8

According to Setspn Overview it's discouraged to use Setspn -A to add an SPN record and it's suggested to use Setspn -S instead.

It's said that Setspn -S checks whether the SPN already exists before adding a new one. Setspn –A does not perform this check.

Although you can use Setspn -A to add an SPN, you should use Setspn -S instead because -S will verify that there are no duplicate SPNs.

However on Windows Server 2012 I see that Setspn -S and Setspn -A behave the same way: if an SPN record for an account exists then I get a failure both with -A and -S arguments.

Is there any real difference between Setspn -S and Setspn -A?

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
bahrep
  • 664
  • 1
  • 9
  • 27

1 Answers1

13

Not any more. You sort of answered your own question. It has obviously been decided that there's no need for the original -A functionality of not checking for duplicates any more... but you can't just go willy-nilly ripping the -A out, because someone's script somewhere that was using -A would break.

Adding some official documentation to back up my claim:

http://technet.microsoft.com/en-us/library/hh831747.aspx

Changes to SetSPN

In Windows Server 2012, SetSPN will no longer be able to register duplicate SPNs in a domain. When SetSPN –a is used, SetSPN will treat it as SetSPN –s.

For eveloping information about SetSPN, see Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe) on the TechNet Wiki. For the command reference, see Setspn in the TechNet Library.

Ryan Ries
  • 55,011
  • 9
  • 138
  • 197