Where do I run the setspn command?

I am trying to add a Service Principal Name with the below command, which I am using for Windows Authentication.

setspn -a HTTP/Kerberos.com domain\username

I have a site running on IIS Server, which is running on a Windows 2008 server connected to a Domain Controller machine.

Do I have to run the setspn command on the IIS server or on the Domain Controller?

Kalpesh asked Oct 31 '22 17:10


1 Answer

You can run it on either machine as long as the login is privileged. The only difference is the amount of time it takes to propagate through the network.

Domain Controller Machine - will help propagate through the network faster, but then it means that the IIS server machine might not recognize the change right away. Hence, you might have to wait for ~30 mins before restarting the server after making changes to the SPN.

-- PREFERRED -- IIS Server Machine - changing the SPN here will allow you to continue working with the services. It will take ~30 mins for the rest of the network to realize the change, which usually isn't an issue.

Tigerjz32 answered Jan 04 '23 14:01
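
One way to register the question's SPN and then see which domain controllers have received the change, as an added example that is not part of the original answer. It assumes the ActiveDirectory PowerShell module is available on the machine where it runs; `domain`, `username` and `HTTP/Kerberos.com` are the question's placeholders.

```powershell
# Added example, not from the original post. Run from an elevated session with
# rights to write servicePrincipalName on the target account.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

$Spn     = 'HTTP/Kerberos.com'   # placeholder SPN from the question
$Domain  = 'domain'              # placeholder domain from the question
$Account = 'username'            # placeholder sAMAccountName from the question

# 1. Find every object that already carries this SPN. A duplicate SPN on a
#    second account makes Kerberos authentication to the service fail.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
$others = @($owners | Where-Object { $_.sAMAccountName -ne $Account })
if ($others.Count -gt 0) {
    throw "SPN $Spn is already registered on: $($others.sAMAccountName -join ', ')"
}

# 2. Register only if it is not there yet. -S checks the domain for duplicates
#    before adding; -A adds without that check.
if ($owners.Count -eq 0) {
    & setspn.exe -S $Spn "$Domain\$Account"
    if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
}

# 3. Ask each domain controller directly whether it has the SPN, to see how far
#    the change has replicated instead of waiting a fixed time.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $hit = @(Get-ADObject -Server $dc.HostName `
                     -LDAPFilter "(servicePrincipalName=$Spn)" -ErrorAction Stop)
        $state = if ($hit.Count -gt 0) { 'present' } else { 'not yet replicated' }
    } catch {
        $state = "query failed: $($_.Exception.Message)"
    }
    New-Object PSObject -Property @{ DomainController = $dc.HostName; Spn = $Spn; State = $state }
}
$report | Format-Table DomainController, Spn, State -AutoSize
```

Rerunning the script is safe: step 2 is skipped once the SPN is on the intended account, so later runs only refresh the per-DC report.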