
I have a Windows 2008 R2 domain controller with more than 60 user accounts. Each time one of these users tries to connect to the DC, authentication "falls back" to NTLM. Kerberos authentication fails because the users' SPNs are missing.

I would like to set this attribute for all the user accounts. Do I have to manually set the SPN attribute for each user? Or is there a better solution?

HopelessN00b
Stef
  • Can you use PowerShell? Do you have the Microsoft [Active Directory PowerShell module](http://technet.microsoft.com/en-us/library/ee617195.aspx) available? – jscott Oct 12 '14 at 10:51
  • @Stef: Normal user accounts rarely need an SPN. Service Principal Names are typically assigned to service accounts for authentication with applications such as IIS, so that impersonation and delegation can work correctly. – Greg Askew Oct 12 '14 at 14:50
  • Ok, but I noticed that if I do not set the SPN for a user, that user will stay on NTLM authentication each time he connects to the DC (and in that case I cannot do delegation) – Stef Oct 12 '14 at 15:40
