SetSPN improvements in Windows Server 2008! W00t!

Update: Most recent SetSPN ramblings (short: use -S instead of -A).

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.

I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.

SetSPN got revamped! And the updated version is available from the Download Centre for Windows Server 2003 as well.

We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad: if the same SPN is registered on two accounts, the KDC has no way of knowing which account’s key to encrypt the service ticket with, so the ticket may be issued for the wrong account and the real service can’t decrypt it. (The Wiki is still down, by the way, sorry).

We also know that configuring said SPNs has always been a little bit iffy, and that the chance of getting it wrong was quite high – there was no control that prevented the same SPN from being registered twice, against different accounts.

Worse: SetSPN was focused on the account (security principal) only. If you suspected a duplicate, you had to hunt it down with a customized LDIFDE query keyed on the SPN value, because SetSPN wouldn’t search by SPN, only list the SPNs on a given account.

Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!

Yes folks, SetSPN now has a SANITY CHECK switch (-S, which registers an SPN only if no duplicate already exists) and a FIND THE PROBLEM switch (-X, which searches the directory for duplicate SPNs)! HOW COOL IS THAT!?

In order not to break backwards compatibility (I infer; I didn’t actually participate in the conversation or decision making process), these are implemented as new switches rather than changes to the old ones: existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won’t (er, shouldn’t) suddenly break.

C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
Where ‘computername’ can be the name or domain\name

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

Examples:
setspn -R daserver1
It will register SPN ‘HOST/daserver1’ and ‘HOST/{DNS of daserver1}’
setspn -A http/daserver daserver1
It will register SPN ‘http/daserver’ for computer ‘daserver1’
setspn -D http/daserver daserver1
It will delete SPN ‘http/daserver’ for computer ‘daserver1’
setspn -F -S http/daserver daserver1
It will register SPN ‘http/daserver’ for computer ‘daserver1’ if no such SPN exists in the forest

So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S. Note from the usage text that the duplicate check is domain-wide by default; add -F if the same SPN could legitimately turn up on an account in another domain of the forest, so that the check covers the whole forest.
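As an added example (my own script, not part of the SetSPN tool or the original post), here is a PowerShell equivalent of the two new lookups described in the usage text above: a forest-wide duplicate search like setspn -F -X, and an SPN-owner lookup like setspn -Q. It talks to the Global Catalog through System.DirectoryServices, so it assumes you run it on a domain-joined Windows box as a user with read access to the GC; the function names, the sample SPN ‘http/daserver’ and the GC:// search root are my assumptions, not anything the page specifies.

```powershell
# Added example, not from the original post: find duplicate SPNs forest-wide and
# look up which account(s) hold a given SPN, using LDAP against the Global Catalog.
# Assumes: domain-joined Windows, .NET System.DirectoryServices available, and a
# caller with read access to the GC. 'GC://' (serverless, forest-wide) is assumed.

function Get-SpnIndex {
    param([string]$SearchRoot = 'GC://')   # GC:// = whole forest, like setspn -F

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter   = '(servicePrincipalName=*)'   # any object with at least one SPN
    $searcher.PageSize = 1000                          # paged search: no 1000-entry truncation
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('servicePrincipalName')

    # Build a map of SPN -> list of account DNs. Kerberos matches SPNs
    # case-insensitively, so key on the lower-cased value.
    $index = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) {
                $index[$key] = New-Object System.Collections.ArrayList
            }
            [void]$index[$key].Add($dn)
        }
    }
    return $index
}

# Equivalent of 'setspn -F -X': every SPN registered on more than one account.
function Get-DuplicateSpn {
    param([string]$SearchRoot = 'GC://')
    $index = Get-SpnIndex -SearchRoot $SearchRoot
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                SPN      = $entry.Key
                Accounts = ($entry.Value -join '; ')
            }
        }
    }
}

# Equivalent of 'setspn -Q <SPN>': which account(s), if any, already hold this SPN.
function Find-SpnOwner {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [string]$SearchRoot = 'GC://'
    )
    $index = Get-SpnIndex -SearchRoot $SearchRoot
    $key = $Spn.ToLowerInvariant()
    if ($index.ContainsKey($key)) { return @($index[$key]) }
    return @()
}

# Usage (sample SPN is an assumed value):
#   Get-DuplicateSpn | Format-Table -AutoSize
#   $owners = Find-SpnOwner -Spn 'http/daserver'
#   if ($owners.Count -eq 0) { setspn -F -S http/daserver daserver1 } else { $owners }
```

The pre-flight check in the usage comment is belt-and-braces: setspn -S performs its own duplicate check, but having the owner list in hand tells you which account to clean up (with setspn -D) before you retry, rather than just being told the registration failed.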

Again, I ask you: How cool is that!?

I should add that I haven’t actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a “NotYetImplementedException”, please forgive my enthusiasm 🙂

Anthology Of Interest

Okay, so there’s no interest here, but perhaps an anthology anyway.


Yes I’ve been gone a while; another computer packed it in (this time without my own personal brand of assistance), I’ve been off to India (usually a 5.5 hr difference from Sydney, but we worked the night shift – 10pm to 4:30am in theory; we made it to 3 one night and faded otherwise – for a few days there before rotating back into the pseudo-reasonableness of 1pm to 10pm IST), and I have been jetlagged for the two weeks since returning… I know, a tough life.


Anyway, quick mentions:


Touch Ain’t Just For Tablets


Mary Jo seems to think Touch is for Tablets only… Not quite. Perhaps Microsoft agrees, but why is Touch considered a Tablet feature only? It’s brilliant anywhere, if you can get it.


Is it really that expensive to add to a regular laptop? Shouldn’t it be a standard feature?


After having the p1610 for a year now (they grow up so fast!), I’m thinking that the tablet form-factor novelty has utterly worn off (it only ever gets converted by eager demo-seekers; I use it in clamshell style only).


So, upgrading and replacing it might be on the cards sometime – an ultralight, say a 10.4″ to 12.1″ wide screen would be fine. Small keyboard is fine, I’ve adapted perfectly to the 1610’s 3/4 size keys. Give me long battery life and light weight, and I’m happy, mostly.


But, mandatorily, any future laptop I buy must have a touch screen.


I don’t care if it’s landscapo-portraito-tableto-converto-capable, or if it does handwriting recognition (I have issues recognizing my handwriting; how’s a computer ever going to get it?), or any of the other (actually very cool) Tablet-ty features; it just needs that if-you-push-a-spot-on-the-screen-something-happens capability.


I made my last purchase decision based on the device being one of the few that had a touch interface (as opposed to a Special Pen interface, which not only makes the pen sound challenged, it’s a challenge to fish the pen out, and the cause of repeated heart-stopping “I forgot the pen at the client site!” moments, before you discover it’s in your other pocket, or caught up in your belt, or whatever) and it was, in retrospect, a winner.


Both long-time readers will know that I don’t put a lot of faith in my gut feelings (without lots of testing), but this one panned out brilliantly.


Jabbing at the screen with one finger is brilliant.


As an LCD purist that actually puts a “THIS IS A FLAT SCREEN NOT A TOUCH SCREEN – FINGERS MAY BE LOST” label on his precious (fingerprintless) LCD monitors, I can honestly say I’d convert every single one to a resistive touch screen covered in finger goop, if it got me proddability. It’s the very definition of intuitive. You see a button, and you push it, physically, no mouse-hand-translation, no infinite widths or screen edges required.


Your finger is the original pointing device. (Er, arguably. Let’s not go there.)


If every laptop came with a touch screen (not an active digitizer, remember), just imagine how much less frustrating plane trips could be? Instead of scratching like a chicken at the pad, or nudging nervously at the “pointing stick”, you’d poke your way through dialogs and drag your scrollbars down directly.


Happy sigh. So as you can probably guess, I’m very interested in any laptop sporting a touch screen (active digitizer too for bonus marks, sure, but it’s primarily about the convenience – having 1024 pressure levels is a secondary concern to me, most of the time). But I want my fingertip (or pen, or ice cream stick, or knuckle, or tightly-coiled tissue) interface first.


Laptop makers: you know it makes sense! Make it so!


You Know It Shipped When…


Visual Studio 2008 shipped a while back now (er, belated yay!) and installs the .NET Framework 3.5, which includes .NET 2.0 SP1 and 3.0 SP1, in case you didn’t know.


So: installing 3.5 isn’t just a bolt-on installation; it actually upgrades the core 2.0 and 3.0 binaries in place. The SP releases are available individually too.




Have a great holiday season!