Listing what's already mapped

Christopher D. Clausen cclausen at
Mon Oct 1 11:27:22 EDT 2007

treschaud33 at wrote:
> How can I list all the servers that I have mapped with the Ktpass
> command?
> We are using Kerberos for SSO from our Middle Tier application that we
> develop.  To make this work I must map the middle Tier's servername
> with an account in the domain.  Here's a sample ktpass command that I
> use to do this:
>     ktpass -princ HTTP/server10 at ENGINEERING.CRD.COM -mapuser svruser -
> pass svruserpwd
> I'm working in a development environment and have done this many
> times.  I'd like to know which machines I have already mapped.  How
> can I get the list?  The domain controller is Win Server 2003 SP1

from a cmd.exe prompt (on a computer joined to this domain,) you can run 
net group "domain computers" /domain to get a list all every computer 
account.  (Assuming you are indeed using computer accounts and not user 

You can then run the setspn.exe -L "computername" for each computername 
in the above list to see what mappings have been assigned.

I do not know of a way to specifically list computers with modified SPNs 
without checking each and every object.


More information about the Kerberos mailing list