SPN records check (Service Principal Name) – Exchange 2010 / Exchange 2013

There are plenty of articles about enabling Kerberos authentication for Exchange 2010 CAS servers, but not much about which SPNs (Service Principal Names) an Exchange server actually has registered. It is fairly easy to list the SPNs for a particular server, and the records are similar for Exchange 2010 and Exchange 2013. Here is the procedure:

  • Open a command prompt or PowerShell with elevated permissions on a domain-joined machine (setspn.exe ships with Windows Server 2008 and later, and with RSAT)
  • Type the following command
setspn -Q */*EX10* >> d:\spn_records.txt 


  • setspn.exe – the utility that registers SPN records or lists the ones already in Active Directory
  • -Q – query mode: searches the domain for SPNs matching the pattern and changes nothing
  • */ – the service class part of the SPN (HTTP, exchangeMDB, SMTPSVC, ...); the wildcard means any class
  • *EX10* – the host part after the slash; the wildcards match any server whose name contains EX10
  • >> d:\spn_records.txt – redirect the output to a file, appending rather than overwriting
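The query above, wrapped in a PowerShell script that keeps the raw output file as the post does, parses it into objects, and flags the one condition that breaks Kerberos for Exchange: the same SPN registered on more than one account. This is an added example, not code from the original post; it assumes the server names contain "EX10" (the pattern is a parameter), an elevated domain-joined shell, and setspn.exe on the path.

```powershell
# Added example, not part of the original post: run the setspn query for all
# Exchange hosts, keep the raw output as the post does, then parse it into objects
# and flag any SPN that is registered on more than one account.
# Assumptions: server names contain "EX10" (change the pattern), the shell is
# elevated and domain-joined, and setspn.exe is on the path.
param(
    [string]$HostPattern = '*EX10*',
    [string]$OutFile     = 'D:\spn_records.txt'
)

# Same query as the post: any service class (the "*" before the slash) on any
# host whose name matches the pattern (the part after the slash).
$raw = & setspn.exe -Q "*/$HostPattern" 2>&1 | ForEach-Object { [string]$_ }
$raw | Out-File -FilePath $OutFile -Append -Encoding UTF8

# setspn -Q prints each account's distinguished name at column 0 and the SPNs
# registered on it indented underneath, so the DN is the parsing state.
$records = @()
$account = $null
foreach ($line in $raw) {
    if ($line -match '^CN=') { $account = $line.Trim(); continue }
    if ($account -and $line -match '^\s+(\S+/\S+)\s*$') {
        $records += New-Object PSObject -Property @{ Account = $account; SPN = $Matches[1] }
    }
}

# One SPN on two accounts gives the KDC two keys to choose from; clients then
# receive a ticket the service cannot decrypt and fall back to NTLM or fail.
$duplicates = $records | Group-Object -Property SPN | Where-Object {
    @($_.Group | ForEach-Object { $_.Account } | Select-Object -Unique).Count -gt 1
}

"Accounts matching $HostPattern and their SPN counts:"
$records | Group-Object -Property Account | Select-Object Count, Name | Format-Table -AutoSize

if ($duplicates) {
    foreach ($d in $duplicates) {
        Write-Warning ("Duplicate SPN {0} on: {1}" -f $d.Name,
            (($d.Group | ForEach-Object { $_.Account } | Select-Object -Unique) -join '; '))
    }
} else {
    "No SPN is registered on more than one matching account."
}
```

Save it under any name (for example Check-ExchangeSpn.ps1, a placeholder) and run it with `-HostPattern '*EX13*'` for Exchange 2013 hosts. The duplicate check only covers accounts matching the pattern; `setspn -X` performs the same duplicate search across the whole forest and is worth running once after any SPN change.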


Result for Exchange CAS/HUB


Result for Exchange UM server


Result for Exchange PF/Mailbox server


Result for DAG


CAS Array – Getting It Right

Thanks to Brian Day for clearing up some commonly misunderstood points (more links below); the summary is here:

  • A CAS array object does not load balance traffic itself; it is only an Active Directory object whose FQDN Outlook's RPC/TCP (MAPI) connections are pointed at. The load balancing is done by whatever answers that FQDN (a hardware load balancer, Windows NLB, or just a single CAS)
  • A CAS array object should be configured even if you only have one CAS or a single multi-role server, so that Outlook profiles point at the array FQDN instead of a server name
  • Create the CAS array object before creating Exchange Server 2010 mailbox databases and moving mailboxes into them, and do not change it afterwards: the array FQDN is stamped on each database as RpcClientAccessServer at creation time and cached in Outlook profiles, so changing it later means updating every database and repairing client profiles
  • The Name of the CAS array object is only a label (an arbitrary value); what matters is its FQDN
  • A CAS array object does not service OWA, ECP, EWS, Autodiscover, IMAP, SMTP, or POP; it only serves RPC/TCP (MAPI) client connections
  • The CAS array FQDN should not be the same FQDN used for other services such as OWA, ECP, EWS, EAS, Autodiscover, or Outlook Anywhere
  • The CAS array FQDN should not be resolvable via DNS by external clients; otherwise Outlook Anywhere clients on the Internet may try RPC/TCP to it first and wait for the timeout before falling back to HTTPS
  • The CAS array FQDN does not need to be in the SSL certificate, because RPC/TCP connections are not TLS connections (they use RPC-level encryption)
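The points above can be checked mechanically from the Exchange Management Shell. The script below is an added example, not code from the original post or from Brian Day's articles; it targets Exchange 2010 (where RPC/TCP client access still exists), assumes a public resolver address as a placeholder, and skips the external-resolution check where Resolve-DnsName (Windows Server 2012 and later) is not available.

```powershell
# Added example, not part of the original post: check each CAS array against the
# points in the list above, from the Exchange 2010 Management Shell.
# Assumptions (placeholders, adjust for your environment): the external resolver
# address, and that Resolve-DnsName exists (Windows Server 2012+); on 2008 R2 the
# external-resolution column stays empty.
$ExternalResolver = '8.8.8.8'

# Hostnames published by the other client protocols. The CAS array FQDN must not
# be one of them.
$serviceHosts = @()
$serviceHosts += Get-OutlookAnywhere | ForEach-Object { $_.ExternalHostname }
foreach ($vdir in @(Get-OwaVirtualDirectory) + @(Get-EcpVirtualDirectory) +
                  @(Get-WebServicesVirtualDirectory) + @(Get-ActiveSyncVirtualDirectory) +
                  @(Get-AutodiscoverVirtualDirectory)) {
    $serviceHosts += $vdir.InternalUrl, $vdir.ExternalUrl
}
$serviceHosts = $serviceHosts | Where-Object { $_ } | ForEach-Object {
    if ($_ -is [System.Uri]) { $_.Host.ToLower() } else { $_.ToString().ToLower() }
} | Select-Object -Unique

# Every name the installed certificates cover; the array FQDN need not be among them.
$certDomains = Get-ExchangeCertificate | ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() } | Select-Object -Unique

$databases = Get-MailboxDatabase

$report = foreach ($array in Get-ClientAccessArray) {
    $fqdn = $array.Fqdn.ToString().ToLower()

    # Databases stamped with this array; changing the FQDN later means touching these
    # and repairing every Outlook profile that cached it.
    $dbs = $databases | Where-Object {
        $_.RpcClientAccessServer -and $_.RpcClientAccessServer.ToString().ToLower() -eq $fqdn
    }

    # External resolvability: Outlook Anywhere clients should never see this name.
    $resolvesExternally = $null
    if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
        $answer = Resolve-DnsName -Name $fqdn -Server $ExternalResolver -DnsOnly -ErrorAction SilentlyContinue
        $resolvesExternally = [bool]$answer
    }

    New-Object PSObject -Property @{
        Name                     = $array.Name      # arbitrary label; only the FQDN matters
        Fqdn                     = $fqdn
        Site                     = $array.Site
        Members                  = @($array.Members).Count
        DatabasesUsingIt         = @($dbs).Count
        CollidesWithOtherService = ($serviceHosts -contains $fqdn)
        InCertificate            = ($certDomains -contains $fqdn)   # informational only
        ResolvesExternally       = $resolvesExternally
    }
}

$report | Format-Table Name, Fqdn, Site, Members, DatabasesUsingIt,
    CollidesWithOtherService, InCertificate, ResolvesExternally -AutoSize

# Warn on the conditions the list above says to avoid.
foreach ($r in $report) {
    if ($r.CollidesWithOtherService) { Write-Warning "$($r.Fqdn) is also used by OWA/ECP/EWS/EAS/Autodiscover/Outlook Anywhere" }
    if ($r.ResolvesExternally)       { Write-Warning "$($r.Fqdn) resolves via $ExternalResolver; it should be internal-only" }
    if ($r.DatabasesUsingIt -eq 0)   { Write-Warning "$($r.Fqdn) is not the RpcClientAccessServer of any mailbox database" }
}
```

The InCertificate column is reported but never warned on, because the array FQDN being absent from the certificate is the expected state. A single-CAS environment should still show one array with one member and every database in that site pointing at it.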