Assigning SPNs using the setspn utility

The Active Directory administrator uses the setspn.exe utility to register the DNS host names used in the Domino URLs as SPNs on an Active Directory account. To define SPNs on an account, the Active Directory administrator must belong to either the Domain Admins group or the Enterprise Admins group, or must hold the Validated write to service principal name permission.

About this task

The Active Directory administrator performs the following steps:

Note: If you used the domspnego.cmd utility, the utility generated an output command file with suggested setspn commands for your Active Directory administrator to use to define SPNs.

Procedure

  1. Verify that the IBM® Domino® server has a valid Domain Name System (DNS) configuration. For example:

     Enter the following command to verify that DNS can retrieve the IP address for the Domino service name:

     nslookup service_fully_qualified_domain_name

     Enter the following command to verify that DNS can retrieve the Domino service's fully qualified name:

     nslookup domino_server_ip_address

     Note: Your Domino server might be accessed through a DNS alias. If so, you will need to define an SPN for the alias. See the additional information at the end of this topic.
  2. Verify that setspn.exe is installed, for example in C:\Program Files\Support Tools. If it is not, install it from the Windows Support Tools package available on the Windows CDs or from the Microsoft download site.
  3. Run the following command to define each DNS host name you recorded in the previous procedure as an SPN in your chosen Active Directory account. Specify HTTP/ even for HTTPS URLs.

     setspn -a HTTP/dns_name account_name

     where

     dns_name is a DNS host name recorded in the previous procedure, and

     account_name is the account the Domino server uses when the Domino Windows service logs on. If the service uses the Local System account, the account name is the simple name of the computer on which Domino runs, for example domino1.

     Note: Assign a particular SPN to one account only. Windows single sign-on for Web clients will not function if one SPN is assigned to more than one account.
  4. Use the setspn command to verify that the SPN is defined properly:

     setspn -l account_name

Results

To delete an SPN from an account, use the setspn command with the -d switch rather than the -a switch. For example, you might do this to delete an SPN from one account before assigning it to another account. Remember that an SPN can be assigned to one account only.

Determining if your Domino server is accessed through a DNS alias

About this task

Your Domino server might be accessed through an alias. In DNS, a CNAME (Canonical Name) record may define an alias. In some scenarios, the client browser may use DNS to resolve a CNAME alias to a hostname when determining the SPN for which to request a Kerberos service ticket; in this case you need an SPN defined for the resolved host name that the alias represents.

To investigate your DNS settings for aliases used by your Domino server, run the nslookup command from a command prompt in interactive mode with debug output enabled (set d2). For example, to see DNS information that includes which host name your alias www.renovations.com resolves to, enter:

C:\>nslookup
> set d2
> www.renovations.com

If the output of nslookup identifies www.renovations.com as a CNAME alias for the hostname server3.ad.east.renovations.com, you will need an SPN for HTTP/server3.ad.east.renovations.com.
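The procedure above adds SPNs one at a time and warns that an SPN registered on more than one account breaks single sign-on, while this section shows that a CNAME alias may require an SPN for the canonical host as well. The following PowerShell function is an added example, not part of the IBM documentation: it follows any CNAME alias, searches Active Directory for every account that already carries each candidate HTTP/ SPN, and reports whether the SPN is missing, already on the intended account, or in conflict with another account. The function name, parameters and the sample names (www.renovations.com, domino1) are assumptions; it needs only a domain-joined Windows host.

```powershell
# Added example (not from the IBM documentation): pre-flight check before running
# "setspn -a". Inputs are assumptions: the DNS names recorded in the previous
# procedure and the account the Domino Windows service logs on as.
function Test-DominoSpnAssignment {
    param(
        [Parameter(Mandatory)][string[]]$DnsName,    # host names taken from the Domino URLs
        [Parameter(Mandatory)][string]$AccountName   # e.g. domino1 (computer) or a service account
    )
    foreach ($name in $DnsName) {
        # Follow a CNAME alias to its canonical host: the browser may request the
        # Kerberos ticket for the resolved name, so that name needs an SPN too.
        $targets = @($name)
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object { $_.QueryType -eq 'CNAME' }
        if ($cname) { $targets += $cname.NameHost }

        foreach ($target in $targets) {
            $spn = "HTTP/$target"                     # HTTP/ even for HTTPS URLs
            # LDAP search across the domain for every account that carries this SPN.
            $holders = @(([adsisearcher]"(servicePrincipalName=$spn)").FindAll() |
                       ForEach-Object { [string]$_.Properties['samaccountname'][0] })
            # Computer accounts are stored as NAME$; compare on the simple name.
            $wanted = $AccountName.TrimEnd('$')
            $mine   = @($holders | Where-Object { $_.TrimEnd('$') -ieq $wanted })
            $others = @($holders | Where-Object { $_.TrimEnd('$') -ine $wanted })

            # An SPN on any other account breaks SSO even if it is also on ours.
            $status = if ($others.Count) { 'CONFLICT' } elseif ($mine.Count) { 'OK' } else { 'MISSING' }
            $action = switch ($status) {
                'MISSING'  { "setspn -a $spn $AccountName" }
                'CONFLICT' { "setspn -d $spn $($others -join ',') ; then setspn -a $spn $AccountName" }
                default    { '' }
            }
            [pscustomobject]@{
                Spn     = $spn
                Status  = $status
                Holders = ($holders -join ',')
                Action  = $action
            }
        }
    }
}

# Example run with constructed names; review the Action column before changing anything.
Test-DominoSpnAssignment -DnsName 'www.renovations.com' -AccountName 'domino1' | Format-Table -AutoSize
```

Run it as a user with read access to the domain (any domain user can search servicePrincipalName); only the setspn commands it prints need Domain Admins or the Validated write to service principal name permission.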
