Get-DbaSpn

Author Drew Furgiuele (@pittfurg), port1433.com
Availability Windows, Linux, macOS

 

Want to see the source code for this command? Check out Get-DbaSpn on GitHub.
Want to see the Bill Of Health for this command? Check out Get-DbaSpn.

Synopsis

Retrieves existing Service Principal Names (SPNs) from Active Directory for SQL Server services

Description

Queries Active Directory to return SPNs that are currently registered for SQL Server services on specified computers or service accounts. This is essential for troubleshooting Kerberos authentication issues, as missing or duplicate SPNs prevent clients from authenticating to SQL Server using integrated security. Use this command to audit your current SPN configuration before making changes with Set-DbaSpn or when investigating authentication failures. The function returns detailed information including the service class (MSSQLSvc), port numbers, and associated Active Directory accounts.

Syntax

Get-DbaSpn
    [[-ComputerName] <String[]>]
    [[-AccountName] <String[]>]
    [[-Credential] <PSCredential>]
    [-EnableException]
    [<CommonParameters>]

 

Examples

 

Example: 1
PS C:\> Get-DbaSpn -ComputerName SQLSERVERA -Credential ad\sqldba

Returns a custom object with SearchTerm (ServerName) and the SPNs that were found

Example: 2
PS C:\> Get-DbaSpn -AccountName domain\account -Credential ad\sqldba

Returns a custom object with SearchTerm (domain account) and the SPNs that were found

Example: 3
PS C:\> Get-DbaSpn -ComputerName SQLSERVERA,SQLSERVERB -Credential ad\sqldba

Returns a custom object with SearchTerm (ServerName) and the SPNs that were found for multiple computers
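The Description notes that duplicate SPNs break Kerberos authentication. The following is an added example, not part of dbatools or the original page, that groups SPN records and reports any SPN registered under more than one account. It assumes the objects returned by Get-DbaSpn expose AccountName and SPN properties; Find-DuplicateSpn, the account names and the sample records are hypothetical and constructed for illustration.

```powershell
# Added example: flag SPNs that are registered under more than one AD account.
# Assumption: each input record has AccountName and SPN properties.
function Find-DuplicateSpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject[]]$InputObject
    )
    begin { $records = [System.Collections.Generic.List[psobject]]::new() }
    process {
        foreach ($r in $InputObject) {
            # Skip records that carry no SPN (nothing registered for that search term).
            if ([string]::IsNullOrWhiteSpace($r.SPN)) { continue }
            $records.Add($r)
        }
    }
    end {
        # Treat SPNs and account names as case-insensitive: normalise before grouping.
        $records |
            Group-Object -Property { $_.SPN.Trim().ToLowerInvariant() } |
            ForEach-Object {
                $accounts = @($_.Group.AccountName |
                    ForEach-Object { "$_".ToLowerInvariant() } |
                    Sort-Object -Unique)
                # The same SPN listed twice for one account is not a conflict.
                if ($accounts.Count -gt 1) {
                    [pscustomobject]@{
                        SPN      = $_.Name
                        Accounts = $accounts
                    }
                }
            }
    }
}

# Constructed sample records standing in for Get-DbaSpn output.
$sample = @(
    [pscustomobject]@{ AccountName = 'ad\svc-sql-a'; SPN = 'MSSQLSvc/SQLSERVERA.ad.example:1433' }
    [pscustomobject]@{ AccountName = 'ad\svc-sql-a'; SPN = 'MSSQLSvc/SQLSERVERA.ad.example' }
    [pscustomobject]@{ AccountName = 'ad\svc-old';   SPN = 'mssqlsvc/sqlservera.ad.example:1433' }
)
$sample | Find-DuplicateSpn

# Live use (needs Active Directory access; account names are placeholders):
# Get-DbaSpn -AccountName 'ad\svc-sql-a', 'ad\svc-old' | Find-DuplicateSpn
```

Any row it returns names an SPN that should be removed from all but the account the SQL Server service actually runs as.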

Optional Parameters

-ComputerName

Specifies the SQL Server computer names to retrieve registered SPNs for. Defaults to localhost if not specified.
Use this when you need to audit SPN configuration on specific servers or when troubleshooting Kerberos authentication issues across multiple SQL instances.

Alias
Required False
Pipeline true (ByValue)
Default Value

-AccountName

Specifies the Active Directory service accounts to search for registered SQL Server SPNs. Accepts both user accounts and computer accounts ending with '$'.
Use this when you need to audit which SPNs are registered under specific service accounts or when investigating authentication issues related to particular accounts.

Alias
Required False
Pipeline false
Default Value

-Credential

Credential used to connect to the remote servers or Active Directory.

Alias
Required False
Pipeline false
Default Value

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.

Alias
Required False
Pipeline false
Default Value False