My problem as a consultant is finding an AD admin that even knows what an SPN is, much less understanding how they work with applications like MSCRM, Share Point and Business Portal.
Sometimes I do not see an SPN for the default instance but there are SPNs for subsequent instances. It's the result of using accounts for the services that do not have the right to create the attributes in the LDAP database.
I would expect, as a consultant, you would be able to 'guide' any domain administrator with setting this up.
That 'problem' might be part of why someone might use a consultant.
Don't complain too loudly about this.:-D
Very few accounts have the ability to write information to AD.
And running a service under an account that can do this might open up some security holes.
Not a best practice.
NT Authority System comes to mind, along with SQL Injection.