!!! Overview
[{$pagename}] ([SPN]) is the name a [client] uses to identify a service for [mutual Authentication] as defined in [RFC 1964] section 2.1.1. 

!! Details
There are two basic types of [{$pagename}]:
* Host-Based Service Named in DNS
* Services Named in the [Directory Service] 

! Host-Based Service Named in DNS

{{{
< service type >/< host name >:< port number >
or
< service type >/< host name >
}}}

! Services Named in the [Directory Service]
{{{
< service type >/< host name >:< port number >/< distinguished name >
}}}

* service type - Type of service that is sought (for example, "print").
* [Distinguished Name] - [Distinguished Name], in the format specified by [RFC 1779], of an instance of the given service type (for example, "cn=bldg26,dc=ntdom,dc=example,dc=com").
* host name - [DNS] name of the host running the instance named by the [Distinguished Name].
* domain name - Name of the domain ([AD DOMAIN]) that contains the account running the service specified by the [Distinguished Name] (formed from the "dc=" components of the distinguished name, for example "dc=ntdom,dc=example,dc=com").

If you install multiple instances of a service on computers throughout an [AD Forest], each instance must have its own __unique__ [SPN]. A given service instance can have multiple [SPNs] if there are multiple names that clients might use for [authentication]. 

For example, an [SPN] always includes the name of the host computer on which the service instance is running, so a service instance might register an [SPN] for each name or alias of its host. For more information about SPN format and composing a unique SPN, see Name Formats for Unique SPNs.

The [{$pagename}] is the [Service-Principal]'s unique ID within the [Kerberos Database].

!! The Role of the SPN in [Kerberos] [Authentication]
When an application opens a connection using [Kerberos] Authentication, a default SPN is constructed based on the protocol used, the server name, and the instance name.

The SPN is sent to the [Key Distribution Center|KDC] to obtain a security token for authenticating the connection.

!! Constructions of SPNs
When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

An SPN has the following form:
{{{
<service type>/<host>:<port>/<service name>
}}}

In this form, "<service type>" and "<host>" are required. "<port>" and "<service name>" are optional.

Typically, the client recognizes the "<service type>" part of the name, and recognizes which of the optional components to include in the [SPN]. The client can retrieve components of the SPN from sources such as a [ServiceConnectionPoint] ([SCP]) or user input. 

For example, the client can read the [serviceDNSName] [attributeType] of a service's [serviceConnectionPoints] to get the "<host>" component. The [serviceDNSName] [attributeType] contains either the [DNS] name of the server on which the service instance is running or the [DNS] name of [SRV] records containing the host data for service replicas. The "<service name>" component, used only for services capable of Replication, can be the [Distinguished Name] of the service's SCP, the [DNS] name of the domain served by the service, or the [DNS] name of [SRV] or [MX] records.
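The following is an added example, not part of the original page or of any Microsoft tooling: it parses the SPN form given above and flags the same SPN registered on more than one account, which violates the uniqueness requirement. The account names and SPNs are constructed sample data; a numeric "<port>" and case-insensitive comparison are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Assumption: <service type> and <host> contain no "/" or ":", and <port> is decimal.
_SPN_RE = re.compile(
    r"^(?P<service_type>[^/:]+)/(?P<host>[^/:]+)"
    r"(?::(?P<port>\d+))?(?:/(?P<service_name>.+))?$"
)

def parse_spn(spn):
    """Split an SPN into components; <service type> and <host> are required."""
    m = _SPN_RE.match(spn.strip())
    if not m:
        raise ValueError(f"not a valid SPN: {spn!r}")
    parts = m.groupdict()
    if parts["port"] is not None:
        parts["port"] = int(parts["port"])
        if not 0 < parts["port"] < 65536:
            raise ValueError(f"port out of range in SPN: {spn!r}")
    return parts

def canonical(spn):
    """Validate, then lower-case for comparison (assumption: case-insensitive match)."""
    parse_spn(spn)
    return spn.strip().lower()

def find_duplicates(registrations):
    """registrations: {account: [spn, ...]} -> {spn: [accounts]} for SPNs on >1 account."""
    owners = defaultdict(set)
    for account, spns in registrations.items():
        for spn in spns:
            owners[canonical(spn)].add(account)
    return {s: sorted(a) for s, a in owners.items() if len(a) > 1}

# Constructed sample registrations (hypothetical account names).
SAMPLE = {
    "svc-print": ["print/bldg26.ntdom.example.com:1234/cn=bldg26,dc=ntdom,dc=example,dc=com"],
    "svc-web1": ["HTTP/web01.ntdom.example.com", "HTTP/web01"],
    "svc-web2": ["http/WEB01.ntdom.example.com"],
}

if __name__ == "__main__":
    for spns in SAMPLE.values():
        for s in spns:
            print(parse_spn(s))
    for spn, accounts in find_duplicates(SAMPLE).items():
        print("duplicate SPN:", spn, "registered on", ", ".join(accounts))
```
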

!! [Manual SPN Registration|SPN Registration]
Typically, [{$pagename}] entries are generated by the service automatically. Occasionally you may need to perform [SPN Registration] manually.
