To date, I’ve written a series of blog posts describing how to use the “Input” section of the “Kerberos SPN Generation / Setup Tool”. This post continues that series, which describes how to use the Kerberos SPN Generation Setup Tool Beta for Kerberos Constrained Delegation with Integrated Windows Authentication for Microsoft BI tools. The next short series of posts will discuss the “Generate SPNs” process. You can download the Kerberos SPN Generation Setup Tool Beta at FUTURESULTS, LLC.
Main Menu / Navigation – SPN Generation Section
You made it through all of the details on how to enter data into each of the input tabs. This section’s example uses only the “PAS Tab” example given previously. In other words, pretend that we have entered information only into the “Common Tab” and the “PAS Tab”. While this example is for a ProClarity setup, the process works the same for any input tabs that are complete.
For review purposes, the “PAS Tab” entries look like this:
Now that we have completed the input section, go back to the “Main Menu / Navigation” tab and select the “Generate SPNs” link. You must be connected to the domain prior to selecting the “Generate SPNs” link. If there are any errors when you select “Generate SPNs”, you will be notified by pop-up messages, by messages in the “Messages” section, or by non-green “traffic light” symbols next to the appropriate input sections. You must clear all errors prior to generating SPNs.
When the “Generate SPNs” traffic light is green, you have successfully generated SPNs. The tool interrogates your domain (that is why you must be connected to your domain) and creates the proper SPNs. It is that easy!
The next step is to review the SPN output via the “SPNOutput” tab. Notice in this case that there are SPNs Suggested to Add (column E). Your implementation may have more or fewer SPNs to add, depending on the information that is already in your domain. In this case, the SPNs associated with “sql_analysis” already resided in the domain, so there was no need to add SPNs for that domain account.
“SPNOutput” Tab Example.
If we look at the “Delegation” tab, notice that the delegation needed does not exist (cell D8). More on Delegation in the future.
Delegation Tab Example.
Export SPNs to Add
Since there were SPNs to add listed in the “SPNOutput” tab, we need to Export SPNs. Go back to the “Main Menu / Navigation” tab and select the “Export SPNs to Add” link. This link creates a file with the commands needed to add the appropriate SPNs. You must be a Domain Administrator to run the batch file on the Domain Controller.
The file was purposely created with a .txt extension. Often this file must be emailed to another person who has Domain Administrator rights on the domain controller, and email systems normally block files with .bat extensions (that is why the file is saved as a .txt). Once you copy the file to the domain controller, change its extension to .bat. In this example, we would rename the file to “SPNs2ADDInput.bat”.
Export SPNs to Add Example (-L means List, -A means Add).
When the file is on the domain controller you can run it and redirect the output to a file if you like. For example, you would run this file and redirect its output as follows:
SPNs2AddInput.bat > SPNs2AddOutput.txt
The output file contains listings of what the service accounts looked like before the new SPNs were added as well as after they were added. In addition, ensure that each SPN was successfully added by searching the output file for “Updated object” after each add SPN command. If there was any kind of error, or you mistakenly typed in the wrong service account, etc., use the “Export SPNs to Remove (Undo)” commands in the next section.
Example SPNs to Add Batch File Results.
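The “Updated object” check above can be automated. The following PowerShell is an added example, not part of the SPN tool: it pairs every setspn -A line in the Add batch file with the echoed command in the redirected output and reports any add that did not print “Updated object”. It assumes cmd echoed each command (its default when the batch file has no @echo off); the account, SPN and output text are constructed for the example.

```powershell
# Added example (not the SPN tool's code): verify each "setspn -A" in the Add file
# produced setspn's "Updated object" marker in the redirected output.
# Assumes cmd echoed each command, so the echoed line precedes setspn's output for it.
function Test-SpnAddResults {
    param([string[]]$BatchLines, [string[]]$OutputLines)

    $adds = foreach ($l in $BatchLines) {
        if ($l -match '^\s*setspn\s+-A\s+(\S+)\s+(\S+)') {
            [pscustomobject]@{ Spn = $Matches[1]; Account = $Matches[2] }
        }
    }
    foreach ($add in $adds) {
        $cmd = "setspn -A $($add.Spn) $($add.Account)"
        $seen = $false; $ok = $false
        foreach ($line in $OutputLines) {
            if (-not $seen) {
                if ($line.IndexOf($cmd, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $seen = $true }
                continue
            }
            if ($line -match '\bsetspn\s+-') { break }          # next echoed command: stop searching
            if ($line -match 'Updated object') { $ok = $true; break }
        }
        [pscustomobject]@{ Spn = $add.Spn; Account = $add.Account; Echoed = $seen; Updated = $ok }
    }
}

# Constructed sample input: two adds, the second of which fails (error text is illustrative).
$batch = @'
setspn -L contoso\svc_pas
setspn -A HTTP/proclarity.contoso.com contoso\svc_pas
setspn -A HTTP/proclarity contoso\svc_pas
setspn -L contoso\svc_pas
'@ -split "`r?`n"

$output = @'
C:\Temp>setspn -A HTTP/proclarity.contoso.com contoso\svc_pas
Registering ServicePrincipalNames for CN=svc_pas,CN=Users,DC=contoso,DC=com
        HTTP/proclarity.contoso.com
Updated object

C:\Temp>setspn -A HTTP/proclarity contoso\svc_pas
Failed to assign SPN on account 'CN=svc_pas,CN=Users,DC=contoso,DC=com'
C:\Temp>setspn -L contoso\svc_pas
'@ -split "`r?`n"

$results = Test-SpnAddResults -BatchLines $batch -OutputLines $output
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Updated })
if ($failed.Count) { Write-Warning "$($failed.Count) SPN add(s) did not report 'Updated object'." }
```

Against real files, replace the two here-strings with `Get-Content SPNs2AddInput.bat` and `Get-Content SPNs2AddOutput.txt`.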
Export SPNs to Remove (Undo)
This section should be self-explanatory. It works exactly like the “Export SPNs to Add” section above, except that it removes SPNs instead of adding them. The process is similar and should always be done in conjunction with the “Export SPNs to Add” process. In other words, you should always select this link immediately after saving the file from the “Export SPNs to Add” link. In this way, you can be sure that the Remove file contains the same information as the Add file. If anything goes wrong with the “Export SPNs to Add” process, you can remove whatever was done by the “Add” batch file.
Use this process to clean up mistakes (if an error exists). The general steps are:
- Go to the Main Menu / Navigation Tab
- Select the “Export SPNs to Remove (Undo)” link (immediately after selecting the “Export SPNs to Add” link)
- Copy the file to the Domain Controller
- Rename the file to “SPNs2RemoveInput.bat”
- Run the command (ONLY IF NEEDED): SPNs2RemoveInput.bat > SPNs2RemoveOutput.txt
DO NOT RUN THIS FILE AFTER SUBSEQUENT CHANGES TO YOUR DOMAIN CONTROLLER HAVE BEEN MADE. In other words, this command will correctly remove the SPNs that were added only if no subsequent changes have been made. If you made additional SPN changes, it could remove an SPN that is now used for another purpose. The “Remove” process is no longer relevant once other SPN changes are made to the domain. If you have any question about other changes, do not use this batch file and seek help from a knowledgeable source to remove SPNs manually.
Export SPNs to Remove (Undo) Example (-L means List, -D means Delete).
Example SPNs to Remove (Undo) Batch File Results.
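Because the Undo file is only safe when it is the exact inverse of the Add file (see the warning above), it is worth checking that before running it. This PowerShell is an added example, not part of the SPN tool: it extracts the SPN/account pairs from the setspn -A lines of the Add file and the setspn -D lines of the Remove file and reports any mismatch. The file contents are constructed for the example.

```powershell
# Added example (not the SPN tool's code): confirm the Remove (Undo) file deletes exactly
# the SPN/account pairs the Add file registered, and nothing else.
function Get-SpnChanges {
    param([string[]]$Lines, [ValidateSet('A', 'D')][string]$Switch)
    foreach ($l in $Lines) {
        # Key each change as "spn|account" (lower-cased) so the two files compare as sets.
        if ($l -match "^\s*setspn\s+-$Switch\s+(\S+)\s+(\S+)") { "$($Matches[1])|$($Matches[2])".ToLower() }
    }
}

function Compare-SpnUndoFile {
    param([string[]]$AddLines, [string[]]$RemoveLines)
    $adds    = @(Get-SpnChanges -Lines $AddLines    -Switch 'A')
    $removes = @(Get-SpnChanges -Lines $RemoveLines -Switch 'D')
    $missing = @($adds    | Where-Object { $_ -notin $removes })   # added, but the Undo file would leave it
    $extra   = @($removes | Where-Object { $_ -notin $adds })      # Undo would delete an SPN Add never registered
    [pscustomobject]@{
        MissingFromUndo = $missing
        ExtraInUndo     = $extra
        SafeToRun       = ($missing.Count -eq 0) -and ($extra.Count -eq 0)
    }
}

# Constructed sample: the Remove file was regenerated later and no longer matches the Add file.
$addFile = @'
setspn -L contoso\svc_pas
setspn -A HTTP/proclarity.contoso.com contoso\svc_pas
setspn -A HTTP/proclarity contoso\svc_pas
setspn -L contoso\svc_pas
'@ -split "`r?`n"

$removeFile = @'
setspn -L contoso\svc_pas
setspn -D HTTP/proclarity.contoso.com contoso\svc_pas
setspn -D HTTP/reports.contoso.com contoso\svc_pas
setspn -L contoso\svc_pas
'@ -split "`r?`n"

$check = Compare-SpnUndoFile -AddLines $addFile -RemoveLines $removeFile
$check | Format-List
if (-not $check.SafeToRun) { Write-Warning 'Undo file does not mirror the Add file; do not run it.' }
```

With the real files, pass `Get-Content SPNs2ADDInput.bat` and `Get-Content SPNs2RemoveInput.bat` instead of the here-strings; only a result with SafeToRun equal to True means the Undo file undoes the Add file and nothing more.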
Review SPN Information
Now that we have completed adding SPNs to your domain, go back to the “Main Menu / Navigation” tab and again select the “Generate SPNs” link. The tool interrogates your domain and creates additional SPN suggestions if needed. In this case, it should find that you have added the appropriate SPNs and that nothing additional needs to be created. You can validate this by reviewing the “SPNs to Add” section (column E) via the “SPNOutput” tab.
You can review the SPNs in your domain for each account that is entered into the spreadsheet (columns A & B). Just as an FYI, some of the SPNs were generated automatically (in this case HOST and TERMSRV). Other SPNs were entered manually via the SPN tool.
SPNOutput Tab – Review output information. Notice there are no SPNs to Add.
Other SPN Generation Tips and Tricks
Domain Controller Replication
Many domains use replication between domain controllers. This replication may take several minutes to occur. If you add a new SPN, you may need to wait several minutes before rerunning the spreadsheet process for the SPN review step.
The point of this tool is to help you generate SPNs correctly based on parameters that can be gathered by administrators. The process outlined in these blog posts allows you to have good documentation, reduce issues (like duplicate SPNs), and have a tool to check and troubleshoot your configuration later in case additional changes were made to your domain (other product setups).
Export SPNs to Remove (Undo)
Do not try to generate the “Undo” file at a later date if any domain changes were made. In other words, do not use the tool to add SPNs and then later select the “Generate SPNs” link in the tool and then try to create the “Undo” file. The only way that the “Undo” file works is if it is generated at the same time as the “Add” file and no subsequent changes are made to SPNs in the domain.
What additional features would you like to see in a Kerberos SPN setup tool? Leave your suggestions below.