Registering service principal names
To enable prevalidation for a user, you can use the Windows setspn.exe utility to add a service principal name for the user. For example, to register the service principal name for the user firstname.lastname@example.org using preval as the service name, you could type a command similar to the following in a Windows Command Prompt window:
setspn -A preval/kai kai
This setspn command registers the SPN in Active Directory for the preval service for the specified user account, the Active Directory user kai. On the computers where this user is allowed to be prevalidated, the user can be authenticated without having logged on previously.
If you are allowing prevalidation for an administrative group, you must register a service principal name (SPN) for each member of the group. For example, if you are allowing prevalidation for the admins group and this group has five members, you would use the setspn.exe utility to register a Service Principal Name for each of those members.