Using the ActiveDirectorySPN module you can quickly and efficiently build and manage AD SPNs and do so more easily than using the typical tools. This article shows you how to use this PowerShell module to build and manage AD SPNs the easy way.
Active Directory Service Principal Names (SPNs) are a necessary part of AD. They uniquely identify individual instances of services. SPNs have always been confusing to me; I could never remember the syntax when creating one. Who could, with a string that looks like this: print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
AD SPNs contain four different attributes in this form: <service type>/<host name>:<port number>/<distinguished name>. Some attributes are required and some are not. I was tired of using legacy tools like setspn.exe to clumsily build these SPNs by trial and error. This is why I decided to build a much more structured (read: less error-prone) way of creating Active Directory SPNs. I did this through a new PowerShell module I call ActiveDirectorySPN. Let's go over how to use this PowerShell module to build and manage AD SPNs.
Using The ActiveDirectorySPN PowerShell Module
First, you’ll need to download the module and get it imported into your PowerShell session. Once you do this, you’ll have all of the various functions available to you.
The first thing I always do when looking at a new PowerShell module is to see what functions are available inside.
It looks like we’ve got support for both user and computer SPNs.
Next, I’ll run a Get function to see if I receive any errors. Let’s try Get-ADComputerSpn to see if it finds my computer SPNs in my domain.
Great! It found them! It also looks like it’s not representing SPNs like I’m used to (in that big string format). It’s breaking apart the individual components into object properties, which is much easier to understand.
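The following is an added example, not code from the ActiveDirectorySPN module, showing the kind of parsing that turns the four-part string described in the introduction into the object properties shown above. The function names, the regular expression and the sample SPNs (the first is the article's own example) are assumptions for illustration; the code uses no AD cmdlets, so it runs offline.

```powershell
# Added example (not part of the ActiveDirectorySPN module): break an SPN string
# into <service class>/<host>[:<port>][/<service name>] and rebuild it again.
function ConvertFrom-Spn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Spn
    )
    process {
        # Only the class and host are required; port and service name are optional.
        $pattern = '^(?<Class>[^/]+)/(?<Host>[^:/]+)(?::(?<Port>\d+))?(?:/(?<Name>.+))?$'
        if (-not ($Spn -match $pattern)) {
            throw "'$Spn' is not a well-formed SPN"
        }
        # $Matches lacks the Port/Name keys when those optional groups did not match.
        $port = if ($Matches.Port) { [int]$Matches.Port } else { $null }
        [pscustomobject]@{
            Spn          = $Spn
            ServiceClass = $Matches.Class
            HostName     = $Matches.Host
            Port         = $port
            ServiceName  = $Matches.Name
        }
    }
}

function ConvertTo-Spn {
    param(
        [Parameter(Mandatory)][string]$ServiceClass,
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port,
        [string]$ServiceName
    )
    $spn = "$ServiceClass/$HostName"
    if ($Port)        { $spn += ":$Port" }
    if ($ServiceName) { $spn += "/$ServiceName" }
    return $spn
}

# Constructed sample input: the article's example plus two shorter forms.
$samples = @(
    'print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com',
    'ldap/MYHOST',
    'MSSQLSvc/sql01.ntdom.reskit.com:1433'
)
$parsed = $samples | ConvertFrom-Spn
$parsed | Format-Table ServiceClass, HostName, Port, ServiceName

# Round trip: rebuilding each object must give back the original string.
foreach ($p in $parsed) {
    $rebuilt = ConvertTo-Spn -ServiceClass $p.ServiceClass -HostName $p.HostName -Port $p.Port -ServiceName $p.ServiceName
    if ($rebuilt -ne $p.Spn) { Write-Warning "Round trip mismatch: $($p.Spn) -> $rebuilt" }
}
```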
Now that I know I can find computer SPNs, let's try to create a computer SPN. I'll refer to the help built into the New-ADComputerSpn function and see if there are any examples of how to do this.
It looks like there's a good example associated with this function. Let's try to create a computer SPN to see if it works. In this example, I'm creating an SPN for the MEMBERSRV1 computer account. There is an LDAP service running on this computer and I'd like to assign it a host name of MYHOST.
New-ADComputerSpn -ComputerName MEMBERSRV1 -ServiceClass ldap -HostName MYHOST
Now that I’ve created it, let’s use Get-ADComputerSPN and specifically query the MEMBERSRV1computer to check to see if the SPN was actually created.
You can see that it did find the new SPN.
The same can also be done for any user. Simply replace the Computer reference in the function names with User, and query for and create the SPNs in exactly the same fashion.
If you've ever created AD SPNs the old-fashioned way, you can see that by using PowerShell and this module the task has become much easier. No longer do you have to create and manage SPNs as long strings; you can leverage the intelligence of PowerShell code to read and create SPNs in a much more structured way.