Delegated Service Principal Name values

Last updated: January 30, 2023
Audience: IT Staff / Technical

The Microsoft Infrastructure provides self-service capabilities to assign your own service principal name (SPN) values to NETID computers, some NETID user accounts, and group managed service accounts.

For computers, delegated OU admins and joiners can set SPNs.

For users, if the user is an application UW NetID, then the account itself can set its own SPNs. No other user accounts have been delegated this self-service capability. If you need an SPN set on another user account, send in a request to help@uw.edu.

For group managed service accounts, delegated OU admins can set SPNs. See /tools-services-support/it-systems-infrastructure/msinf/ous/guide/gmsa/ for more details.

More Details

Service Principal Name values are stored in an Active Directory object’s servicePrincipalName attribute. Each value is built from three pieces of information, the last of which is optional:

  • service class (e.g. HTTP, MSSQLSvc, HOST)
  • hostname (normally the fully qualified DNS name clients will use)
  • port (omit it when the service listens on the protocol’s default port; a client must request the SPN exactly as registered, so the port in the SPN and the port the client connects to must agree)

An example SPN value is:

HTTP/www.contoso.com:8080

You can use the SetSPN tool (setspn.exe) to add and remove SPNs. Or you can use any LDAP tool (e.g. ldp.exe or ADSIEdit).

To set an SPN, first log in with the user account that holds the privilege: for computers and group managed service accounts, that is a delegated OU admin account; for application UW NetIDs, it is the application UW NetID itself. Then make the change. Before adding an SPN, check that the same value is not already registered on another object in the forest (setspn -Q or setspn -X): a duplicate SPN makes the KDC issue service tickets encrypted for the wrong account, and clients then fail to authenticate. Also be aware that any user account carrying an SPN can have its Kerberos service tickets requested by any other domain account, so give an application UW NetID that holds SPNs a long, random password, and prefer a group managed service account (whose password is rotated automatically) where the service supports it.
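The steps above, as an added example that is not from this page or from Microsoft's documentation. It uses setspn.exe and the ActiveDirectory PowerShell module; the computer name WEBSRV01, the gMSA name gmsa-web, the application UW NetID app-netid and the OU admin account name are assumptions, and the SPN value is the one from the page's example.

```powershell
# Added example (not from the original page). Object names are assumptions:
# WEBSRV01 (computer), gmsa-web (gMSA), app-netid (application UW NetID).

# 1. Start a shell as the account that holds the delegation: a delegated OU
#    admin for computers and gMSAs, or the application UW NetID for itself.
#    runas /user:NETID\<ou-admin-account> powershell.exe

# 2. Check the SPN is not already registered on some other object. A
#    duplicate makes the KDC encrypt tickets for the wrong account and the
#    service then rejects them, so this check comes before any write.
setspn -Q HTTP/www.contoso.com:8080

# 3. Add the SPN. -S refuses to write if a duplicate exists anywhere in the
#    forest (-A writes unconditionally); -C says the target is a computer.
setspn -S HTTP/www.contoso.com:8080 -C WEBSRV01

# 4. Confirm what is now registered on the object.
setspn -L WEBSRV01

# 5. Remove the SPN when the service is retired, so a stale value cannot
#    collide with a later registration of the same name.
setspn -D HTTP/www.contoso.com:8080 -C WEBSRV01

# The same add as a direct LDAP write through the ActiveDirectory module
# (the page's "any LDAP tool" route). Add/Remove edit the multi-valued
# attribute in place; Replace would wipe every other SPN on the object.
Set-ADComputer -Identity WEBSRV01 -ServicePrincipalNames @{Add='HTTP/www.contoso.com:8080'}

# A gMSA is addressed with its own cmdlet, as a delegated OU admin:
Set-ADServiceAccount -Identity gmsa-web -ServicePrincipalNames @{Add='HTTP/www.contoso.com:8080'}

# An application UW NetID is a user object; run this logged in as that NetID:
setspn -S HTTP/www.contoso.com:8080 -U app-netid

# Forest-wide audit for duplicates, useful after any bulk change:
setspn -X
```

setspn -S is preferred over -A for every add because the duplicate check is what prevents the hardest-to-diagnose Kerberos failure; the ActiveDirectory cmdlets perform no such check, so pair them with setspn -Q or -X.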

Microsoft’s SetSPN documentation can be found at:

http://technet.microsoft.com/en-us/library/cc773257(v=WS.10).aspx

http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx