3 Simple Steps for Configuring an SPN for your Website

The following Microsoft Knowledge Base article is an excellent reference when trying to figure out how to set SPNs for your IIS site.

https://support.microsoft.com/kb/929650

I wanted to focus on the SPN helper script in the article, and how it can be used in a very simple way when setting your own SPNs, to avoid the common pitfalls we see in support day in and day out. So, copy the script out of that article into a file named spnhelper.vbs and follow the logic in this post when creating your own SPNs.

Script Commands

I am posting these here as it is not easy to copy/paste them from the dialog they are presented in.

cscript spnHelper.vbs /f:spn /spn:HTTP/www.test.com /user:mydomain\apppool1
cscript spnHelper.vbs /f:spn /spn:HTTP/www.test.com /computer:iis6server1
cscript spnHelper.vbs /f:user /user:mydomain\apppool1
cscript spnHelper.vbs /f:computer /computer:iis6server1
cscript spnHelper.vbs /f:duplicatespn /spn:HTTP/www.test.com
cscript spnHelper.vbs /f:requiredspn

My Setup

This is the criteria for my test environment.

  • Domain:  domain.com
  • Application Pool Identity: domain\apppooluser
  • Host Header:  spntest.domain.com

NOTE: In an NLB or cluster setup the application pool is typically run as a domain user. This is required so that the SPN can be the same on all of the machines that are part of the NLB or cluster environment.

The 3 Simple Steps

Step 1:  Determine the correct SPN

We can use the /f:requiredspn option in the script file to determine the SPN to set for our web site.  Based on the setup of my web site and environment mentioned above I get the following prompts:

  • Is IIS running in a Cluster or NLB   - No
  • Is IIS application pool running under domain account – Yes
  • Enter the hostname or host header or FQDN that you use to access the application – spntest.domain.com
  • Enter the Domain Account that the application pool is running under – domain\apppooluser

When I run the command I get the following output:

C:\Secret\Path>cscript.exe spnhelper.vbs /f:requiredspn

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

You need to set SPN HTTP/spntest.domain.com for domain account domain\apppooluser

Step 2:  Check for Duplicate SPNs

The first thing you might be tempted to do is immediately set the required SPN. But before doing so we should check for duplicates as follows. Below is the output when duplicates are detected, followed by the output when no matching SPN is found.

C:\Secret\Path>cscript.exe spnhelper.vbs /f:duplicatespn /spn:http/spntest.domain.com

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Class: Computer
CN=NINJA,CN=Computers,DC=domain,DC=com
User Name: NINJA$

Class: Person
CN=Application Pool,CN=Users,DC=domain,DC=com
User Name: apppooluser

Duplicate SPNs found
http/spntest.domain.com for Computer:NINJA$
http/spntest.domain.com for Person:apppooluser

Found 2 accounts

In the above case, I need to remove the Computer SPN, as my application pool is running as a domain user.   Here is the output when a duplicate SPN is not found:

C:\Secret\Path>cscript.exe spnhelper.vbs /f:duplicatespn /spn:http/spntest.domain.com

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

No duplicatespn found with the given criteria.

Step 3:  Setting the SPN

Once the duplicate check comes back clean, we can set the SPN:

C:\Secret\Path>setspn.exe -a http/spntest.domain.com domain\apppooluser

Registering ServicePrincipalNames for CN=Application Pool,CN=Users,DC=domain,DC=com

        http/spntest.domain.com
Updated object
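The same check-then-register sequence from Steps 2 and 3, written as a single PowerShell script. This is an added example, not the spnhelper.vbs script from the KB article and not part of the original post; it assumes the host header and application pool account from the setup above, and it queries Active Directory directly with an LDAP search instead of calling the VBScript. The duplicate check matters because if both the computer account (NINJA$) and the domain user hold the same HTTP SPN, the KDC cannot tell which account's key to use for the service ticket, and Kerberos authentication to the site fails.

```powershell
# Added example (not from the KB article or spnhelper.vbs): look for any account that
# already carries the HTTP SPN, and register it on the application pool account only
# when none is found. Host header and account come from the post's test setup.
param(
    [string]$HostHeader = 'spntest.domain.com',   # host header used to reach the site
    [string]$Account    = 'domain\apppooluser'    # application pool identity (domain user)
)

$spn = "HTTP/$HostHeader"

# Search the whole domain for objects whose servicePrincipalName contains this SPN.
# The attribute match is case-insensitive, so http/... entries are found as well.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'objectClass'))
$results = $searcher.FindAll()

if ($results.Count -gt 0) {
    Write-Host "Duplicate check failed: $spn is already registered on $($results.Count) account(s):"
    foreach ($r in $results) {
        # objectClass lists the class chain (top, person, ..., user/computer); the last entry is the most specific.
        $class = $r.Properties['objectclass'] | Select-Object -Last 1
        Write-Host ("  {0}: {1} ({2})" -f $class, $r.Properties['samaccountname'][0], $r.Properties['distinguishedname'][0])
    }
    Write-Host "Remove the stale entry with 'setspn -D' before registering the SPN on $Account."
    exit 1
}

# No duplicates found: register the SPN. 'setspn -S' (instead of -A) makes setspn repeat
# the duplicate check itself, so the registration still fails safely if another
# administrator added the same SPN between our query and this call.
setspn -S $spn $Account
exit $LASTEXITCODE
```

Run it from an elevated prompt as an account that can write servicePrincipalName on the application pool user. In the duplicate scenario shown in Step 2 the script would list both NINJA$ and apppooluser and stop, which is exactly the point at which the computer account's SPN should be removed before continuing.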

Conclusion

The main point we want to illustrate here is to check for duplicate SPNs before registering them. This will save a lot of grief when troubleshooting problems with SPNs and Kerberos authentication.
