Universal Active Directory Kerberos SPN management framework.
SQL Server is Provider 0. Every AD-integrated service type that needs Kerberos is a registered provider: IIS, Remote Desktop Services, ADFS, Exchange, SharePoint, File Services, WinRM, DNS, Certificate Services, DFS, and more.
SpnForge manages the complete SPN lifecycle for any registered provider:
| Step | What Happens |
|---|---|
| Sense | Auto-discovers service instances, ports, and service accounts without user input |
| Propose | Builds the correct SPN strings for the discovered configuration |
| Test | Validates the plan against AD — preflight ACL check, duplicate detection |
| Record | Logs every action with provenance (module version, commit SHA, run ID, timestamp) |
| Implement | Registers SPNs via setspn when the caller has AD write rights |
| Pass-Off | Exports a setspn command bundle for AD admins in segregated environments |
Providers that auto-register (TERMSRV, WSMAN, HOST, etc.) run in audit mode: SpnForge detects drift between the expected SPN set and what's actually in AD, then generates a remediation handoff.
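A worked illustration of the audit-mode drift check and remediation handoff described above, as an added PowerShell example that is not SpnForge's own code; the function names, the host name, the account name and the SPN lists are constructed.

```powershell
# Added example (not SpnForge code). Compares the expected SPN set for one host
# against what is actually in AD and builds a setspn remediation bundle.
# In practice the actual set would come from `setspn -L <account>` or the
# servicePrincipalName attribute via Get-ADComputer; here it is constructed.

function Get-SpnDrift {
    param(
        [Parameter(Mandatory)] [string[]] $Expected,
        [Parameter(Mandatory)] [string[]] $Actual
    )
    # SPN comparison in AD is case-insensitive; normalise before diffing.
    $exp = $Expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    $act = $Actual   | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    [pscustomobject]@{
        Missing    = @($exp | Where-Object { $act -notcontains $_ })  # expected but absent
        Unexpected = @($act | Where-Object { $exp -notcontains $_ })  # present but not planned
    }
}

function New-SpnHandoff {
    param(
        [Parameter(Mandatory)] [string] $Account,
        [Parameter(Mandatory)] $Drift
    )
    # setspn -S refuses to add a duplicate SPN; -D removes one. Removals are
    # emitted commented out so an AD admin reviews them before running.
    $lines  = @("# Remediation bundle for $Account (generated $(Get-Date -Format o))")
    $lines += @($Drift.Missing    | ForEach-Object { "setspn -S $_ $Account" })
    $lines += @($Drift.Unexpected | ForEach-Object { "# review before removing: setspn -D $_ $Account" })
    $lines
}

# Constructed sample: an RDS host whose TERMSRV and HOST SPNs belong on its computer account.
$expected = @('TERMSRV/rds01', 'TERMSRV/rds01.corp.example', 'HOST/rds01', 'HOST/rds01.corp.example')
$actual   = @('HOST/RDS01', 'HOST/RDS01.corp.example', 'TERMSRV/rds01', 'TERMSRV/rds01-old.corp.example')

$drift = Get-SpnDrift -Expected $expected -Actual $actual
New-SpnHandoff -Account 'CORP\RDS01$' -Drift $drift
```

For the sample above the bundle contains one `setspn -S termsrv/rds01.corp.example` line and one commented `-D` line for the stale `rds01-old` SPN, while the differently-cased HOST entries are treated as matches.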
SqlSpnManager continues shipping independently as a focused SQL SPN tool. SpnForge absorbs all of its SQL logic as Provider SQL.Engine. Changes to SQL SPN handling in SpnForge backport to SqlSpnManager per the sync discipline in Docs/SYNC-DISCIPLINE.md.
All providers are defined in providers.json. Each row drives the sense → propose → test → implement → pass-off pipeline. Status values: Implemented | Planned | Partial | Unavailable.
v0.1.0 — Planning release. Full provider registry, decision records, UML contracts, and test scaffolding. Implementation phases begin after the lab environment is provisioned.
Mozilla Public License 2.0