SPN records check (Service Principal Name) – Exchange 2010 / Exchange 2013

There are lots of articles about enabling Kerberos authentication for Exchange 2010 CAS servers, but not much about what the SPN (Service Principal Name) list looks like. It is fairly easy to determine the list of SPNs for particular servers. SPN records are similar in Exchange 2010 and Exchange 2013. Here is the procedure:

  • Open a command prompt or PowerShell with elevated permissions
  • Type the following command:
setspn -Q */*EX10* >> d:spn_records.txt 

Explanation

  • setspn.exe – name of the utility, which can set SPN records or list their status
  • -Q – switches to query mode (lists existing SPN records)
  • */ – wildcard for the service part of the SPN (the part before the slash)
  • /*EX10* – names of the servers, matched with wildcards
  • >> d:spn_records.txt – redirects the output to a file, appending to it if it already exists

Results

Result for Exchange CAS/HUB

CN=SRVEX10CH1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 POP3/SRVEX10CH1.subdomain.domain.local
 POP3/SRVEX10CH1
 POP/SRVEX10CH1.subdomain.domain.local
 POP/SRVEX10CH1
 IMAP4/SRVEX10CH1.subdomain.domain.local
 IMAP4/SRVEX10CH1
 IMAP/SRVEX10CH1.subdomain.domain.local
 IMAP/SRVEX10CH1
 SMTP/SRVEX10CH1
 SMTP/SRVEX10CH1.subdomain.domain.local
 SmtpSvc/SRVEX10CH1
 SmtpSvc/SRVEX10CH1.subdomain.domain.local
 exchangeRFR/SRVEX10CH1
 exchangeRFR/SRVEX10CH1.subdomain.domain.local
 exchangeAB/SRVEX10CH1
 exchangeAB/SRVEX10CH1.subdomain.domain.local
 ExchangeMDB/SRVEX10CH1
 ExchangeMDB/SRVEX10CH1.subdomain.domain.local
 WSMAN/SRVEX10CH1
 WSMAN/SRVEX10CH1.subdomain.domain.local
 TERMSRV/SRVEX10CH1.subdomain.domain.local
 TERMSRV/SRVEX10CH1
 RestrictedKrbHost/SRVEX10CH1
 HOST/SRVEX10CH1
 RestrictedKrbHost/SRVEX10CH1.subdomain.domain.local
 HOST/SRVEX10CH1.subdomain.domain.local

Result for Exchange UM server

CN=SRVEX10UM1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 SmtpSvc/SRVEX10UM1.subdomain.domain.local
 SmtpSvc/SRVEX10UM1
 WSMAN/SRVEX10UM1
 WSMAN/SRVEX10UM1.subdomain.domain.local
 TERMSRV/SRVEX10UM1
 TERMSRV/SRVEX10UM1.subdomain.domain.local
 RestrictedKrbHost/SRVEX10UM1
 HOST/SRVEX10UM1
 RestrictedKrbHost/SRVEX10UM1.subdomain.domain.local
 HOST/SRVEX10UM1.subdomain.domain.local

Result for Exchange PF/Mailbox server

CN=SRVEX10PF1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 MSServerClusterMgmtAPI/SRVEX10PF1
 MSServerClusterMgmtAPI/SRVEX10PF1.subdomain.domain.local
 SMTP/SRVEX10PF1
 SMTP/SRVEX10PF1.subdomain.domain.local
 SMTPSVC/SRVEX10PF1
 SMTPSVC/SRVEX10PF1.subdomain.domain.local
 exchangeMDB/SRVEX10PF1.subdomain.domain.local
 exchangeMDB/SRVEX10PF1
 WSMAN/SRVEX10PF1
 WSMAN/SRVEX10PF1.subdomain.domain.local
 TERMSRV/SRVEX10PF1.subdomain.domain.local
 TERMSRV/SRVEX10PF1
 RestrictedKrbHost/SRVEX10PF1
 HOST/SRVEX10PF1
 RestrictedKrbHost/SRVEX10PF1.subdomain.domain.local
 HOST/SRVEX10PF1.subdomain.domain.local

Result for DAG

CN=EX10DAG,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 MSServerCluster/EX10DAG.subdomain.domain.local
 MSServerCluster/EX10DAG
 MSServerClusterMgmtAPI/EX10DAG.subdomain.domain.local
 MSServerClusterMgmtAPI/EX10DAG
 MSClusterVirtualServer/EX10DAG.subdomain.domain.local
 MSClusterVirtualServer/EX10DAG
 HOST/EX10DAG.subdomain.domain.local
 HOST/EX10DAG
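
The listings above can be checked mechanically instead of by eye. The following PowerShell is an added example, not part of the original post: it parses the saved setspn output and flags SPNs registered on more than one account and SPNs that lack a short-name or FQDN counterpart. The function name ConvertFrom-SetSpnOutput and the sample lines are constructed for illustration; it assumes PowerShell 3.0 or later and the output layout shown above.

```powershell
# Constructed sample in the layout shown above: an account DN line, then indented SPNs.
# For real data use: $lines = Get-Content d:spn_records.txt
$lines = @'
Checking domain DC=subdomain,DC=domain,DC=local
CN=SRVEX10CH1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 exchangeMDB/SRVEX10CH1
 exchangeMDB/SRVEX10CH1.subdomain.domain.local
 exchangeRFR/SRVEX10CH1
CN=SRVEX10PF1,OU=Exchange,OU=Servers,DC=subdomain,DC=domain,DC=local
 ExchangeMDB/SRVEX10PF1
 ExchangeMDB/SRVEX10PF1.subdomain.domain.local
 EXCHANGERFR/srvex10ch1
Existing SPN found!
'@ -split '\r?\n'

function ConvertFrom-SetSpnOutput {          # hypothetical helper name
    param([string[]]$Line)
    $account = $null
    foreach ($l in $Line) {
        if ($l -match '^CN=') { $account = $l.Trim(); continue }
        # SPN lines are indented and have the form <service class>/<host>
        if ($account -and $l -match '^\s+([^/\s]+)/(\S+)$') {
            [pscustomobject]@{
                Account      = ($account -split ',')[0]   # first RDN only, for short output
                ServiceClass = $Matches[1]
                HostName     = $Matches[2]
                Spn          = $l.Trim()
            }
        }
    }
}
$spns = @(ConvertFrom-SetSpnOutput -Line $lines)

# An SPN must be unique; Group-Object compares case-insensitively, which suits SPNs.
$duplicates = $spns | Group-Object Spn |
    Where-Object { @($_.Group.Account | Sort-Object -Unique).Count -gt 1 }

# Each service class on an account should appear for both the short name and the FQDN.
$unpaired = $spns | Group-Object Account, ServiceClass | ForEach-Object {
    $short = @($_.Group.HostName | Where-Object { $_ -notmatch '\.' })
    $fqdn  = @($_.Group.HostName | Where-Object { $_ -match '\.' } | ForEach-Object { ($_ -split '\.')[0] })
    $_.Group | Where-Object {
        $label = ($_.HostName -split '\.')[0]
        ($short -notcontains $label) -or ($fqdn -notcontains $label)
    }
}

'Duplicate SPNs (registered on more than one account):'
$duplicates | ForEach-Object { '  {0} -> {1}' -f $_.Name, ($_.Group.Account -join ', ') }
'SPNs without a short-name/FQDN counterpart:'
$unpaired | ForEach-Object { '  {0} on {1}' -f $_.Spn, $_.Account }
```

setspn -X runs the duplicate check against the directory itself; this script only inspects the saved listing.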

CAS Array – Right Understanding

Thanks to Brian Day for clearing up some commonly misunderstood issues (more links below). The summary is here:

  • CAS array object does not load balance the traffic (but it is used for it)
  • CAS array object should be configured even if you only have one CAS or a single multi-role server
  • CAS array object should not be configured or changed after creating Exchange Server 2010 mailbox databases and moving mailboxes into the databases
  • CAS array object Name is only a formal name (an arbitrary value)
  • CAS array object does not service OWA, ECP, EWS, Autodiscover, IMAP, SMTP, or POP
  • CAS array object FQDN should not be the same FQDN used for other services such as OWA, ECP, EWS, EAS, Autodiscover, or Outlook Anywhere
  • CAS array object should not be resolvable via DNS by external clients
  • CAS array object does not need to be part of the SSL certificate