Where is setspn.exe located

To manually register the SPN that is shown as missing in the figure above, you would enter the command shown in the following figure. If a computer is unable to verify the SPN of a computer, a connection request may be denied or fail.

For example, one error you might encounter is "the target principal name is incorrect". You can try running the following command on a domain controller displaying such an error: That command will check for missing and duplicate SPNs as well as other errors.

When troubleshooting these issues, you should be sure to verify DNS connectivity. Once you have SPNs in place, there's an additional tab available in the ADDS users and computers mmc where you can choose delegation settings. See Kerberos authentication and delegation: ServicePrincipalNames for more info.

You only need to specify a port when a non-default port is used for the service. See Port Numbers for a list of assigned port numbers. Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Click View, and verify that the Advanced Features check box is selected. If the domain to which you want to allow a disjoint namespace does not appear in the console, take the following steps:

In the Domain box, type the name of the Active Directory domain to which you want to allow the disjoint namespace, and then click OK. As an alternative, you can use the Browse button to locate the Active Directory domain. In the console tree, right-click the node that represents the domain to which you want to allow a disjoint namespace, and then click Properties.

In Enter the object name to select, type the group or user account name to which you want to delegate permission, and then click OK.

At the bottom of the Permissions box, select the Allow check box that corresponds to the Validated write to service principal name permissions, and then click OK on the three open dialog boxes to confirm your changes. However, if you are using Windows Server or earlier, you will not be able to use the -S switch because it is not available for that platform. Where you cannot use -S, you should manually verify that there are no duplicate SPNs by first running Setspn -L. The syntax is:

Normally, this is the NetBIOS name of the computer and optionally the domain that contains the computer account. However, any desired Active Directory object name can be used. Displays help at the command prompt. This parameter is the default: running setspn without this parameter displays the SPN command-line usage.

If neither is specified, the tool will interpret accountname as a computer name if such a computer exists, and a user name if it does not. Usage: setspn -T domain switches and other parameters. Query Mode modifiers can be used with the -S switch in order to specify where the check for duplicates should be performed before adding the SPN.

Service Principal Names (SPNs) are not required to be unique across forests, but duplicate SPNs can cause authentication issues during cross-forest authentication. SPNs can only be constructed by using the account base name as the Computer parameter. The directory service enforces this by generating a constraint violation error.

You may not have the rights to access or modify this property on some account objects. A user can have multiple SPNs set to host multiple web servers or hostnames. We recommend always setting the SPN for both the short hostname and the long fully qualified domain name. To access the web interface of the conversion servers, SPNs need to be set too. Note: Fabasoft recommends not using these workarounds if the SPNs can be set.

Use these workarounds only temporarily. In a Microsoft Windows environment, the Fabasoft Folio Web services run with a specified domain user (the web service user). In Active Directory, the web service user needs to have permissions to run a service (in this case http) in the domain. This permission is set by the SPN.


