
How To Create Active Directory SPNs The Easy Way With PowerShell





Using the ActiveDirectorySPN module you can quickly and efficiently build and manage AD SPNs, more easily than with the usual tools. This article shows you how to use this PowerShell module to build and manage AD SPNs the easy way.

Active Directory Service Principal Names (SPNs) are a necessary part of AD. They are a way of uniquely defining various instances of services. SPNs have always been confusing to me; I could never remember the syntax when creating one. Who could with a string that looks like this: print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com

AD SPNs contain four different attributes in this form: <service type>/<host name>:<port number>/<distinguished name>. Some attributes are required and some are not. I was tired of using legacy tools like setspn.exe to clumsily build these SPNs by trial and error. This is why I decided to build a much more structured (read: less error-prone) way of creating Active Directory SPNs. I did this through a new PowerShell module I call ActiveDirectorySPN. Let's go over how to use this PowerShell module to build and manage AD SPNs.

Using The ActiveDirectorySPN PowerShell Module

First, you’ll need to download the module and get it imported into your PowerShell session. Once you do this, you’ll have all of the various functions available to you.

The first thing I always do when looking at a new PowerShell module is to see what functions are available inside.

It looks like we’ve got support for both user and computer SPNs.

Next, I’ll run a Get function to see if I receive any errors. Let’s try Get-ADComputerSpn to see if it finds my computer SPNs in my domain.

Great! It found them! It also looks like it’s not representing SPNs like I’m used to (in that big string format). It’s breaking apart the individual components into object properties, which is much easier to understand.

Now that I know I can find computer SPNs, let’s try to create a computer SPN. I’ll refer to the help built into the New-ADComputerSpn function and see if there’s any examples of how to do this.

It looks like there's a good example associated with this function. Let's try to create a computer SPN to see if it works. In this example, I'm creating an SPN for the MEMBERSRV1 computer account. There is an LDAP service running on this computer and I'd like to define a hostname of MYHOST for it.

New-ADComputerSpn -ComputerName MEMBERSRV1 -ServiceClass ldap -HostName MYHOST

Now that I've created it, let's use Get-ADComputerSpn and specifically query the MEMBERSRV1 computer to check whether the SPN was actually created.

You can see that it did find the new SPN.

The same can also be done for any user. Simply replace the Computer part of the function names with User, then query for and create the SPNs in exactly the same fashion.
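As an added example (not part of the article or of the ActiveDirectorySPN module), the following PowerShell splits an SPN string into the four components described above, rebuilds one from those components, and registers it on a computer account only after checking that no other account already holds it. The registration part uses the Microsoft ActiveDirectory module (Get-ADObject, Set-ADComputer), not the article's module; the SPN and account names used are constructed samples.

```powershell
# Added example: parse and build SPN strings, then register one safely.
# SPN form: <service class>/<host name>[:<port>][/<service name>]

function ConvertFrom-Spn {
    param([Parameter(Mandatory)][string]$Spn)
    $pattern = '^(?<class>[^/]+)/(?<host>[^:/]+)(?::(?<port>\d+))?(?:/(?<name>.+))?$'
    if ($Spn -notmatch $pattern) { throw "Not a valid SPN string: $Spn" }
    $port = $null
    if ($Matches['port']) { $port = [int]$Matches['port'] }
    [pscustomobject]@{
        ServiceClass = $Matches['class']
        HostName     = $Matches['host']
        Port         = $port
        ServiceName  = $Matches['name']   # often a distinguished name
    }
}

function ConvertTo-Spn {
    param([Parameter(Mandatory)][string]$ServiceClass,
          [Parameter(Mandatory)][string]$HostName,
          [int]$Port, [string]$ServiceName)
    $spn = "$ServiceClass/$HostName"
    if ($Port)        { $spn += ":$Port" }
    if ($ServiceName) { $spn += "/$ServiceName" }
    $spn
}

# Registers an SPN on a computer account only if no account already holds it.
# A duplicate SPN breaks Kerberos for both services, so the lookup comes first.
function Add-ComputerSpnIfUnique {
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$ServiceClass,
          [Parameter(Mandatory)][string]$HostName,
          [int]$Port, [string]$ServiceName)
    Import-Module ActiveDirectory
    $spn = ConvertTo-Spn -ServiceClass $ServiceClass -HostName $HostName `
                         -Port $Port -ServiceName $ServiceName
    # Current-domain check; query a global catalog (port 3268) for forest-wide scope.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)"
    if ($owner) { throw "SPN '$spn' is already registered on $($owner.DistinguishedName)" }
    Set-ADComputer -Identity $ComputerName -ServicePrincipalNames @{ Add = $spn }
    $spn
}

# Constructed sample: the SPN string quoted earlier in the article, split apart.
ConvertFrom-Spn 'print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com'
# Equivalent of the article's New-ADComputerSpn call, with the uniqueness check:
# Add-ComputerSpnIfUnique -ComputerName MEMBERSRV1 -ServiceClass ldap -HostName MYHOST
```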

If you've ever created AD SPNs the old-fashioned way, you can see that with PowerShell and this module the task has become much easier. No longer do you have to create and manage SPNs as long strings; you can leverage PowerShell code to read and create SPNs in a much more structured way.

Source: http://www.tomsitpro.com/articles/powershell-create-active-directory-spns,2-7.html

