1

I have a Windows 2008 R2 domain controller with more than 60 user accounts. Each time one of these users tries to connect to the DC, authentication "falls back" to NTLM. Kerberos authentication fails because the users' SPNs are missing.

I would like to set this attribute for all the user accounts. Do I have to manually set the SPN attribute for each user? Or is there a better solution?

3
  • 1
    Can you use PowerShell? Do you have the Microsoft Active Directory PowerShell module available?
    – jscott
    Commented Oct 12, 2014 at 10:51
  • 1
    @Stef: Normal user accounts rarely need an SPN. Service Principal Names are typically assigned to service accounts for authentication with applications such as IIS, so that impersonation and delegation can work correctly.
    – Greg Askew
    Commented Oct 12, 2014 at 14:50
  • Ok, but I noticed that if I do not set the SPN for a user, that user will stay on NTLM authentication each time he connects to the DC (and in that case I cannot do delegation).
    – Stef
    Commented Oct 12, 2014 at 15:40
