SETSPN -A with Windows 2012 does a duplicate check upfront

If you have followed my posts, or caught my sessions at PASS, you may have figured out that Kerberos is one of my strength areas. I recently set up a Windows 2012 server just to see how SharePoint integration with Reporting Services would work out.

As I was doing that, I knew I would need the HTTP SPN configured for my SharePoint server. As I created the SPN, I saw something very interesting.

[screenshot: setspn -A output, including a "Checking domain" line]

The “Checking domain” piece made me assume that this was actually seeing if the SPN already existed, basically checking to make sure this wouldn’t be a duplicate. Then I decided to validate that assumption.

I have a bogus SPN sitting on my Claims Service account to allow me to set up delegation. I’m going to use that for the test. It is just “my/spn”.

[screenshot: the existing my/spn entry on the Claims Service account]

So, let’s try adding that to another account.

[screenshot: setspn -A refusing to add my/spn to the second account because it already exists]

That’s awesome!

I also found this documentation on TechNet discussing what is new with Kerberos in Windows 2012.

What's New in Kerberos Authentication (Windows 2012/Windows 8)
https://technet.microsoft.com/en-us/library/hh831747.aspx

Of note, this functionality actually existed within the Windows 2008/R2 SetSPN as the -S switch. With the Windows 2012 version, -A just behaves the same as -S now, which is good.
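The check that -S makes (and that -A now makes on Windows 2012) is worth reproducing in your own provisioning scripts, so older setspn versions or direct AD writes cannot quietly create a second owner for an SPN. The PowerShell below is an added example, not code from this post; it assumes the ActiveDirectory module (RSAT) is installed, and the account name and SPN in the usage line are placeholders.

```powershell
# Added example (not from the original post): reproduce the duplicate check that
# setspn -S performs before registering an SPN, using the ActiveDirectory module.
# Assumes RSAT's ActiveDirectory module and write rights to the target account.
Import-Module ActiveDirectory

function Find-SpnOwner {
    # Return the DN of every object in the current domain that already carries $Spn.
    # Like setspn -S without -F, this is domain-scoped, not forest-scoped.
    param([Parameter(Mandatory)][string]$Spn)
    Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName |
        Select-Object -ExpandProperty DistinguishedName
}

function Add-SpnChecked {
    # Register $Spn on $Account only if no other object in the domain owns it.
    param(
        [Parameter(Mandatory)][string]$Spn,      # e.g. 'HTTP/sharepoint.contoso.com' (placeholder)
        [Parameter(Mandatory)][string]$Account   # sAMAccountName, e.g. 'svc-sharepoint' (placeholder)
    )
    $target = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" -Properties servicePrincipalName
    if (-not $target) { throw "Account '$Account' not found in the current domain" }

    $owners = @(Find-SpnOwner -Spn $Spn)
    if ($owners -contains $target.DistinguishedName) {
        Write-Host "$Spn is already registered on $Account; nothing to do."
        return
    }
    if ($owners.Count -gt 0) {
        # A second owner leaves the KDC free to encrypt the service ticket with the
        # wrong account's key, so Kerberos fails and clients fall back to NTLM.
        throw "Duplicate SPN: $Spn is already registered on $($owners -join ', ')"
    }
    Set-ADObject -Identity $target.DistinguishedName -Add @{ servicePrincipalName = $Spn }
    Write-Host "Registered $Spn on $Account"
}

# Usage (placeholder values):
# Add-SpnChecked -Spn 'HTTP/sharepoint.contoso.com' -Account 'svc-sharepoint'
```

Run Find-SpnOwner on its own to audit who currently holds a given SPN before touching anything.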

Adam W. Saxton | Microsoft Escalation Services
https://twitter.com/awsaxton