SETSPN is a command to use from an elevated Command Prompt or Powershell window:
• The SETSPN command will accept any string in the data part of the command, so triple check what you have typed
• Kerberos does not tolerate duplicate SPNs, even though they can mistakenly exist:
• From a Domain Controller check for duplicates using “SETSPN -X”
• If there are duplicate SPNs, delete all of them before creating a single correct SPN in their place
• SPNs are permanent until deleted
• New SPNs can take quite some time, to propagate throughout your network
• If local firewalls are used, ports will need to be opened for the services they provide
Examples:
• Web Server web sites
• Setspn -s https/conquestapi.conquest-solutions.com.au ServerName$
• Setspn -s https/conquestprod.conquest-solutions.com.au ServerName$
• SQL Server Reporting Services
• Setspn -s http/report2.conquest-solutions.com.au ServerName$
• File System
• Setspn -s cifs/krejza.conquestsolutions.local ServerName$