Permissions to create an spn

permissions active-directory kerberos spn

Based on this MSDN article, and clarification by @Handyman5, the section "Delegating Authority to Modify SPNs" states

If you need to allow delegated administrators to configure service principal names (SPNs), you must ensure that their user accounts have the Validated write to service principle name permission.

The permission to delegate Validated write to service principle name requires Membership in Domain Admins, or equivalent


So I recently figured out how to do this. Follow the steps in the MSDN article about delegating the permission to Write SPNS.

However, you need to add one more permission for the account other than the Validated Write to Service Principal Names permission that is mentioned in MSDN article and that is write service principal name.

You need to add this permission in the exact same fashion as the how the article instructs you on the Validated Write to Service Principal Names (applies to computer objects, etc).

By adding this permission it allows you to write to the SPN attribute without needing full control, domain admin, or write all properties.

As a side note if you only add the Validated Write to Service Principal Names permission you will get the following error while trying to create a SPN and not access denied.

Failed to assign SPN on account LDAPName error 0x200b/8203 -> The attribute syntax specified to the directory service is invalid.

Related

How to install a Varnish module on Ubuntu
Outlook Email Abuse - Guide for email etiquette?
How to calculate server room air flow requirements
Standard Bolt Pattern for Racks in Datacenters
Why does OpenStack distinguish images from snapshots?
What are the performance implications of running VMs on a ZFS host?
Using SNI on Windows Server 2012 R2 not working
Daisy Chaining UPS Power Cable
Add a custom header to ProxyPass requests
IIS 7.5 not logging
Why do I grant access to /usr/share in apache2.conf
Can Puppet File Source be from a web service?