List Forest SPN Mappings

I was helping a customer set up Kerberos delegation the other day. After all these years, the specifics of this topic still seem to create uncertainty.

Eventually, the conversation turned to the SPN-Mappings attribute. This little beauty can be found on the Directory Service object (class nTDSService) in the configuration partition. It allows the "host/..." SPN of a computer to represent any of the listed services running on that computer, i.e. if the SPN for a particular service is missing, the "host/..." SPN acts as a substitute.

For example, suppose "http/HALOMEM01" is missing. The SPN-Mappings attribute has an entry for "http", so "host/HALOMEM01" can be used to find the "http" service on that computer instead.

We then used PowerShell to dump out the contents of SPN-Mappings.


(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=HALO,DC=NET" -properties sPNMappings).sPNMappings -split "," | Sort-Object
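To see the substitution rule in action without touching a domain, here is an added example (not from the original post) that takes a requested SPN, the SPNs actually registered on an account, and raw sPNMappings values, and works out which SPN Kerberos would end up using. The mapping value and SPN list are constructed for illustration; the function name is my own.

```powershell
# Added example: resolve which SPN is usable when the requested one is missing
# but sPNMappings lets the "host/" SPN stand in for that service class.
# Sample sPNMappings value and SPN list below are constructed, not from a real forest.
function Resolve-MappedSpn {
    param(
        [Parameter(Mandatory)] [string]   $RequestedSpn,   # e.g. "http/HALOMEM01"
        [Parameter(Mandatory)] [string[]] $RegisteredSpns, # SPNs actually set on the account
        [Parameter(Mandatory)] [string[]] $SpnMappings     # raw sPNMappings values, "host=svc1,svc2,..."
    )

    # Exact match: nothing to substitute.
    if ($RegisteredSpns -contains $RequestedSpn) { return $RequestedSpn }

    # Split "class/instance[:port][/name]" into the service class and the rest.
    $slash = $RequestedSpn.IndexOf('/')
    if ($slash -lt 1) { return $null }
    $serviceClass = $RequestedSpn.Substring(0, $slash)
    $remainder    = $RequestedSpn.Substring($slash)      # keeps the leading "/"

    foreach ($mapping in $SpnMappings) {
        # Each value has the form "<target class>=<alias>,<alias>,..."
        $target, $aliasList = $mapping.Split('=', 2)
        $aliases = $aliasList.Split(',') | ForEach-Object { $_.Trim() }
        if ($aliases -contains $serviceClass) {           # -contains compares case-insensitively
            $candidate = "$target$remainder"              # e.g. "host/HALOMEM01"
            if ($RegisteredSpns -contains $candidate) { return $candidate }
        }
    }
    # No registered SPN covers the request: the KDC cannot issue a ticket for it.
    return $null
}

# Constructed sample data: a trimmed sPNMappings value and one computer account's SPNs.
$sampleMappings = @('host=alerter,dns,http,www,oakley,cifs')
$sampleSpns     = @('host/HALOMEM01', 'host/halomem01.halo.net', 'MSSQLSvc/HALOMEM01:1433')

# "http" is in the mapping list, so the host SPN is substituted.
Resolve-MappedSpn -RequestedSpn 'http/HALOMEM01' -RegisteredSpns $sampleSpns -SpnMappings $sampleMappings
# An SPN that is registered directly is returned unchanged.
Resolve-MappedSpn -RequestedSpn 'MSSQLSvc/HALOMEM01:1433' -RegisteredSpns $sampleSpns -SpnMappings $sampleMappings
# "ldap" is not in the mapping list and has no SPN of its own, so nothing is returned.
Resolve-MappedSpn -RequestedSpn 'ldap/HALOMEM01' -RegisteredSpns $sampleSpns -SpnMappings $sampleMappings
```

When auditing delegation, feed the function the real sPNMappings output from the Get-ADObject command above together with `setspn -L` results for the account to check which service classes are genuinely covered by the host SPN.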

I've always wondered about oakley... answers on a postcard!


Comments (2)
  1. Useful information. I would clean this up a little but to remove the host=alerter entry. Try this…

    (Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com" -properties sPNMappings).sPNMappings.Split("=")[1].Split(",")

    1. little bit, not “little but”… typo. sorry.
