Validating Service Principal Name Entries Using PowerShell

In this blog post, I'll be going over how to use a function I wrote earlier this year to help you validate the Service Principal Names in your environment. A Kerberos client builds the SPN it requests a ticket for from the host name it connected to; if that exact SPN is not registered on the account running the service, Kerberos authentication fails and the client either falls back to NTLM or fails outright. That is why every name a service answers to (CNAMEs, cluster names, Availability Group listeners, IIS host headers) needs a matching SPN, and why it is worth checking them systematically.

The function in question is Validate-ComputerSPN which is located in libActiveDirectory.psm1 in the GEM Automation CodePlex project.

Here’s a brief overview of the capabilities of the function at this point in time:

  • Enumerates services that are using an Active Directory account
  • If the account is used for a SQL Server instance:
    • Checks if there are alternative names (CNAME) for the instance based on DNS records
    • Checks if there are alternative names coming from failover clustering or Availability Groups (cluster network names and AG listener names)
    • For each of those alternative names, validates that the required SPN is present in Active Directory
  • If IIS is installed on the computer:
    • Enumerate all sites, applications and application pools
      • The function will capture host headers and ports used by the sites
    • For each combination of application/host header/port, validates that the required SPN is present in Active Directory
  • In all of the cases above, the following information is captured and can be exported in a CSV as shown in the example below.
    • Name of the computer
    • Name of the service (MSSQLSERVER or the name of the IIS web site)
    • The Active Directory service account
    • The DNS entry used by the service
    • The SPN entry that was found
    • The SPN entry that was expected

Here’s an example of how you would call this function:

# Computers to validate (two distinct hosts in this example)
$computers = @("SERVER01", "SERVER02")

# -dnsServerName: the DNS server queried for CNAME records pointing at the computer
# -domainName: the AD domain to query (left empty in this example)
# -serviceAccountSearchBase: the OU containing the service accounts to match against
$computers | Validate-ComputerSPN -dnsServerName "DNS01" -domainName "" -serviceAccountSearchBase "OU=Service Accounts,OU=Generic Accounts,dc=contoso,dc=com" | Export-Csv -NoTypeInformation -Delimiter "^" -Path ComputerSPNValidationReport.csv -Force

The generated CSV will have the following information:

  • Computer Name
  • Service Name
  • Service Account Name
  • DNS Entry
  • SPN Found
  • SPN Expected
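The two steps the function performs for every name, building the SPN a client will request and then looking that SPN up in Active Directory, can be shown in a few lines. The following is an added example written for this post, not the Validate-ComputerSPN code from the GEM Automation project. The host names, ports and zone below are constructed sample data; Get-DnsAlias assumes the DnsServer RSAT module and a reachable DNS server, and Test-SpnRegistered queries the current domain through [adsisearcher], so the lookups only return real results on a domain-joined machine.

```powershell
# Added example; not the GEM Automation Validate-ComputerSPN code.
# Assumptions: sample names below are constructed; Get-DnsAlias needs the
# DnsServer module; Test-SpnRegistered queries the current domain via ADSI.

function Get-DnsAlias {
    # Every CNAME in a zone that points at $HostFqdn, returned as short name and FQDN
    # (the post's "alternative names based on DNS records").
    param(
        [Parameter(Mandatory)][string]$DnsServerName,
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][string]$HostFqdn
    )
    Get-DnsServerResourceRecord -ComputerName $DnsServerName -ZoneName $ZoneName -RRType CName |
        Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -ieq $HostFqdn } |
        ForEach-Object { $_.HostName; "$($_.HostName).$ZoneName" }
}

function Get-ExpectedSpn {
    # Build the SPNs a client will request for each name the service is reachable by.
    param(
        [Parameter(Mandatory)][ValidateSet('MSSQLSvc', 'HTTP')][string]$ServiceClass,
        [Parameter(Mandatory)][string[]]$HostNames,   # short name, FQDN, CNAMEs, listeners
        [int]$Port,
        [string]$InstanceName                         # SQL named instance, if any
    )
    foreach ($h in $HostNames) {
        switch ($ServiceClass) {
            'MSSQLSvc' {
                # Default instance: MSSQLSvc/host:port. A named instance is also
                # requested as MSSQLSvc/host:INSTANCENAME by clients that resolve it
                # through the SQL Browser service.
                if ($Port)         { "MSSQLSvc/${h}:${Port}" }
                if ($InstanceName) { "MSSQLSvc/${h}:${InstanceName}" }
            }
            'HTTP' {
                # Browsers normally request HTTP/host with no port; some clients append
                # a non-default port, so both forms are checked in that case.
                "HTTP/$h"
                if ($Port -and $Port -notin 80, 443) { "HTTP/${h}:${Port}" }
            }
        }
    }
}

function Test-SpnRegistered {
    # Look up one SPN in AD. More than one holder is as bad as none: the KDC cannot
    # choose a key, so Kerberos breaks for every account holding the duplicate.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Spn)
    process {
        # Escape LDAP filter metacharacters (backslash first) before interpolating.
        $escaped  = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
        [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
        $hits  = @($searcher.FindAll())
        $found = if ($hits.Count -gt 0) { $Spn } else { '' }
        [pscustomobject]@{
            SpnExpected = $Spn
            SpnFound    = $found
            Accounts    = ($hits | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ';'
            Duplicate   = $hits.Count -gt 1
        }
    }
}

# Constructed sample input: a default SQL instance reachable through a CNAME and an
# AG listener, plus an IIS site with a host header on port 8443. On a live system the
# CNAME list would come from Get-DnsAlias instead of being typed in.
$sqlSpns = Get-ExpectedSpn -ServiceClass MSSQLSvc -Port 1433 -HostNames @(
    'SERVER01', 'SERVER01.contoso.com',
    'production-databases', 'production-databases.contoso.com',
    'sql-ag-listener.contoso.com'
)
$webSpns = Get-ExpectedSpn -ServiceClass HTTP -Port 8443 -HostNames 'intranet', 'intranet.contoso.com'

$report = @($sqlSpns) + @($webSpns) | Test-SpnRegistered
$report | Format-Table -AutoSize
# Rows with an empty SpnFound, or Duplicate = True, are the ones to act on.
```

The Accounts column is worth keeping in a report of this kind: an SPN that exists but sits on the wrong account (for example on the computer object after a service was switched to a domain account) passes a simple "is it registered" test yet still fails at logon time.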

For instance, an Excel PivotTable over the report with Expected SPN grouped under Service Account Name lists every SPN each account is expected to hold:

      • CONTOSO\dbs_001_svc
        • MSSQLSvc/SERVERNAME:1433
        • MSSQLSvc/production-databases:1433
        • MSSQLSvc/

I've also used a formula in the Excel spreadsheet to generate the required setspn command to run in case a missing SPN was found. This is accomplished by simply concatenating the various fields with the proper setspn.exe switches. For instance:

  • =CONCATENATE("setspn -A ",F2," ",C2)
  • Where F2 is the Expected SPN and C2 the Service Account Name

Note that setspn -S does the same as -A but first searches the forest for an existing holder of the SPN and refuses to create a duplicate; since a duplicate SPN breaks Kerberos for every account that holds it, -S is the safer switch to generate.
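The same command generation can be done directly from the exported CSV without going through Excel. This is an added example, not part of the original post or of the GEM Automation module; the header names (ComputerName, ServiceName, ServiceAccountName, DnsEntry, SpnFound, SpnExpected) are assumed and should be adjusted to whatever the report's first row actually contains, and the report rows below are constructed sample data.

```powershell
# Added example; not from the original post or the GEM Automation module.
# Assumption: the report headers are named as in the sample below; adjust them
# to match the real ComputerSPNValidationReport.csv header row.

# Constructed sample report in the '^'-delimited layout the post exports.
$sampleCsv = @'
ComputerName^ServiceName^ServiceAccountName^DnsEntry^SpnFound^SpnExpected
SERVER01^MSSQLSERVER^CONTOSO\dbs_001_svc^SERVER01^MSSQLSvc/SERVER01:1433^MSSQLSvc/SERVER01:1433
SERVER01^MSSQLSERVER^CONTOSO\dbs_001_svc^production-databases^^MSSQLSvc/production-databases:1433
SERVER01^MSSQLSERVER^CONTOSO\dbs_001_svc^production-databases.contoso.com^^MSSQLSvc/production-databases.contoso.com:1433
SERVER01^Default Web Site^CONTOSO\web_001_svc^intranet.contoso.com^^HTTP/intranet.contoso.com
SERVER02^MSSQLSERVER^CONTOSO\dbs_001_svc^production-databases^^MSSQLSvc/production-databases:1433
'@

function ConvertTo-SetSpnCommand {
    # Emit one setspn command per report row whose expected SPN was not found.
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Row)
    process {
        if ([string]::IsNullOrWhiteSpace($Row.SpnFound) -and -not [string]::IsNullOrWhiteSpace($Row.SpnExpected)) {
            # -S rather than -A: setspn first checks the forest for an existing holder
            # and refuses to add a duplicate, which would break Kerberos for both accounts.
            'setspn -S {0} {1}' -f $Row.SpnExpected, $Row.ServiceAccountName
        }
    }
}

# Sort-Object -Unique collapses the same missing SPN reported from several computers
# (a clustered name shows up once per node) into a single command.
$commands = $sampleCsv | ConvertFrom-Csv -Delimiter '^' | ConvertTo-SetSpnCommand | Sort-Object -Unique
$commands

# For a real report, replace the sample with:
#   Import-Csv -Delimiter '^' -Path ComputerSPNValidationReport.csv | ConvertTo-SetSpnCommand | Sort-Object -Unique
```

Review the generated commands before running them: the account that should hold an SPN is the one the service actually runs as, so a row where the reported service account looks wrong (a local account, or a different account than the one on the other cluster nodes) points at a configuration problem to fix first rather than an SPN to add.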

Should you have any questions or comments about this, feel free to let me know!
