There are lots of articles about enabling Kerberos authentication for Exchange 2010 CAS servers, but not much about what the SPN (Service Principal Name) list looks like. It is fairly easy to determine the list of SPNs for particular servers. SPN records are similar in Exchange 2010 and Exchange 2013. Here is the procedure:
- Open a command line or PowerShell with elevated permissions
- Type the following command:
setspn -Q */*EX10* >> d:spn_records.txt
Explanation
- setspn.exe – the utility that sets SPN records or lists their status
- -Q – switches to query mode (lists existing SPN records)
- */ – wildcard for the service part of the SPN name (everything before the slash)
- /*EX10* – names of the servers, matched with wildcards
- >> d:spn_records.txt – redirects the output to a file, appending to it if it already exists
Results
Result for Exchange CAS/HUB

    CN=SRVEX10CH1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
        POP3/SRVEX10CH1.subdomain.domain.local
        POP3/SRVEX10CH1
        POP/SRVEX10CH1.subdomain.domain.local
        POP/SRVEX10CH1
        IMAP4/SRVEX10CH1.subdomain.domain.local
        IMAP4/SRVEX10CH1
        IMAP/SRVEX10CH1.subdomain.domain.local
        IMAP/SRVEX10CH1
        SMTP/SRVEX10CH1
        SMTP/SRVEX10CH1.subdomain.domain.local
        SmtpSvc/SRVEX10CH1
        SmtpSvc/SRVEX10CH1.subdomain.domain.local
        exchangeRFR/SRVEX10CH1
        exchangeRFR/SRVEX10CH1.subdomain.domain.local
        exchangeAB/SRVEX10CH1
        exchangeAB/SRVEX10CH1.subdomain.domain.local
        ExchangeMDB/SRVEX10CH1
        ExchangeMDB/SRVEX10CH1.subdomain.domain.local
        WSMAN/SRVEX10CH1
        WSMAN/SRVEX10CH1.subdomain.domain.local
        TERMSRV/SRVEX10CH1.subdomain.domain.local
        TERMSRV/SRVEX10CH1
        RestrictedKrbHost/SRVEX10CH1
        HOST/SRVEX10CH1
        RestrictedKrbHost/SRVEX10CH1.subdomain.domain.local
        HOST/SRVEX10CH1.subdomain.domain.local

Result for Exchange UM server

    CN=SRVEX10UM1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
        SmtpSvc/SRVEX10UM1.subdomain.domain.local
        SmtpSvc/SRVEX10UM1
        WSMAN/SRVEX10UM1
        WSMAN/SRVEX10UM1.subdomain.domain.local
        TERMSRV/SRVEX10UM1
        TERMSRV/SRVEX10UM1.subdomain.domain.local
        RestrictedKrbHost/SRVEX10UM1
        HOST/SRVEX10UM1
        RestrictedKrbHost/SRVEX10UM1.subdomain.domain.local
        HOST/SRVEX10UM1.subdomain.domain.local

Result for Exchange PF/Mailbox server

    CN=SRVEX10PF1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
        MSSRVrverClusterMgmtAPI/SRVEX10PF1
        MSSRVrverClusterMgmtAPI/SRVEX10PF1.subdomain.domain.local
        SMTP/SRVEX10PF1
        SMTP/SRVEX10PF1.subdomain.domain.local
        SMTPSVC/SRVEX10PF1
        SMTPSVC/SRVEX10PF1.subdomain.domain.local
        exchangeMDB/SRVEX10PF1.subdomain.domain.local
        exchangeMDB/SRVEX10PF1
        WSMAN/SRVEX10PF1
        WSMAN/SRVEX10PF1.subdomain.domain.local
        TERMSRV/SRVEX10PF1.subdomain.domain.local
        TERMSRV/SRVEX10PF1
        RestrictedKrbHost/SRVEX10PF1
        HOST/SRVEX10PF1
        RestrictedKrbHost/SRVEX10PF1.subdomain.domain.local
        HOST/SRVEX10PF1.subdomain.domain.local

Result for DAG

    CN=EX10DAG,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
        MSServerCluster/EX10DAG.subdomain.domain.local
        MSServerCluster/EX10DAG
        MSServerClusterMgmtAPI/EX10DAG.subdomain.domain.local
        MSServerClusterMgmtAPI/EX10DAG
        MSClusterVirtualServer/EX10DAG.subdomain.domain.local
        MSClusterVirtualServer/EX10DAG
        HOST/EX10DAG.subdomain.domain.local
        HOST/EX10DAG

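
Once the file has collected output from several servers or several runs, it is easier to audit as objects than as text. The following PowerShell is an added example, not part of the original post: it parses saved `setspn -Q` output, removes the repeats that the `>>` append produces, lists the service classes per account and reports any SPN held by more than one account. The function name `ConvertFrom-SetSpnOutput`, the account `CN=svc-legacy` and the sample text are assumptions made for the illustration.

```powershell
# Added example, not from the original post. $sample is constructed from the results on this
# page; CN=svc-legacy is a made-up account. Real capture: $sample = Get-Content d:spn_records.txt
$sample = @'
Checking domain DC=subdomain,DC=domain,DC=local
CN=SRVEX10UM1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
    SmtpSvc/SRVEX10UM1.subdomain.domain.local
    SmtpSvc/SRVEX10UM1
    HOST/SRVEX10UM1
CN=svc-legacy,OU=Servers,DC=subdomain,DC=domain,DC=local
    SmtpSvc/SRVEX10UM1
Existing SPN found!
Checking domain DC=subdomain,DC=domain,DC=local
CN=SRVEX10UM1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
    SmtpSvc/SRVEX10UM1
'@ -split '\r?\n'

function ConvertFrom-SetSpnOutput {
    param([string[]]$Line)
    $account = $null
    foreach ($l in $Line) {
        if ($l -match '^CN=') {                 # unindented DN opens an account block
            $account = $l.Trim()
        } elseif ($account -and $l -match '^\s+([^/\s]+)/(\S+)') {
            [pscustomobject]@{                  # one object per indented SPN line
                Account      = $account
                ServiceClass = $Matches[1]
                Spn          = '{0}/{1}' -f $Matches[1], $Matches[2]
            }
        } else {                                # header, footer or blank line closes the block
            $account = $null
        }
    }
}

# ">>" appends, so repeated runs repeat every record: de-duplicate before analysing.
$records = ConvertFrom-SetSpnOutput $sample | Sort-Object Account, Spn -Unique

# Service classes registered per account.
$records | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account        = ($_.Name -split ',')[0]
        ServiceClasses = ($_.Group.ServiceClass | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap

# The same SPN on two accounts prevents Kerberos authentication to that service.
$records | Group-Object Spn | Where-Object Count -gt 1 |
    Select-Object Name, @{ n = 'Accounts'; e = { $_.Group.Account -join '; ' } }
```

With the constructed sample, the last command reports `SmtpSvc/SRVEX10UM1` as registered on both `CN=SRVEX10UM1` and `CN=svc-legacy`.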
