Register SPN for system user Register SPN for the system user

A client requests a Kerberos service ticket from the Active Directory Domain Controller in order to access a kerberized web application. This Kerberos service ticket is issued for a service principal name (SPN) which must match the FQDN of the domain being accessed by the browser.

The SPN always starts with HTTP/ (no matter whether the URL is http or https), followed by the fully-qualified domain name (without any port nor path information). For example, the SPN for the URL  would be  HTTP/

The SPN must be registered to the previously created System User.

To add an SPN for domain, execute the following command in the PowerShell:

setspn -s HTTP/ syskerb-airlock-a
  • For the encryption types AES 128 and AES 256 a salt is required by the OS. Windows uses the UserPrincipalName, which is set to the registered SPN by executing this command. Because of this, a separate system user is required for each SPN!
  • A SPN can be registered only for one object (user or machine account). The SPN registration may fail or the authentication attempts may result in strange behavior if the SPN is registered several times. To find the object a SPN is registered to, run the command  setspn -Q HTTP/ . A SPN can be deleted from an object by running the command  setspn -D HTTP/ username

To retrieve important information about the system user, execute the command below (example output is displayed):

PS C:\> Get-ADUser syskerb-airlock-a -property userPrincipalName,sAMAccountName,pwdLastSet,servicePrincipalName,msDS-SupportedEncryptionTypes,msDS-KeyVersionNumber

DistinguishedName             : CN=syskerb-airlock-a,CN=Users,DC=airlock,DC=com
Enabled                       : True
GivenName                     :
msDS-KeyVersionNumber         : 3
msDS-SupportedEncryptionTypes : 16
Name                          : syskerb-airlock-a
ObjectClass                   : user
ObjectGUID                    : 2a0d9e42-fbfb-4f55-b8c7-a17493f91038
pwdLastSet                    : 131807014257991663
SamAccountName                : syskerb-airlock-a
servicePrincipalName          : {HTTP/}
SID                           : S-1-5-21-146862041-1632464460-2791201798-1138
Surname                       :
UserPrincipalName             : HTTP/