Author | Drew Furgiuele (@pittfurg), port1433.com |
Availability | Windows, Linux, macOS |
Want to see the source code for this command? Check out Get-DbaSpn on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaSpn.
Retrieves existing Service Principal Names (SPNs) from Active Directory for SQL Server services
Queries Active Directory to return SPNs that are currently registered for SQL Server services on specified computers or service accounts. This is essential for troubleshooting Kerberos authentication issues, as missing or duplicate SPNs prevent clients from authenticating to SQL Server using integrated security. Use this command to audit your current SPN configuration before making changes with Set-DbaSpn or when investigating authentication failures. The function returns detailed information including the service class (MSSQLSvc), port numbers, and associated Active Directory accounts.
Get-DbaSpn
[[-ComputerName] <String[]>]
[[-AccountName] <String[]>]
[[-Credential] <PSCredential>]
[-EnableException]
[<CommonParameters>]
PS C:\> Get-DbaSpn -ComputerName SQLSERVERA -Credential ad\sqldba
Returns a custom object with SearchTerm (ServerName) and the SPNs that were found
PS C:\> Get-DbaSpn -AccountName domain\account -Credential ad\sqldba
Returns a custom object with SearchTerm (domain account) and the SPNs that were found
PS C:\> Get-DbaSpn -ComputerName SQLSERVERA,SQLSERVERB -Credential ad\sqldba
Returns a custom object with SearchTerm (ServerName) and the SPNs that were found for multiple computers
-ComputerName
Specifies the SQL Server computer names to retrieve registered SPNs for. Defaults to localhost if not specified.
Use this when you need to audit SPN configuration on specific servers or when troubleshooting Kerberos authentication issues across multiple SQL instances.
Alias | |
Required | False |
Pipeline | true (ByValue) |
Default Value |
-AccountName
Specifies the Active Directory service accounts to search for registered SQL Server SPNs. Accepts both user accounts and computer accounts ending with '$'.
Use this when you need to audit which SPNs are registered under specific service accounts or when investigating authentication issues related to particular accounts.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-Credential
User credential to connect to the remote servers or Active Directory.
Alias | |
Required | False |
Pipeline | false |
Default Value |
-EnableException
By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
Alias | |
Required | False |
Pipeline | false |
Default Value | False |
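The description above notes that missing or duplicate SPNs prevent Kerberos authentication. The following PowerShell is an added example, not part of dbatools or of this page: a hypothetical helper, Find-SpnProblem, that flags both conditions in a set of SPN records. It assumes each record exposes SPN and AccountName properties; the sample records and the ad.local host names are constructed.

```powershell
# Added example: flag duplicate and missing SPNs in a set of SPN records.
# Assumption: each record has SPN and AccountName properties; adjust the
# names if the objects returned by Get-DbaSpn differ in your dbatools version.
function Find-SpnProblem {
    param(
        [Parameter(Mandatory)] [object[]] $SpnRecord,
        [string[]] $ExpectedSpn = @()
    )

    # The same SPN registered under more than one account is a duplicate.
    $duplicates = $SpnRecord |
        Group-Object -Property { $_.SPN.ToLowerInvariant() } |
        Where-Object { @($_.Group.AccountName | Sort-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Problem  = 'Duplicate'
                SPN      = $_.Group[0].SPN
                Accounts = @($_.Group.AccountName | Sort-Object -Unique) -join ', '
            }
        }

    # An expected SPN that no record carries is missing.
    $registered = @($SpnRecord | ForEach-Object { $_.SPN.ToLowerInvariant() })
    $missing = $ExpectedSpn |
        Where-Object { $registered -notcontains $_.ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{ Problem = 'Missing'; SPN = $_; Accounts = '' }
        }

    @($duplicates) + @($missing)
}

# Constructed sample records (not real Get-DbaSpn output).
$records = @(
    [pscustomobject]@{ SPN = 'MSSQLSvc/SQLSERVERA.ad.local:1433'; AccountName = 'ad\sqlsvc' }
    [pscustomobject]@{ SPN = 'MSSQLSvc/SQLSERVERA.ad.local:1433'; AccountName = 'ad\SQLSERVERA$' }
    [pscustomobject]@{ SPN = 'MSSQLSvc/SQLSERVERB.ad.local:1433'; AccountName = 'ad\sqlsvc' }
)
# SPNs the instances are expected to have (constructed).
$expected = 'MSSQLSvc/SQLSERVERA.ad.local:1433',
            'MSSQLSvc/SQLSERVERB.ad.local:1433',
            'MSSQLSvc/SQLSERVERB.ad.local'

Find-SpnProblem -SpnRecord $records -ExpectedSpn $expected | Format-Table -AutoSize
```

To use it on live data, pass the output of Get-DbaSpn as -SpnRecord after confirming the property names with Get-Member.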