Creating Kerberos service principal names

Kerberos service principal names are created using the setspn.exe tool in the Windows Support Tools package.
Important: Kerberos service principal names are required for single sign-on using both Windows Authentication and Java Kerberos. Both methods of single sign-on authentication require these steps.
To allow the application server to accept Kerberos authentication requests:
  1. Log in to the domain controller where the Windows Support Tools are installed.
  2. Open the Command Prompt.
  3. Run the following command in the Command Prompt:
    setspn -a HTTP/host.domain.ext DOMAIN.EXT\nexjsvr
    Note: host.domain.ext is the canonical DNS name of the application server host and DOMAIN.EXT is the Kerberos realm, corresponding to the Active Directory domain name. Domain names are case-sensitive: host.domain.ext must be in lowercase and DOMAIN.EXT must be in uppercase.
    Tip: The principal names for the account can also be viewed and modified using the adsiedit.msc MMC snap-in (attribute servicePrincipalName, available in the object Property pages).
  4. Confirm the service principal name has been successfully added by running the following command in the Command Prompt:
    setspn -L DOMAIN.EXT\nexjsvr
  5. If multiple clusters with separate HTTP redirectors are set up on the same domain, map all HTTP redirector SPNs to nexjsvr.
  6. Make sure no other user or computer has the same SPN value. Use setspn -l DOMAIN.EXT\user to view the SPNs for a given user, and setspn -l host to view the SPNs for a given computer. If the same SPN is mapped to another user or computer, it can be deleted using one of the following commands:
    setspn -d HTTP/host.domain.ext DOMAIN.EXT\user
    setspn -d HTTP/host.domain.ext computer
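
Step 6 checks one account at a time. As an added example (not part of the original documentation), the PowerShell script below searches the whole current domain for every object that holds the SPN and flags any holder other than the service account. The SPN and account defaults are the page's placeholders; the function names, the single-domain scope and the use of the [adsisearcher] accelerator are assumptions of this example.

```powershell
# Added example: directory-wide duplicate check for one SPN (step 6).
# Assumes a domain-joined host; default values are the page's placeholders.
param(
    [string]$Spn = 'HTTP/host.domain.ext',
    [string]$ExpectedAccount = 'nexjsvr'
)

function Test-SpnHostCase {
    # True when the host part of the SPN is all lowercase, as the Note requires.
    param([string]$Spn)
    $hostPart = ($Spn -split '/', 2)[1]
    return [bool]$hostPart -and ($hostPart -ceq $hostPart.ToLowerInvariant())
}

function Get-SpnHolder {
    # Returns every object in the current domain whose servicePrincipalName
    # contains $Spn. Filter metacharacters are escaped per RFC 4515.
    param([string]$Spn)
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' `
                    -replace '\(', '\28' -replace '\)', '\29'
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 500
    foreach ($attr in 'samaccountname', 'distinguishedname') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

if (-not (Test-SpnHostCase $Spn)) {
    Write-Warning "Host part of '$Spn' is not lowercase."
}
$holders = @(Get-SpnHolder $Spn)
$others  = @($holders | Where-Object { $_.Account -ne $ExpectedAccount })

if ($holders.Count -eq 0) {
    Write-Output "No account holds $Spn; it has not been registered yet."
} elseif ($others.Count -eq 0) {
    Write-Output "$Spn is mapped only to $ExpectedAccount."
} else {
    Write-Warning "$Spn is also mapped to the accounts below; remove it from them as in step 6."
    $others | Format-Table Account, DN -AutoSize
}
```

Computer accounts appear with a trailing `$` in the Account column, which tells you which of the two setspn -d forms in step 6 applies.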

Your application server will now be able to receive and process Kerberos authentication requests.