SPN Changes for Active Directory Objects
We can utilize the DSI Self-Service Portal to make SPN changes, including initial SPN requests, which were not supported before May 2025. This still requires a Change Request (CR), but the change itself is now easier to perform.
Only the owner of the AD Object can make the change via the DSI Self-Service Portal. To assist in identifying the owner of the object, use the AD Lookup tool and perform an ID Search. The name of the person listed in the details is the owner. Work with that person to schedule and perform this request as the responsibility to perform the work is on them.
- Open a Change Request.
  - Planned Start Date and Planned End Date can be arranged with the AD object owner (the owner of a non-user account, for example).
  - Assign the request to your own assignment group and yourself, or to another member of your group.
- Pre-Implementation Plan: this needs to show that you have verified the current SPNs on the object you are modifying, and that none of the requested SPNs already exist anywhere in the domain (a duplicate SPN causes Kerberos authentication failures for that service). The below is an example:

    1. Confirmed there are no SPNs currently applied:
    PS C:\Users> setspn -L sharedepicsql
    Registered ServicePrincipalNames for CN=sharedepicsql,CN=Users,DC=ms,DC=ds,DC=uhc,DC=com:
    PS C:\Users>

    2. Confirmed there are no duplicate SPNs:
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses100.ms.ds.uhc.com
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.
    PS C:\Users> setspn -Q MSSQLSvc/zwswmpses101.ms.ds.uhc.com
    Checking domain DC=ms,DC=ds,DC=uhc,DC=com
    No such SPN found.

- Implementation Plan: this needs to state that the DSI Self-Service Portal will be used, provide a link to the portal, and list the SPNs to add to a specific AD object. Example:

    Use the DSI self-service tool to add the following entries for MS\sharedepicsql:
    MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433
    MSSQLSvc/zwswmpses100.ms.ds.uhc.com
    MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433
    MSSQLSvc/zwswmpses101.ms.ds.uhc.com
    https://dsi-self-service.optum.com/

- Validation Plan: this will be the same setspn -L command used in the pre-implementation plan, run again to verify the SPNs are set correctly. Example:

    Run setspn -L sharedepicsql and validate that the 4 SPNs have been added.

- Backout Plan: this needs to note that the same DSI Self-Service Portal will be used to back out any changes. An explanation of what triggers a backout and a link to the portal must be included. Example:

    As there is no current infrastructure using these SPNs, there is no failure trigger that necessitates reverting the changes unless one of the SPNs cannot be applied. At that point, it is best to remove all of them until the issue can be resolved. We will use the same DSI self-service tool to delete the SPNs.
    https://dsi-self-service.optum.com/

- For Affected CIs and Impacted Services, choose an appropriate entry or entries for each. If no available option matches, use the UNDEFINED SERVICE option for both. Using this option requires additional input on the Undefined CI Detail and Impacted Undefined Services tabs upon the initial Save.
- Create a Change Task:
  - Assignment Group: the assignment group of the AD Object Owner
  - Assigned To: the AD Object Owner
  - Short Description: Modify SPNs on Account
  - Description: copy the Implementation Plan from the main change
- Click Save and Exit.
- When ready, click Request Approval.
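The pre-implementation and validation checks above, scripted as an added PowerShell example (this is not part of the runbook or the DSI portal). It reads the object's servicePrincipalName attribute with the ActiveDirectory module, uses setspn -Q for the domain-wide duplicate check, and reports which requested SPNs are missing after the portal change. The account name and SPNs are the sample values from the change-request example; the function names are this example's own.

```powershell
# Added example, not part of the runbook: automate the pre-implementation
# check (no existing or duplicate SPNs) and the post-change validation.
# Requires setspn.exe and the ActiveDirectory module (RSAT) on a
# domain-joined Windows host. Values below are the runbook's sample values.

$Account = 'sharedepicsql'
$RequestedSpns = @(
    'MSSQLSvc/zwswmpses100.ms.ds.uhc.com:1433',
    'MSSQLSvc/zwswmpses100.ms.ds.uhc.com',
    'MSSQLSvc/zwswmpses101.ms.ds.uhc.com:1433',
    'MSSQLSvc/zwswmpses101.ms.ds.uhc.com'
)

function Get-CurrentSpns {
    # Read servicePrincipalName from the directory object directly instead of
    # parsing setspn -L output. Works for user and computer objects alike.
    param([string]$SamAccountName)
    $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties servicePrincipalName
    if (-not $obj) { throw "AD object '$SamAccountName' not found" }
    return @($obj.servicePrincipalName)
}

function Test-SpnDuplicate {
    # setspn -Q searches the whole domain. Any hit means another object already
    # holds the SPN; Kerberos cannot resolve a duplicated SPN to one account,
    # so the change must not proceed until it is cleaned up.
    param([string]$Spn)
    $output = & setspn.exe -Q $Spn 2>&1 | Out-String
    return ($output -notmatch 'No such SPN found')
}

function Invoke-SpnPreflight {
    # Pre-Implementation Plan: show current SPNs and confirm no duplicates.
    param([string]$SamAccountName, [string[]]$Spns)
    $current = Get-CurrentSpns -SamAccountName $SamAccountName
    Write-Host "1. Current SPNs on ${SamAccountName}: $($current.Count)"
    $current | ForEach-Object { Write-Host "   $_" }

    Write-Host '2. Duplicate check:'
    $blocking = @()
    foreach ($spn in $Spns) {
        if (Test-SpnDuplicate -Spn $spn) {
            Write-Host "   DUPLICATE: $spn is already registered in the domain"
            $blocking += $spn
        } else {
            Write-Host "   OK: $spn not found in the domain"
        }
    }
    return ($blocking.Count -eq 0)
}

function Test-SpnApplied {
    # Validation Plan: every requested SPN must now be present on the object.
    # -notcontains is case-insensitive, matching how AD compares SPNs.
    param([string]$SamAccountName, [string[]]$Spns)
    $current = Get-CurrentSpns -SamAccountName $SamAccountName
    $missing = @($Spns | Where-Object { $current -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Host 'Missing SPNs (per the backout plan, remove all via the portal until resolved):'
        $missing | ForEach-Object { Write-Host "   $_" }
        return $false
    }
    Write-Host "All $($Spns.Count) requested SPNs are present on $SamAccountName"
    return $true
}

# Usage: run the preflight before submitting the CR; run Test-SpnApplied
# after the portal change has been made and paste both outputs into the CR.
if (Invoke-SpnPreflight -SamAccountName $Account -Spns $RequestedSpns) {
    Write-Host 'Preflight passed; paste this output into the Pre-Implementation Plan.'
} else {
    Write-Host 'Preflight failed; resolve the duplicate SPNs before submitting the CR.'
}
```

The duplicate check is the part worth keeping strict: the portal will refuse (or silently break Kerberos for) an SPN that already exists elsewhere, which is exactly the "SPN unable to be applied" condition the backout plan describes, so catching it before the CR is approved avoids the backout entirely.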