background details:
Service account for ...
0 votes, 0 answers, 10 views
SPN not working in azdevOps when creating b2c tenant in azure
When creating a new b2c tenant using automation from azuredevOps, SPN doesn't work.
Only option is to use endpoint authenticated user.
'Failed'.","details":[{"code":"...