Updated July 3, 2026

SPN Changes for Active Directory Objects

Tags: guide, spn, active-directory, dsi, change-management, authentication, kerberos, sql-server


We can use the DSI Self-Service Portal to make SPN changes, including initial SPN requests, which were not supported through the portal before May 2025. A Change Request (CR) is still required, but the work itself is now much simpler.

Only the owner of the AD object can make the change via the DSI Self-Service Portal. To identify the owner, use the AD Lookup tool and perform an ID Search; the person listed in the details is the owner. Work with that person to schedule and perform this request, as the responsibility for performing the work is on them.

  1. Open a Change Request

  2. Planned Start Date and Planned End Date can be arranged with the AD object owner (for example, the owner of a non-user account)

  3. Assign the request to your own assignment group and self, or another member of your group

  4. Pre-Implementation Plan - This needs to show that you have verified the current SPNs on the object you are modifying, and that none of the requested SPNs currently exist. The below is an example:

    1. Confirmed there are no SPNs currently applied:
    
    PS C:\Users> setspn -L sharedepicsql
    Registered ServicePrincipalNames for CN=sharedepicsql,CN=Users,DC=ms,DC=ds,DC=uhc,DC=com:
    
    PS C:\Users>
    
    2. Confirmed there are no duplicate SPNs:
    
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses100.ms.ds.uhc.com
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses101.ms.ds.uhc.com
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    
  5. Implementation Plan - This needs to state that the DSI Self-Service Portal will be used, a link to the portal provided, and the SPNs to add to a specific AD object.

    Use the DSI self-service tool to add the following entries for MS\sharedepicsql
    MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433
    MSSQLSvc/zwswmpses100.ms.ds.uhc.com
    MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433
    MSSQLSvc/zwswmpses101.ms.ds.uhc.com
    
    https://dsi-self-service.optum.com/
    
  6. Validation Plan - This will be the same setspn -L command used in the pre-implementation plan, to verify the SPNs are set correctly. The below is an example:

    Run setspn -L sharedepicsql and validate the 4 SPNs have been added
    
  7. Backout Plan - This needs to note that the same DSI Self-Service Portal will be used to back out any changes if required. An explanation of what triggers a backout and a link to the portal must be included.

    As there is no current infrastructure using this, there is no failure trigger that necessitates reverting the changes unless one of the SPNs is unable to be applied. In that case, it is best to remove all of them until the issue can be resolved. We will use the same DSI self-service tool to delete the SPNs.
    
    https://dsi-self-service.optum.com/
    
  8. For Affected CIs and Impacted Services, choose an appropriate entry or entries for each. If there is no available option that matches, use the UNDEFINED SERVICE option for both. Using this option will require adding additional input to the Undefined CI Detail and Impacted Undefined Services tabs upon the initial Save.

  9. Create a Change Task:

    1. Assignment Group: Assignment Group of the AD Object Owner
    2. Assigned To: The AD Object Owner
    3. Short Description: Modify SPNs on Account
    4. Description: Copy the Implementation Plan from the main change
    5. Click Save and Exit
  10. When ready, click Request Approval
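
As an added example that is not part of the original guide, the following PowerShell wraps the same setspn -L and setspn -Q checks shown above into a repeatable pre-check (step 4) and post-change validation (step 6). The account name and SPN list are the guide's own example values and are assumptions to replace for the object actually being changed; the script only reads from AD, the change itself still goes through the portal.

```powershell
# Added example (not from the original guide): wraps the setspn -L / setspn -Q
# checks the guide shows so the pre-implementation evidence and the validation
# step are repeatable. Values are the guide's example account and SPNs (assumed).
$Account       = 'sharedepicsql'
$RequestedSpns = @(
    'MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433',
    'MSSQLSvc/zwswmpses100.ms.ds.uhc.com',
    'MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433',
    'MSSQLSvc/zwswmpses101.ms.ds.uhc.com'
)

function Get-RegisteredSpns {
    # setspn -L prints a "Registered ServicePrincipalNames for CN=..." header
    # followed by one indented SPN per line; a real SPN always contains '/'.
    param([string]$Name)
    $lines = & setspn -L $Name 2>&1 | ForEach-Object { "$_".Trim() }
    return @($lines | Where-Object { $_ -match '/' -and $_ -notmatch '^Registered' })
}

function Test-SpnIsFree {
    # setspn -Q prints "No such SPN found." only when no object in the domain
    # holds the SPN. Anything else means the request would create a duplicate,
    # and duplicate SPNs leave the KDC unable to pick a key, so Kerberos fails.
    param([string]$Spn)
    return ((& setspn -Q $Spn 2>&1 | Out-String) -match 'No such SPN found')
}

function Invoke-SpnPreCheck {
    # Run BEFORE submitting the CR; paste the output into the Pre-Implementation Plan.
    $existing = Get-RegisteredSpns -Name $Account
    "Current SPNs on ${Account}: $($existing.Count)"
    $existing | ForEach-Object { "  $_" }
    $dupes = @($RequestedSpns | Where-Object { -not (Test-SpnIsFree -Spn $_) })
    foreach ($spn in $RequestedSpns) {
        $state = if ($dupes -contains $spn) { 'DUPLICATE' } else { 'free     ' }
        "  $state  $spn"
    }
    if ($dupes.Count) { Write-Warning "Resolve $($dupes.Count) duplicate SPN(s) before requesting." }
}

function Invoke-SpnValidation {
    # Run AFTER the portal change; this is the Validation Plan step.
    $after   = Get-RegisteredSpns -Name $Account
    $missing = @($RequestedSpns | Where-Object { $after -notcontains $_ })
    if ($missing.Count) { Write-Warning "Not applied (consider backout): $($missing -join ', ')" }
    else { "Validation passed: all $($RequestedSpns.Count) SPNs present on $Account" }
}

Invoke-SpnPreCheck      # run Invoke-SpnValidation instead once the portal change is done
```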