Set Service Principle Name (SetSPN)

A Security Principle is required to authorize Kerberos communication. This is not required for NTLM. To use Kerberos, you must grant Service Principal Name (SPN) privileges for your AgilePoint user accounts:

Note: This is one of the most common issues that occurs when installing with Kerberos authentication.

To grant SPN privileges, ​do the procedure in this topic.


  • These instructions do not apply to the following installation scenarios:
  • SetSPN is built into Windows Server 2008 and later. It is available if you have the Active Directory Domain Services (AD DS) server role installed. To use setspn, you must run the setspn command from an elevated command prompt.
  • Log on to Windows using a domain administrator account.

How to Start

  1. For Windows Server 2008 or 2012, click Start, right-click Command Prompt, and then click Run as administrator.


  1. Set a fully qualified domain name, friendly name, and DNS name on the AgilePoint Server machine so that any client can access it:
    1. To set the fully qualified domain name, execute the SetSPN command using the following syntax:
      setspn –a http/ domain\username

      Be sure to include the domain name in the command prompt: The machinename refers to the AgilePoint Server machine name.

    2. To set the friendly name, execute the setspn command using the following syntax:
      setspn –a http/machinename domain\username

      If you are unable to access the AgilePoint Server Web service pages from a machine other than the machine where AgilePoint Server is installed (e.g. Client or SharePoint machine). You should follow step a.

    3. To set the DNS Name or Alias used to abstract the physical hardware execute the setspn command using the following syntax:
      setspn –a http/dns domain\username
    4. Verify whether this has been properly set by running the following command:
      setspn –l domain\username

      The result should list http/