I hope you are aware of the concept of service accounts. A service account is an account used to run a service on one or more servers. Its password is often set to never expire so that a routine password change cannot break the service; that is a convenience for the admin and a reason to treat such accounts with extra care. To put Service Principal Names in one line: an SPN is a unique (forest-wide) identifier for a service instance, registered on the account that service runs as. If you know what a CNAME is, the idea is loosely similar: one account can carry several SPNs, one for each service instance and each name clients use to reach it.
Now the question comes, why do we need SPNs? Kerberos needs them. When a client wants to talk to a service, it asks the KDC for a ticket for that service's SPN, and the KDC encrypts the ticket with the key of the account the SPN is registered on; the service decrypts it with the same key and the client is authenticated. That is how services on different servers in a domain authenticate to each other. Let's assume we use ACCOUNT-1 on SERVER-1 to run SQL Server and the same ACCOUNT-1 on SERVER-2 to run IIS. With SPNs we have one common way to map ACCOUNT-1 to every server and service it is used for.
User and computer objects in Active Directory have a multi-valued attribute called "servicePrincipalName", which holds every SPN registered for that object.
An SPN is written serviceclass/host[:port][/servicename]. Two parts are mandatory and two are optional; the account is not part of the SPN string itself, it is the object the SPN is registered on:
- Service class: the type of service. Let's assume we are setting this up for a web service, so the service class is "HTTP".
- Hostname: the server on which the service runs, as either the short name or the FQDN (these are two different SPNs, which is why both get registered below). Let's assume the hostname is "DC-01", which is my domain controller.
- Port (optional): only needed when the service listens on a non-default port, and it must match the port clients put in the SPN they request. Since our HTTP service is on the default port 80, we leave it out.
- Service name (optional): an extra qualifier some services append after the host; not used in this example.
- Account: the service account the SPN is registered on (not part of the SPN itself). Let's assume it is "devopsage\zz_test".
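To make that format concrete, here is an added PowerShell example (not from the original post) that splits SPN strings into those fields and rejects malformed ones. The sample SPNs are constructed; besides the two HTTP forms from this post they include a SQL Server instance on a non-default port, so the optional port field is exercised too:

```powershell
# Added example, not part of the original post. Splits an SPN into its
# serviceclass/host[:port][/servicename] fields and rejects malformed ones.
function ConvertFrom-Spn {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Spn)
    process {
        # Service class and host are mandatory; port and service name are optional.
        if ($Spn -notmatch '^(?<class>[^/:]+)/(?<host>[^/:]+)(?::(?<port>\d{1,5}))?(?:/(?<name>[^/]+))?$') {
            throw "Not a well-formed SPN: '$Spn'"
        }
        $port = if ($Matches['port']) { [int]$Matches['port'] } else { $null }
        [pscustomobject]@{
            Spn          = $Spn
            ServiceClass = $Matches['class']
            Host         = $Matches['host']
            Port         = $port
            ServiceName  = $Matches['name']   # $null when the suffix is absent
            IsFqdn       = $Matches['host'].Contains('.')
        }
    }
}

# Constructed sample input: the two HTTP forms from the text, a SQL instance
# on port 1433 (hypothetical host sql-01), and one malformed entry.
$samples = 'HTTP/dc-01', 'HTTP/dc-01.devopsage.local',
           'MSSQLSvc/sql-01.devopsage.local:1433', 'HTTP/dc-01/extra/part'

$parsed = foreach ($s in $samples) {
    try   { ConvertFrom-Spn -Spn $s }
    catch { Write-Warning $_.Exception.Message }
}
$parsed | Format-Table -AutoSize
```

The short name and the FQDN come out as two distinct SPNs with the same service class, which is why the setspn commands later in this post are always run twice.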
To add, list or delete SPNs we use the built-in command line tool "SETSPN.exe" that ships with Windows. Use it as below.
To add an SPN, we generally run two commands, one with the hostname and one with the FQDN, because a client may request a ticket under either name:
setspn -S HTTP/dc-01.devopsage.local devopsage\zz_test
setspn -S HTTP/dc-01 devopsage\zz_test
Note 1: You can also add an SPN with the "-A" switch, but "-S" first checks whether the same SPN is already registered on another account and refuses to add it if so. That check matters: two accounts carrying the same SPN leave the KDC unable to tell which key to use, and Kerberos authentication to that service fails. By default the check runs at domain level; add the "-F" modifier to run it at forest level, which is the scope in which SPNs must be unique. "setspn -Q HTTP/dc-01" performs the same lookup without adding anything, and "setspn -X" lists every duplicate SPN that already exists.
Note 2: In the setspn command, switches are NOT case sensitive ("-s" does the same as "-S").
To list the SPNs for that account you can run either of these two commands; both print what you set up earlier, since setspn resolves a bare account name in the current domain:
setspn -L devopsage\zz_test
setspn -L zz_test
To delete the SPNs, again you have to run two commands, one for the hostname and one for the FQDN:
setspn -D HTTP/dc-01.devopsage.local devopsage\zz_test
setspn -D HTTP/dc-01 devopsage\zz_test

Finally, verify that the SPNs have been deleted with the list command:
setspn -L devopsage\zz_test
setspn -L zz_test
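The same add, verify and delete procedure, as an added PowerShell example that is not part of the original post. It wraps the steps above with the duplicate check that "setspn -S" performs, but done forest-wide through a Global Catalog, and its verification step also reports the password settings of the account, because any domain user can request a service ticket for an SPN and that ticket is encrypted with the account's password hash. It assumes the RSAT ActiveDirectory module, write access to the account's servicePrincipalName attribute, and the names devopsage.local, dc-01 and zz_test from this post:

```powershell
# Added example, not part of the original post. Assumes the RSAT
# ActiveDirectory module and the hypothetical names from the text.
Import-Module ActiveDirectory

# Escape the characters RFC 4515 treats specially so an SPN value can never
# change the meaning of the LDAP filter built from it.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Which object, anywhere in the forest, already carries this SPN? A Global
# Catalog (port 3268) with an empty search base covers every partition.
# Returns nothing when the SPN is unused.
function Find-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn,
          [string]$GlobalCatalog = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0])
    $filter = '(servicePrincipalName={0})' -f (ConvertTo-LdapFilterValue $Spn)
    Get-ADObject -LDAPFilter $filter -Server "$($GlobalCatalog):3268" -SearchBase '' -SearchScope Subtree
}

# Register both the short-name and FQDN forms, refusing to create a duplicate:
# a second object with the same SPN leaves the KDC unable to pick a key and
# Kerberos to that service fails for everyone.
function Register-ServiceSpn {
    param([Parameter(Mandatory)][string]$ServiceClass,   # e.g. HTTP
          [Parameter(Mandatory)][string]$HostName,       # short name, e.g. dc-01
          [Parameter(Mandatory)][string]$DnsDomain,      # e.g. devopsage.local
          [Parameter(Mandatory)][string]$Account)        # sAMAccountName, e.g. zz_test
    $target = Get-ADUser -Identity $Account
    foreach ($spn in @("$ServiceClass/$HostName", "$ServiceClass/$HostName.$DnsDomain")) {
        $owner = Find-SpnOwner -Spn $spn
        if ($owner -and $owner.DistinguishedName -ne $target.DistinguishedName) {
            throw "Refusing to add $spn - already registered on $($owner.DistinguishedName)"
        }
        if ($owner) { Write-Verbose "$spn is already on $Account, skipping"; continue }
        Set-ADUser -Identity $target -ServicePrincipalNames @{ Add = $spn }
    }
}

# Remove both forms again (the equivalent of the two "setspn -D" commands).
function Unregister-ServiceSpn {
    param([string]$ServiceClass, [string]$HostName, [string]$DnsDomain, [string]$Account)
    $spns = @("$ServiceClass/$HostName", "$ServiceClass/$HostName.$DnsDomain")
    Set-ADUser -Identity $Account -ServicePrincipalNames @{ Remove = $spns }
}

# The equivalent of "setspn -L", plus the two attributes worth reading next to
# any SPN on a user account: service tickets for its SPNs are encrypted with
# the account's password hash, so a never-expiring or old password here is an
# offline-cracking target (the attack commonly called Kerberoasting).
function Get-ServiceSpnReport {
    param([Parameter(Mandatory)][string]$Account)
    $u = Get-ADUser -Identity $Account -Properties servicePrincipalName, PasswordNeverExpires, PasswordLastSet
    [pscustomobject]@{
        Account              = $u.SamAccountName
        SPNs                 = @($u.servicePrincipalName)
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
    }
}

# Walk the procedure from the text: add, verify, delete, verify again.
Register-ServiceSpn -ServiceClass HTTP -HostName dc-01 -DnsDomain devopsage.local -Account zz_test
Get-ServiceSpnReport -Account zz_test
Unregister-ServiceSpn -ServiceClass HTTP -HostName dc-01 -DnsDomain devopsage.local -Account zz_test
Get-ServiceSpnReport -Account zz_test
```

The duplicate lookup goes to a Global Catalog on purpose: setspn -S without -F only checks the current domain, while the uniqueness requirement is forest-wide. Run the script as an account that may write servicePrincipalName on zz_test; the report after the delete step should show an empty SPNs list.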

You are done here. Hope it will help you. Cheers!