SETSPN -A with Windows 2012 does a duplicate check upfront

Published Jan 15 2019 02:35 PM
Microsoft
First published on MSDN on Aug 17, 2012

If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas.  I recently set up a Windows 2012 server to just see how SharePoint Integration with Reporting Services would work out.

As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server.  As I created the SPN, I saw something very interesting.

The “Checking domain” piece made me assume that this was actually seeing if the SPN existed.  Basically checking to make sure this wouldn’t be a duplicate.  Then I decided to validate that assumption.

I have a bogus SPN sitting on my Claims Service account to allow me to set up delegation.  I’m going to use that for the test.  It is just “my/spn”.

So, let's try adding that to another account.

That’s awesome!

I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.

What's New in Kerberos Authentication (Windows 2012/Windows 8)
http://technet.microsoft.com/en-us/library/hh831747.aspx

Of note, this functionality actually existed within the Windows 2008/R2 SetSPN as the -S switch.  With the Windows 2012 version, -A just behaves the same as -S now.  Which is good.

Adam W. Saxton | Microsoft Escalation Services
https://twitter.com/awsaxton
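
The duplicate check described above can also be made explicit before an SPN is registered. The following PowerShell is an added example, not part of the original post: the helper name `Get-SpnOwner` and the account `CONTOSO\svc-other` are hypothetical, and the lookup covers the current domain only.

```powershell
# Added example. Get-SpnOwner and CONTOSO\svc-other are hypothetical names.
# Built-in equivalents: "setspn -Q <spn>" queries one SPN, "setspn -X" lists duplicates.

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # Search the current domain for any object that already holds this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    [void]$searcher.PropertiesToLoad.Add('distinguishedname')

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$result.Properties['samaccountname'][0]
            DistinguishedName = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

$spn     = 'my/spn'              # the test SPN used in the post
$account = 'CONTOSO\svc-other'   # hypothetical account the SPN would be added to

$owners = @(Get-SpnOwner -Spn $spn)

if ($owners.Count -gt 0) {
    # Show which account(s) hold the SPN and leave the directory unchanged.
    $owners | Format-Table -AutoSize
    Write-Warning "$spn is already registered; not adding it to $account."
}
else {
    # -S performs its own duplicate check before writing. On the Windows 2012
    # setspn, -A behaves the same way, as the post observes.
    setspn -S $spn $account
}
```

Using `-S` explicitly keeps the check in place on Windows 2008/R2 hosts, where `-A` does not perform it.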
