Perform SPN management tasks in Data Archive
Last Updated: Apr 15, 2025
Service principal name (SPN) management tasks may be necessary to ensure proper Kerberos authentication, especially when troubleshooting authentication failures or changing the PI Network Manager service account. The following procedures guide you through viewing, registering, removing, and reassigning SPNs.
View existing SPNs
- To check which SPNs are registered for PI Data Archive, run the following command in a command prompt window in administrator mode:
setspn -L <service-account>
Replace <service-account> with the domain computer account.
Code example
This code example requests a list of SPNs that are registered to a Data Archive server named mypiserver on mydomain:
setspn -L mydomain\mypiserver
Register an SPN
- If an SPN is missing, register it using the following command:
setspn -S PIServer/<hostname> <service-account>
setspn -S PIServer/<FQDN> <service-account>
Code example
setspn -S PIServer/MyPIServer mydomain\mypiserver
setspn -S PIServer/MyPIServer.domain.com mydomain\mypiserver
Note: The -S option ensures that no duplicate SPNs are created. Use -A only if necessary, but verify uniqueness first.
Remove an SPN
- To remove an outdated or incorrect SPN, use the following command:
setspn -D PIServer/<hostname> <service-account>
setspn -D PIServer/<FQDN> <service-account>
Code example
setspn -D PIServer/MyPIServer mydomain\mypiserver
setspn -D PIServer/MyPIServer.domain.com mydomain\mypiserver
Reassign SPNs when changing the PI Network Manager account
If the PI Network Manager service account is changed, you must perform the following tasks:
- Remove existing SPNs assigned to the old account.
- Register SPNs for the new computer account using the commands above.
- Verify correct SPN assignment using:
setspn -L <service-account>
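The three reassignment steps above can be run and checked together. The following PowerShell script is an added example, not part of the original documentation; the parameter defaults reuse the sample names from this page, and `mydomain\oldaccount` and the helper function `Test-SpnOnAccount` are hypothetical. It assumes an elevated prompt and rights to modify SPNs on both accounts.

```powershell
# Added example: reassign the PIServer SPNs from an old account to a new one,
# then verify the result. All default values are placeholders (assumptions).
param(
    [string]$HostName   = 'MyPIServer',
    [string]$Fqdn       = 'MyPIServer.domain.com',
    [string]$OldAccount = 'mydomain\oldaccount',   # hypothetical old account
    [string]$NewAccount = 'mydomain\mypiserver'
)

# Returns $true if 'setspn -L <account>' lists the SPN (case-insensitive match).
function Test-SpnOnAccount([string]$Spn, [string]$Account) {
    $lines = & setspn -L $Account
    [bool]($lines | Where-Object { $_.Trim() -ieq $Spn })
}

$spns = "PIServer/$HostName", "PIServer/$Fqdn"

foreach ($spn in $spns) {
    # Step 1: remove the SPN from the old account, only if it is registered there.
    if (Test-SpnOnAccount $spn $OldAccount) {
        & setspn -D $spn $OldAccount
    }
    # Step 2: register on the new account. -S checks for duplicates first.
    if (-not (Test-SpnOnAccount $spn $NewAccount)) {
        & setspn -S $spn $NewAccount
    }
}

# Step 3: verify. Each SPN must be on the new account and gone from the old one.
$problems = foreach ($spn in $spns) {
    if (Test-SpnOnAccount $spn $OldAccount) { "$spn is still registered on $OldAccount" }
    if (-not (Test-SpnOnAccount $spn $NewAccount)) { "$spn is missing from $NewAccount" }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    Write-Error "SPN reassignment is incomplete."
} else {
    Write-Output "PIServer SPNs are registered only on ${NewAccount}."
}
```

The script judges success from the `setspn -L` listings rather than from the exit codes of the individual commands, so a registration that `-S` refused because of a duplicate shows up as a missing SPN in the final check.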