Service Principal Names are used to support mutual authentication between a client application and a service. In order for the EAS service to deliver email to the device, the EAS server must be furnished with an SPN from the Active Directory (AD) server.

This step must be completed whether or not you use a Secure Email Gateway (SEG). Instructions at the end of this topic direct you to the next step for either case, SEG or no SEG.

First, you must create an SPN for the EAS server.

There are two methods to add SPNs. Both require a domain account that has write access to Active Directory.

  • Command line prompt.
  • The ADSIedit module.


From the Command Line

Setspn -A http/<internaladdress> domain/computeraccountname


From ADSIedit

  1. From the domain controller, open ADSI Edit using one of the following methods:
    1. Open MMC and add the ADSI Edit snap-in, or
    2. Open the Run menu and type adsiedit.msc.
  2. Right-click ADSI Edit.
  3. In the Connections Settings window, select Select a well known Naming Context.
  4. Click the drop-down arrow and select Default naming context.
  5. Select Default (Domain or server that you logged in to).
  6. Click OK.

  7. Click the + box to expand the directory of folders.

  8. In the right pane, locate the server where SPN is set, right-click it and select Properties. The Properties window for the SPN server displays.


  9. In the Attribute Editor tab, locate and select servicePrincipalName.

  10. Click Edit. A Multi-valued String Editor dialog box opens.


  11. In the Value to add field, type the required SPN, select Add after each entry, and then select OK twice to close the dialog box.

  12. Close ADSI Edit.
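Whichever method you use, it is worth confirming that the SPN ended up on exactly one account, because an SPN registered on more than one object breaks Kerberos authentication for the service. The following PowerShell is an added example, not part of the original procedure. The SPN and account values are constructed placeholders, the function names are hypothetical, and the account is assumed to be given in DOMAIN\name form.

```powershell
# Added example. All values below are constructed placeholders.
$Spn     = 'http/eas.internal.example.com'   # hypothetical http/<internaladdress>
$Account = 'EXAMPLE\EASSERVER01'             # hypothetical computer account

function Find-SpnOwner {
    # Returns the distinguished name of every object in the current
    # domain that carries the given SPN.
    param([Parameter(Mandatory)][string]$Spn)

    # Escape LDAP filter metacharacters (RFC 4515) before building the filter.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28' -replace '\)', '\29'

    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) {
        $result.Properties['distinguishedname'][0]
    }
}

function Register-SpnIfAbsent {
    param(
        [Parameter(Mandatory)][string]$Spn,
        [Parameter(Mandatory)][string]$Account
    )
    $owners = @(Find-SpnOwner -Spn $Spn)

    if ($owners.Count -eq 0) {
        # setspn -S verifies that no duplicate exists, then adds the SPN.
        setspn -S $Spn $Account
        $owners = @(Find-SpnOwner -Spn $Spn)
    }
    if ($owners.Count -gt 1) {
        # The same SPN on more than one object causes Kerberos
        # authentication failures for the service.
        Write-Warning "Duplicate SPN '$Spn' on: $($owners -join '; ')"
    }
    $owners
}

Register-SpnIfAbsent -Spn $Spn -Account $Account
setspn -L $Account   # list every SPN now registered on the account
```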

If you are not using a SEG, skip to Configure Service Account Delegation Rights on TMG. Otherwise, proceed to Create a Service Principal Name (SPN) for the SEG.