Set Prevalidation Service Name
Enable this policy to specify the service name to use for prevalidated users and groups. You must use the name you specify in this parameter when you register the Service Principal Name (SPN) for a user or group with the setspn.exe utility. The default value is preval.
Setting the Service Principal Name for a User
For users or groups of users to be prevalidated, their accounts must be active accounts with permission to log on to the local computer, and each account must have a Service Principal Name (SPN) set in the form:
preval/user
where preval is the service name specified by the adclient.prevalidate.service parameter and user is the user's logon name, which is either of the following:
- the name part of the user's UPN, if the domain part matches the user's domain
- the sAMAccountName, if the UPN is empty or the UPN's domain part is different from the user's domain
To enable prevalidation for a user, you can use the Windows setspn.exe utility to add a Service Principal Name for the user. For example, to register the Service Principal Name for the user kai@arcade.com using preval as the service name, you could type a command similar to the following in a Windows Command Prompt window:
setspn -A preval/kai kai
This setspn command registers the SPN in Active Directory for the preval service and the specified user account, the Active Directory user kai. On the computers where this user is allowed to be prevalidated, the user can be authenticated without having logged on previously.
Setting the Service Principal Name for Group Members
If you are allowing prevalidation for an administrative group, you must register a Service Principal Name for each member of the group. For example, if you are allowing prevalidation for the admins group and this group has five members, you would use the setspn.exe utility to register a Service Principal Name for each of those members.
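The following PowerShell script is an added example, not part of this documentation, showing how the naming rule above (UPN name part when the UPN domain matches the account's domain, otherwise sAMAccountName) can be applied to every member of a group before calling setspn. It assumes the ActiveDirectory module and setspn.exe are available on a domain-joined Windows host; the group name admins and service name preval are placeholders to adjust for your environment.

```powershell
# Added example: build the prevalidation SPN for each member of an AD group and
# register it with setspn. Not from the Delinea/Centrify documentation.
param(
    [string]$GroupName   = 'admins',   # placeholder group from the text above
    [string]$ServiceName = 'preval',   # must match adclient.prevalidate.service
    [switch]$Register                  # without this switch only the plan is printed
)
Import-Module ActiveDirectory

function Get-PrevalidationPrincipalName {
    param($User)   # object from Get-ADUser with UserPrincipalName and SamAccountName
    # The account's own domain is derived from the DC= components of its DN
    $dcParts    = ($User.DistinguishedName -split ',') | Where-Object { $_ -like 'DC=*' }
    $userDomain = ($dcParts | ForEach-Object { $_.Substring(3) }) -join '.'
    $upn = $User.UserPrincipalName
    if ($upn -and $upn.Contains('@')) {
        $name, $upnDomain = $upn.Split('@', 2)
        if ($upnDomain -ieq $userDomain) { return $name }   # UPN domain matches: use name part
    }
    return $User.SamAccountName   # UPN empty or its domain differs: use sAMAccountName
}

# Nested groups are expanded so every user who would inherit membership is covered
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    $user = Get-ADUser -Identity $m.DistinguishedName -Properties UserPrincipalName, SamAccountName
    if (-not $user.Enabled) {
        # Prevalidation requires an active account, so disabled accounts are skipped
        Write-Warning "$($user.SamAccountName) is disabled; skipping"
        continue
    }
    $spn = "$ServiceName/$(Get-PrevalidationPrincipalName $user)"
    # setspn -Q checks whether the SPN already exists anywhere in the forest,
    # which avoids creating a duplicate SPN on a second account
    $query = & setspn.exe -Q $spn 2>&1
    if ($query -match 'Existing SPN found') {
        Write-Host "$spn is already registered"
        continue
    }
    Write-Host "setspn -A $spn $($user.SamAccountName)"
    if ($Register) { & setspn.exe -A $spn $user.SamAccountName }
}
```

Run it without -Register first to review the planned SPNs against the membership list, then with -Register to apply them.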