We have an application that required a SPN to be added to a computer object. I ran the following commands to create the SPN:
"C:\Users\<username>>ktpass /pass abcd.1234 /mapuser server11 /princ HTTP/selfserve-dev.<domain>.com@<DOMAIN>.COM /ptype KRB5_NT_PRINCIPAL /Target <domain>.com
Successfully mapped HTTP/selfserve-dev.<domain>.com to server11.
Password succesfully set!
Key created.
C:\Users\<username>>ktpass /pass abcd.1234 /out server11.http.keytab /princHTTP/selfserve-dev.<domain>.com@<DOMAIN>.COM /ptype KRB5_NT_PRINCIPAL /Target <domain>.com
NOTE: creating a keytab but not mapping principal to any user. For the account to work within a Windows domain, the principal must be mapped to an account, either at the domain level (with /mapuser) or locally (using ksetup) If you intend to map HTTP/selfserve-dev.<domain>.com@<DOMAIN>.COM to an account through other means or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems. Key created.
Output keytab to server11.http.keytab:"
So it would appear that everything worked. However, when I look at the attributes tab for the server11 computer object, the servicePrincipalName is set to "host/server11.<domain>.com". Why would this be? Maybe I am missing something?