SETSPN -A with Windows 2012 does a duplicate check upfront

If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas. I recently set up a Windows 2012 server just to see how SharePoint Integration with Reporting Services would work out.

As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server.  As I created the SPN, I saw something very interesting.


The “Checking domain” piece made me assume that this was actually checking whether the SPN already existed, basically making sure this wouldn’t be a duplicate. Then I decided to validate that assumption.

I have a bogus SPN sitting on my Claims Service account to allow me to set up delegation. I’m going to use that for the test. It is just “my/spn”.


So, let’s try adding that to another account.


That’s awesome!

I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.

What's New in Kerberos Authentication (Windows 2012/Windows 8)

Of note, this functionality already existed within the Windows 2008/R2 SetSPN as the -S switch. With the Windows 2012 version, -A now behaves the same as -S, which is good.
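For systems where the SetSPN version in use does not check on -A, one way to run a comparable duplicate check yourself before registering an SPN is sketched below. This is an added example, not code from the original post or from SetSPN itself; the helper names `Find-SpnHolder` and `Add-SpnIfUnique` and the account name in the usage comment are assumptions.

```powershell
# Added example. Find-SpnHolder and Add-SpnIfUnique are hypothetical helper names.

function Find-SpnHolder {
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) so the SPN is matched literally.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'

    # The default search root is the current domain of the logged-on user.
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        # Emit the distinguished name of every account that already holds the SPN.
        foreach ($r in $results) { $r.Properties['distinguishedname'][0] }
    }
    finally {
        $results.Dispose()   # SearchResultCollection holds unmanaged resources
    }
}

function Add-SpnIfUnique {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )

    # Refuse to register if any account in the domain already holds this SPN.
    $holders = @(Find-SpnHolder -Spn $Spn)
    if ($holders.Count -gt 0) {
        Write-Warning "SPN '$Spn' is already registered on: $($holders -join '; ')"
        return $false
    }

    # -S is the duplicate-checking add described above.
    & setspn.exe -S $Spn $Account | Out-Host
    return ($LASTEXITCODE -eq 0)
}

# Usage with the test SPN from the post; the account name is a constructed placeholder.
# Add-SpnIfUnique -Spn 'my/spn' -Account 'CONTOSO\svc-placeholder'
```

The search covers only the current domain, so an SPN registered in another domain of the forest is not seen by this check.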

Adam W. Saxton | Microsoft Escalation Services
