Service Principal Names (SPN) in Active Directory

Service principal names are associated with the security principal (user or group) in whose security context the service executes. SPNs are used to support mutual authentication between a client application and a service. An SPN is assembled from information that a client knows about a service, or that it obtains from a trusted third party such as Active Directory. A service principal name is associated with an account, and an account can have many service principal names.

Service Principal Names Syntax

A service uses the following elements to compose a service principal name.

The basic syntax of service principal name is as follows:

<service type>/<instance name>:<port number>/<service name>

where the elements of the syntax have the following meanings:

Service type: Type of service, such as "www" for World Wide Web service or "ldap" for Lightweight Directory Access Protocol.

Instance name: Name of the instance of the service. Depending upon the service type, it is either the name or IP address of the host running the service.

Port number: Number of the port used by the service on the host, if it is different from the default for the service type.

Service name: Name of the service. The name can be the DNS name of a host, of a replicated service, or of a domain; or it can be the distinguished name of a service connection point object or of an RPC service object.

If service name and instance name are the same, as they are for most host-based services, then a service principal name can be abbreviated to two components:

<service type>/<instance name>:<port number>

If the port number is different from the default for the specified service type, you must specify it.

<service type>/<instance name>

If the port number is the default port number for the service type, you do not need to specify it. This form is intended to be compatible with the Generic Security Services API (GSS-API) form.

Creating the Service Principal Name

A client creates the service principal name for a service. A service principal name can be one of the following: the DNS name of a domain, the DNS name of a host, or the distinguished name of a service connection point object. The SPN is the same for any method of authentication.

When using Kerberos to authenticate itself to a server, the client requests a session ticket for the service principal name; when using certificate-based authentication, the SPN is validated against the contents of the "SubjectName" field of the certificate of the server.

Host-Based Service Named in DNS

A host-based service is a service that is identified by the name of the host on which the service runs. In such cases, the service principal name of the service is as follows:

<service type>/<host name>:<port number>

Or, if the service is using the default port for the specified service type, the SPN can be abbreviated to the following:

<service type>/<host name>

Services Named in the Directory Service

The service principal name for services named in the directory service has the following syntax:

<service type>/<host name>:<port number>/<distinguished name>

where the elements of the syntax have the following meanings:

Service type: Type of service that is sought (for example, "print").

Distinguished name: Distinguished name, in the format specified by Request for Comments (RFC) 1779 of the Internet Engineering Task Force, of an instance of the service type (for example, "cn=bldg26,dc=ntdom,dc=reskit,dc=com").

Host name: DNS name of the host running an instance of the distinguished name.

Domain name: Name of the domain that contains the account running the service specified by the distinguished name (formed from the "dc=" components of the distinguished name).

For example, the service principal name for the print service for the NTDOM group in building 26 at Reskit, whose distinguished name is "cn=bldg26,dc=ntdom,dc=reskit,dc=com", which is running on nonstandard port number 1234 on host "prt1.ntdom.reskit.com", is as follows:

print/prt1.ntdom.reskit.com:1234/cn=bldg26,dc=ntdom,dc=reskit,dc=com
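The following Python is an added example, not code from the original page: it parses and composes SPNs in the syntax described in the sections above (the host-based abbreviation with and without a port, and the directory-service form with a distinguished name), and then uses that canonical form for the check an AD administrator most often needs, finding an SPN registered on more than one account. The account names and SPN lists fed to it are constructed sample data.

```python
# Added example, not code from the original page. It implements the SPN syntax
# described above: <service type>/<instance name>[:<port>][/<service name>].
# Assumes instance names are DNS host names or IPv4 addresses (no IPv6 literals).
from typing import Dict, List, Optional, Tuple

Spn = Tuple[str, str, Optional[int], Optional[str]]


def parse_spn(text: str) -> Spn:
    """Return (service type, instance name, port, service name).
    Only the first two '/' are separators, so an RFC 1779 distinguished name in
    the service-name position keeps its ',' and '='. Service type and host name
    are lower-cased (they compare case-insensitively); a service name that just
    repeats the host is dropped (the host-based abbreviation). Raises ValueError
    on input outside the syntax."""
    parts = text.split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"expected <service type>/<instance name>: {text!r}")
    instance, port = parts[1], None
    if ":" in instance:
        instance, port_text = instance.rsplit(":", 1)
        if not port_text.isdigit() or not 0 < int(port_text) < 65536:
            raise ValueError(f"invalid port number: {text!r}")
        port = int(port_text)
    service_name = parts[2] if len(parts) == 3 and parts[2] else None
    if service_name is not None and service_name.lower() == instance.lower():
        service_name = None
    return parts[0].lower(), instance.lower(), port, service_name


def format_spn(spn: Spn) -> str:
    """Compose the canonical string form, omitting defaulted components."""
    service_type, instance, port, service_name = spn
    text = f"{service_type}/{instance}"
    if port is not None:
        text += f":{port}"
    if service_name is not None:
        text += f"/{service_name}"
    return text


def duplicate_spns(registrations: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each SPN registered on more than one account to those accounts.
    registrations: account name -> SPNs from its servicePrincipalName attribute.
    A duplicated SPN leaves the KDC unable to choose which account's key should
    encrypt the service ticket, so Kerberos logons to that service fail."""
    owners: Dict[str, List[str]] = {}
    for account, spns in registrations.items():
        for spn in spns:
            owners.setdefault(format_spn(parse_spn(spn)), []).append(account)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}
```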




Designed by TechieBird