Fix SPNs without learning Kerberos.
SqlSpnManager is a PowerShell module for SQL DBAs and sysadmins. It builds the right SPNs from your scenario, runs the forest-wide duplicate check, and registers them — or hands you a clean script for your AD admin when you don't have write rights yourself.
BEFORE — the afternoon you lost
SSPI handshake failed.
AFTER — with SqlSpnManager
Auth works. Audit log written. -T injected for you.
AD ADMIN — the handoff lands
Audit, then run. setspn lines — nothing else.
The shortest version
If you've spent two hours staring at "Cannot generate SSPI context" and gone down four different rabbit holes, SqlSpnManager is for you. The everyday call:
```powershell
Import-Module SqlSpnManager
Start-SqlSpnManager        # interactive wizard, or:
Start-SqlSpnConfiguration `
    -SamAccountName 'svc_sql_prod' `
    -Scenario Standalone -Role Engine `
    -TargetName 'SQLSRV01' -Force
```
Behind each command: deterministic SPN-string construction, forest-wide duplicate detection before any registration, an AD-write preflight check, per-invocation audit log, and a clean handoff bundle for when you don't own AD yourself. You don't have to know any of that to use it.
Why this exists
Most SQL DBAs hit SPN problems three or four times a career and learn it the hard way each time: from scratch, from a Microsoft doc that's two SQL versions out of date, from an AI that gave three different answers, and from an internal wiki page that turned out to be wrong.
The full origin story is on the Who it's for page.
What's in the box
- 13 plain-English commands — Start-SqlSpnManager, Start-SqlSpnConfiguration, New-SqlSpnPlan, Invoke-SqlSpnExecutionEngine, Export-SqlSpnRegistrationScript, and friends.
- One private engine — every setspn call goes through the same wrapper, with the forest-wide duplicate check and AD-write preflight built in.
- Per-invocation log files — written under your user profile, pruned after 30 days. Best-effort Windows Event Log emission for SIEM.
- AD-admin handoff bundle — if you don't own AD write rights yourself, render the plan as a clean setspn script with a provenance header your AD admin can audit and run.
- FCI cluster-aware — auto-resolves the cluster Virtual Computer Object (VCO) from the virtual name so SPNs land where they survive failover.
- Cross-forest aware — auto-detects and adds -T <TargetDomain> when the target's DNS suffix differs from the local domain.
- Lab-proven against real AD — Waves 1–3 on Hyper-V (Standalone, AlwaysOn, FCI). 213/213 Pester tests; PSScriptAnalyzer gate clean.
- MPL-2.0 licensed · sole-maintainer project — open-source license; the maintainer writes all the code; bug reports and feature requests welcome via Issues; pull requests closed by policy. Anyone may fork and continue under MPL-2.0 terms, so the project's survival doesn't depend on one person.
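To make the mechanism concrete, here is an added example of the three steps the module automates, as described under "The shortest version" and in the handoff and cross-forest items above: build the documented SPN set for a Database Engine instance, query the global catalog so one lookup covers every domain in the forest, classify each hit as idempotent (already on the intended account) or a real conflict, and render a setspn script with a provenance header for an AD admin. This is example code written for this page, not SqlSpnManager's own implementation; it assumes the RSAT ActiveDirectory module on a domain-joined host, and every host, domain, account and function name in it is hypothetical.

```powershell
# Added example for this page, not SqlSpnManager's code. Assumes the RSAT
# ActiveDirectory module on a domain-joined host; all names below are hypothetical.
Import-Module ActiveDirectory

function New-SqlEngineSpnList {
    param(
        [Parameter(Mandatory)][string]$HostFqdn,   # e.g. SQLSRV01.corp.example (hypothetical)
        [string]$InstanceName,                     # leave empty for the default instance
        [int]$Port = 1433
    )
    # Shape Microsoft documents for the Database Engine: a default instance gets
    # FQDN:port plus bare FQDN; a named instance gets FQDN:instance plus FQDN:port.
    if ([string]::IsNullOrEmpty($InstanceName)) {
        @("MSSQLSvc/${HostFqdn}:${Port}", "MSSQLSvc/${HostFqdn}")
    } else {
        @("MSSQLSvc/${HostFqdn}:${InstanceName}", "MSSQLSvc/${HostFqdn}:${Port}")
    }
}

function Find-SpnOwner {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$IntendedSam,                 # account that should own them
        [string]$GlobalCatalog = (Get-ADForest).GlobalCatalogs[0]   # any GC in the forest
    )
    foreach ($s in $Spn) {
        # Port 3268 is the global-catalog LDAP port, so one query covers every domain
        # in the forest; servicePrincipalName is replicated to the GC.
        $owners = Get-ADObject -Server "${GlobalCatalog}:3268" `
            -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName
        foreach ($o in $owners) {
            # The same SPN on the intended account is harmless; on any other account it
            # is the duplicate that produces "Cannot generate SSPI context".
            $state = if ($o.sAMAccountName -ieq $IntendedSam) { 'AlreadyRegistered' } else { 'Conflict' }
            [pscustomobject]@{ Spn = $s; Owner = $o.sAMAccountName; Location = $o.DistinguishedName; State = $state }
        }
    }
}

function Export-SpnHandoffScript {
    param(
        [Parameter(Mandatory)][string[]]$Spn,
        [Parameter(Mandatory)][string]$Account,      # DOMAIN\sAMAccountName form
        [string]$TargetDomain,                       # set when the host's DNS suffix is in another domain
        [Parameter(Mandatory)][string]$Path
    )
    # Provenance header: who generated the plan, where and when, so the AD admin can
    # audit it before running it.
    $lines = @(
        "REM Generated $(Get-Date -Format o) by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME",
        "REM Target account: $Account   SPN count: $($Spn.Count)"
    )
    # -S adds only after setspn's own duplicate check passes, so a plan that went stale
    # between generation and execution fails closed. -T <domain> scopes that check to
    # the target domain; setspn's usage text places it ahead of the other switches.
    $scope = if ($TargetDomain) { "-T $TargetDomain " } else { '' }
    foreach ($s in $Spn) { $lines += "setspn ${scope}-S $s $Account" }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    return $lines
}

# Constructed usage with hypothetical names: plan, check, and hand off instead of writing AD.
$spns = New-SqlEngineSpnList -HostFqdn 'SQLSRV01.corp.example'
$conflicts = Find-SpnOwner -Spn $spns -IntendedSam 'svc_sql_prod' | Where-Object State -eq 'Conflict'
if ($conflicts) {
    $conflicts | Format-Table -AutoSize
    throw 'Remove the duplicate SPNs from the other account before registering.'
}
Export-SpnHandoffScript -Spn $spns -Account 'CORP\svc_sql_prod' -Path '.\spn-handoff.cmd'
```

The point of splitting AlreadyRegistered from Conflict is that re-running a plan must be safe: an SPN already sitting on the right account is not an error, while the same SPN on any other account anywhere in the forest is the exact condition that breaks the SSPI handshake, and it has to be removed there before anything is added here.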
Status: v1.4.0 ready. Currently distributed via the GitHub repository (PowerShell Gallery publish pending the owner's pre-publish quality bar). License and contribution policy are as listed above; see Who it's for for the reasoning.