AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account

Summary

When you deploy an AD FS 2.0 Federation Server farm you must specify a domain-based service account, and that AD FS 2.0 service account must have an SPN (servicePrincipalName) registered so that Kerberos authentication works for the Federation Service.

When you initially configure the AD FS 2.0 farm, the configuration wizard will attempt to set the SPN for you as long as the account running the configuration wizard has Write access to the servicePrincipalName attribute on the service account in Active Directory.


Reasons you may need to manually set the SPN on the AD FS 2.0 service account:

  • SPN registration failed during initial configuration of the farm
  • The Federation Service name has changed
  • The service account has changed


The SPN to register is in the following format:

HOST/{your_Federation_Service_name}


You can register the SPN using setspn.exe, ADSIEDIT, or any utility capable of writing Active Directory LDAP attributes.


Syntax for SetSPN.exe:

setspn -a host/{your_Federation_Service_name} {domain_name}\{service_account}


In Windows Server 2008 and later, the SetSPN.exe utility can check that you are not creating duplicate SPNs in the forest (a duplicate SPN breaks Kerberos for every account that holds it):

setspn -x

or

setspn -s host/{your_Federation_Service_name} {domain_name}\{service_account}
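The following PowerShell script is an added example (not part of the original article) that performs the duplicate check and registration described above in one pass: it searches the forest for any object already holding the HOST SPN, registers the SPN with setspn -S only when it is absent, and lists the result. It assumes the RSAT ActiveDirectory module is installed and that the caller can write servicePrincipalName on the service account; fs.contoso.com and svc_adfs are placeholder names.

```powershell
# Added example, not from the article: verify and register the AD FS 2.0 HOST SPN.
# Assumes the ActiveDirectory module (RSAT) and Write access to servicePrincipalName.
Import-Module ActiveDirectory

$FederationServiceName = 'fs.contoso.com'   # placeholder: your Federation Service name
$ServiceAccount        = 'svc_adfs'         # placeholder: sAMAccountName of the AD FS 2.0 service account
$Spn                   = "HOST/$FederationServiceName"
$Domain                = (Get-ADDomain).NetBIOSName

# 1. Search the global catalog so that accounts in other domains of the forest are found too.
$Gc      = ((Get-ADForest).GlobalCatalogs | Select-Object -First 1) + ':3268'
$Holders = Get-ADObject -Server $Gc `
                        -SearchBase (Get-ADRootDSE -Server $Gc).rootDomainNamingContext `
                        -SearchScope Subtree `
                        -LDAPFilter "(servicePrincipalName=$Spn)" `
                        -Properties servicePrincipalName

# 2. Compare what was found with the intended service account.
$Account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$Others  = $Holders | Where-Object { $_.DistinguishedName -ne $Account.DistinguishedName }

if ($Others) {
    # Registering the SPN a second time would leave Kerberos unable to pick a key; stop here.
    Write-Warning "$Spn is already registered on another object:"
    $Others | ForEach-Object { Write-Warning "  $($_.DistinguishedName)" }
    Write-Warning "Remove it there (setspn -D) before registering it on $Domain\$ServiceAccount."
}
elseif ($Account.servicePrincipalName -contains $Spn) {
    Write-Host "$Spn is already registered on $Domain\$ServiceAccount; nothing to do."
}
else {
    # -S repeats the duplicate check inside setspn before writing the attribute.
    & setspn.exe -S $Spn "$Domain\$ServiceAccount"
}

# 3. Show every SPN now registered on the service account.
& setspn.exe -L "$Domain\$ServiceAccount"
```

The global catalog search covers domains in the forest root tree; setspn -x remains the simplest forest-wide duplicate report.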


More Information

As an Active Directory admin, you may ask: "Why do we need the HOST SPN instead of the HTTP SPN?"

Answer:

AD FS 2.0 uses the HOST service type for SPN registration because of the default Windows Communication Foundation (WCF) SPN requirements. While an HTTP SPN makes sense for web-based applications, it does not satisfy rich clients that use the WS-Trust protocol.

What's my Federation Service Name?

Answer:

From the ADFS Management console, select Edit Federation Service Properties. The Federation Service name is listed in the middle textbox.