Kerberos SPN Viewer and Helper Tool Sample
Kerberos SPN Viewer and Helper Tool
Here is a sample tool I wrote to simplify listing ServicePrincipalNames (SPNs), with an integrated helper that works out which SPN needs to be set for the configuration in use.
The Viewer part of the tool displays the SPNs registered for a given set of criteria. As shown below, the Viewer tab takes the following input to produce its results.
- Account Info
  - You can select Computer Account, Domain Account, or Both, depending on which accounts you want to view the SPNs for.
  - If you select Computer Account, specify the NETBIOS name of the machine. Example: IISPRODSVR. This searches all computer accounts registered in the forest.
  - If you select Domain Account, simply specify the user name. Example: JohnDoe. You do not have to specify the domain name. This searches all user accounts in the forest.
  - If you select Both, both computer and user accounts are searched.
  - Use "*" for a wildcard search, but a wildcard search may take a long time; you rarely need to look at every SPN in the entire forest anyway.
- Search By SPN Type
  - This is a list of predefined service classes to choose from. Select one of them, or select "*" to look for all SPN classes registered for the given criteria. The service class is the first part of the SPN, e.g. HTTP in HTTP/IISPRODSRV.myDomain.com.
  - Hostname is the second part of the SPN, e.g. IISPRODSRV.myDomain.com in HTTP/IISPRODSRV.myDomain.com. Enter either "*" or the hostname if you have it.
- SPN List
  - This pane shows the results in a treeview. Right-clicking the treeview expands the tree.
- Status
  - This displays the status of the query, or any other information the application reports when you hit the Query button at the bottom.
The Helper part of the tool helps users find the SPN they need to set for the application they are using. The UI is kept simple and easy to use.
- Technology
  - Choose IIS or SQL depending on whether you are trying to find the required SPNs for IIS or for SQL Server.
  - IIS uses port 80 by default. If you are configuring a different port, have a look at Knowledge Base article KB929650 (https://support.microsoft.com/kb/929650) or KB908209 (https://support.microsoft.com/kb/908209/), "Internet Explorer 6 cannot use the Kerberos authentication protocol to connect to a Web server that uses a non-standard port on Windows XP or Windows Server 2003".
  - If you choose SQL, the Port textbox is enabled so you can specify the port SQL Server is listening on.
- Details
  - The checkbox at the top specifies whether the service you want to set or find the SPN for is clustered.
  - If the service runs under a domain account, specify it in the Account Name textbox. If it runs under a machine account such as Network Service or Local System, choose Machine Account; no name needs to be entered in that case.
  - Machine Name is the NETBIOS name of the machine the service runs on. If the service is clustered, enter the cluster name here instead.
  - If clients reach the service through a host header rather than the cluster name, a couple of additional things need attention:
    - If the host header is created as a CNAME in DNS, you need the SPN for the FQDN that the alias maps to.
    - If the host header is created as a HOST (A) record in DNS, you need the SPN for the FQDN of the host header itself.
  - The machine name or cluster name you specify must resolve through DNS. Make sure the name resolves correctly before setting the SPN.
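As an added example (not part of the original post or the tool's source), here are the Helper tab's rules from the list above as a Python function. The field names, and the port convention that IIS omits :80 while SQL SPNs always carry the instance port, are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ServiceConfig:
    """Inputs of the Helper tab (field names are assumed, not the tool's own)."""
    technology: str                        # "IIS" or "SQL"
    machine_name: str                      # NetBIOS name; the cluster name if clustered
    dns_domain: str                        # DNS suffix, e.g. "myDomain.com"
    port: Optional[int] = None             # SQL port, or a non-default IIS port
    account_name: Optional[str] = None     # domain service account; None = machine account
    host_header: Optional[str] = None      # FQDN clients use instead of the machine name
    host_header_is_cname: bool = False     # True if the host header is a DNS CNAME (alias)
    cname_target: Optional[str] = None     # FQDN the alias maps to


def required_spns(cfg: ServiceConfig) -> Tuple[str, List[str]]:
    """Return (account to register on, SPNs to register) following the rules above."""
    svc_class = {"IIS": "HTTP", "SQL": "MSSQLSvc"}[cfg.technology.upper()]

    # Names clients will request a ticket for: a host header (resolved according
    # to its DNS record type) or the FQDN and NetBIOS name of the machine/cluster.
    if cfg.host_header:
        if cfg.host_header_is_cname:
            if not cfg.cname_target:
                raise ValueError("CNAME host header needs the FQDN it maps to")
            names = [cfg.cname_target]      # SPN is for the alias target, not the alias
        else:
            names = [cfg.host_header]       # HOST (A) record: SPN is for the header itself
    else:
        names = [f"{cfg.machine_name}.{cfg.dns_domain}", cfg.machine_name]

    # Port suffix (assumed convention): SQL always carries the port, IIS only when not 80.
    if svc_class == "MSSQLSvc":
        if cfg.port is None:
            raise ValueError("SQL needs the port the instance listens on")
        suffix = f":{cfg.port}"
    else:
        suffix = f":{cfg.port}" if cfg.port not in (None, 80) else ""

    spns = [f"{svc_class}/{n}{suffix}" for n in names]
    # Register on the domain account if one runs the service, else on the
    # computer account of the machine (NAME$).
    account = cfg.account_name or f"{cfg.machine_name.upper()}$"
    return account, spns
```

Compare the returned list against what the Viewer tab (or setspn -l) shows for that account; a missing or mismatched entry is the usual cause of Kerberos falling back to NTLM.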
Comments
- Anonymous
June 19, 2012
Not sure if this is still an application you intend to work on, but can I request a couple of additions?
- Make the window resizable (it's difficult to read the list without the resizable text field currently).
- Allow custom services instead of the ones in the drop-down. (Attempted to put in the service that was being investigated; the query returned null.) I had to troubleshoot SPNs on various Kerberos authentication application implementations (Dynamics NAV, Dynamics CRM, SharePoint, Exchange, ActivIdentity CMS); this would have come in handy. Other than my pet peeves, this is a great tool. Much faster than typing setspn -l (blahblah).
- allow custom services instead of the ones in the drop down. (attempted to put the service that was being investigated, query returned null) had to troubleshoot spn's on various kerebos authentication application implementations. (dynamics NAV, Dynamics CRM, sharepoint, exchange, actividentity cms) this would have come in handy. other than my pet peeve's this is a great tool. much faster than typing setspn -l (blahblah)