
KB-1853: How to use adkeytab to set machine's UPN

Authentication Service

11 April,19 at 09:20 PM


Is there a way to set the machine's UserPrincipalName attribute from the Unix command line instead of using Windows adsiedit?


There are several ways to achieve this with the adkeytab command-line tool. One of them is:


1.  Run adinfo --diag; at the end of its output it lists the Service Principal Names. Delete the nfs SPN by running:

     -  adkeytab --delspn (-x) -P (--principal) nfs/ -u <aduser> -d <>, then press Enter. Enter your AD password and it should come back successful. You can verify this step by running adinfo --diag again and checking that the nfs SPN has been removed. Please see the example below:


From adinfo --diag:

Computer Account Diagnostics
  Joined as: nemo
  Key Version: 7
  Service Principal Names: nfs/nemo

Centrify DirectControl Status
  Running in connected mode

Licensed Features: Enabled

[root@nemo ~]# adkeytab --delspn -P nfs/ -u daniel.luu -d
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Del SPNs: Default Key Tab


2.  Next, you need to add a new nfs SPN and the UserPrincipalName together. Run:

    -  adkeytab --addspn -P nfs/ -U (upn) nfs/ -u <aduser> -d <>, then press Enter. Enter your password and the result should come back successful.


[root@nemo tmp]# adkeytab --addspn --principal nfs/nemo --principal nfs/ -U nfs/ -u daniel.luu -d
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Add SPNs: Default Key Tab


3.  Finally, on Windows you can run adsiedit, go to Computer OU, right click on Computer -> Properties, scroll down to UserPrincipalName, and you should see the new UPN we just added.
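
The verification in steps 1 and 2 (re-running adinfo --diag and reading the Service Principal Names line) can be scripted. The following is an added example, not part of the original article or of Centrify's tooling; the function names, the continuation-line layout for multiple SPNs, and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check which SPNs `adinfo --diag` reports for this machine.
# Live use: adinfo --diag | has_spn_class nfs

# list_spns: read adinfo --diag text on stdin, print one SPN per line.
# Assumption: extra SPNs follow on the same line (space/comma separated) or on
# indented continuation lines holding a single "class/host" token.
list_spns() {
    awk '
        function emit(s,    n, i, a) {
            gsub(/,/, " ", s)
            n = split(s, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
        /^[ \t]*Service Principal Names:/ {
            in_spn = 1
            sub(/^[ \t]*Service Principal Names:[ \t]*/, "")
            emit($0); next
        }
        in_spn && /^[ \t]+[^ \t]+\/[^ \t]*[ \t]*$/ { emit($0); next }
        { in_spn = 0 }
    '
}

# has_spn_class CLASS: succeed if any SPN on stdin has that service class.
# SPN matching in AD is case-insensitive, hence grep -i.
has_spn_class() {
    list_spns | grep -qi "^$1/"
}

# Constructed samples: BEFORE mirrors the article's output; AFTER is invented.
SAMPLE_BEFORE='Computer Account Diagnostics
  Joined as: nemo
  Key Version: 7
  Service Principal Names: nfs/nemo'

SAMPLE_AFTER='Computer Account Diagnostics
  Joined as: nemo
  Key Version: 7
  Service Principal Names: host/nemo
                           host/nemo.example.test

Centrify DirectControl Status
  Running in connected mode'

# Demo on the constructed AFTER sample: prints the two host/ SPNs.
printf '%s\n' "$SAMPLE_AFTER" | list_spns
```

After step 1, has_spn_class nfs should fail; after step 2 it should succeed again.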