AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account


When you deploy an AD FS 2.0 Federation Server farm, you must specify a domain-based service account. That service account needs an SPN (servicePrincipalName) registered so that Kerberos can function for the Federation Service.

When you initially configure the AD FS 2.0 farm, the configuration wizard will attempt to set the SPN for you as long as the account running the configuration wizard has Write access to the servicePrincipalName attribute on the service account in Active Directory.


Reasons you may need to manually set the SPN on the AD FS 2.0 service account:

  • SPN registration failed during initial configuration of the farm
  • The Federation Service name has changed
  • The service account has changed


The SPN to register is in the following format:



You can register the SPN using setspn.exe, ADSIEDIT, or any utility capable of writing Active Directory LDAP attributes.


Syntax for SetSPN.exe:

setspn -a host/{your_Federation_Service_name} {domain_name}\{service_account}


In Windows Server 2008 and later, the SetSPN.exe utility provides a way to ensure that you are not duplicating SPNs in the forest:

setspn -x


setspn -s host/{your_Federation_Service_name} {domain_name}\{service_account}
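
The following PowerShell is an added example, not part of the original article. It audits which account currently holds the HOST SPN before you register it, covering the cases listed above (failed registration, changed Federation Service name, changed service account). The function name Test-AdfsSpn, the account names and fs.contoso.example are hypothetical, and the sample records are constructed.

```powershell
# Input objects need SamAccountName and ServicePrincipalName, the shape returned by
#   Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties SamAccountName,ServicePrincipalName
# (ActiveDirectory module). The sample at the bottom is constructed so this runs offline.
function Test-AdfsSpn {
    param(
        [Parameter(Mandatory)] [string]   $FederationServiceName,  # hypothetical: fs.contoso.example
        [Parameter(Mandatory)] [string]   $ServiceAccount,         # sAMAccountName of the AD FS account
        [Parameter(Mandatory)] [object[]] $Accounts
    )
    $wanted = "host/$FederationServiceName"

    # -contains and -eq compare strings case-insensitively, so HOST/ and host/ both match.
    $holders = @($Accounts |
        Where-Object { @($_.ServicePrincipalName) -contains $wanted } |
        ForEach-Object { $_.SamAccountName })

    if     ($holders.Count -eq 0)            { $status = 'Missing' }       # registration never succeeded
    elseif ($holders.Count -gt 1)            { $status = 'Duplicate' }     # more than one account holds it
    elseif ($holders[0] -eq $ServiceAccount) { $status = 'OK' }
    else                                     { $status = 'WrongAccount' }  # e.g. left on a previous account

    # Other host/ SPNs still on the service account: review these after a service name change.
    $svc   = $Accounts | Where-Object { $_.SamAccountName -eq $ServiceAccount }
    $other = @($svc | ForEach-Object { $_.ServicePrincipalName } |
        Where-Object { $_ -like 'host/*' -and $_ -ne $wanted })

    [pscustomobject]@{
        Spn           = $wanted
        Status        = $status
        Holders       = $holders
        OtherHostSpns = $other
    }
}

# Constructed sample: the service account was changed, but the SPN stayed on the old account.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-adfs-old'; ServicePrincipalName = @('HOST/fs.contoso.example') }
    [pscustomobject]@{ SamAccountName = 'svc-adfs';     ServicePrincipalName = @('host/sts.contoso.example') }
)

Test-AdfsSpn -FederationServiceName 'fs.contoso.example' -ServiceAccount 'svc-adfs' -Accounts $sample
```

A Status other than OK means the SPN has to be added, moved or de-duplicated with the setspn commands above before the Federation Service can rely on it.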


More Information

As an Active Directory admin, you may ask: "Why do we need the HOST SPN instead of the HTTP SPN?"


AD FS 2.0 uses the HOST service type for SPN registration because of default Windows Communication Foundation (WCF) SPN requirements. While HTTP makes sense for web-based applications, it does not satisfy rich clients that use the WS-Trust protocol.

  • Maheshkumar S Tiwari edited Revision 1. Comment: Added tags

  • Do you have to restart the AD FS service after setting this SPN? What should I do after I set this SPN?