Query/Change SPNs on Windows Domain without SetSPN

Question

Hi All,

Has anyone had any luck with querying/changing SPNs on a Windows domain? Most of the hits on Google are SQL related: I can't find any information on how to do this myself. The most important things would be to query to SPN configuration and check for duplicates.

According to Arnout I made the following code:

    static void Main(string[] args)
    {
        ValidateSPN("K2Server/jonathand-vpc:5252");
    }

    static void ValidateSPN(string spn)
    {
        const string queryFormat = "(ServicePrincipalName={0})";

        using (Domain localDomain =
            Domain.GetCurrentDomain())
        {
            using (DirectorySearcher search = new DirectorySearcher(
                localDomain.GetDirectoryEntry()))
            {

                search.Filter = string.Format(queryFormat, spn);
                search.SearchScope = SearchScope.Subtree;

                SearchResultCollection collection = search.FindAll();

                if (collection.Count > 1)
                    throw new Exception("Duplicate SPNs found.");
                else if (collection.Count == 0)
                    throw new Exception("No such SPN");
            }
        }
    }

Answer 1

It looks like this information is stored in the servicePrincipalName AD attribute. See this page for more info, in particular the "Search using LDIFDE" section.

Answer 2

You can use Search.VBS in the support tools to search for duplicate SPNs:

"C:\Program Files\Support Tools\search.vbs" "LDAP://DC=Your,dc=Domain,dc=Here" /C:"(serviceprincipalname=K2Server/jonathand-vpc:5252)" /S:Subtree /P:DistinguishedName