Overview#

ServicePrincipalName (SPN) is the name a client uses to identify a service for mutual Authentication as defined in RFC 1964 section 2.1.1.

Details#

Two basic types of ServicePrincipalName:

• Host-Based Service Named in DNS
• Services Named in the Directory Service

Host-Based Service Named in DNS#

< service type >/< host name >:< port number >
or
< service type >/< host name >

Services Named in the Directory Service#

< service type >/< host name >:< port number >/< distinguished name >

• service type - Type of service that is sought (for example, "print").
• Distinguished Name - Distinguished Name in the format specified by RFC 1779, of an instance of the service type service type (for example, "cn=bldg26,dc=ntdom,dc=example,dc=com").
• host name - DNS name of the host running an instance of Distinguished Name
• domain name - Name of the domain (AD DOMAIN that contains the account running the service specified by Distinguished Name (formed from the "dc=" components of distinguished name "dc=ntdom,dc=example,dc=com").

If you install multiple instances of a service on computers throughout a AD Forest, each instance must have its own unique SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication.

For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. For more information about SPN format and composing a unique SPN, see Name Formats for Unique SPNs.

The ServicePrincipalName is the Service-Principal's unique ID within the Kerberos Database.

The Role of the SPN in Kerberos Authentication#

When an application opens a connection using Kerberos Authentication a default SPN is constructed based on the protocol used, server name, and the instance name.

The SPN is sent to the Key Distribution Center to obtain a security token for authenticating the connection.

Constructions of SPNs#

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

The form of an SPN is as shown in the following form:

< service type >/<host>:<port>/<service name>

In this form, "<service type>" and "<host>" are required. "<port>" and "<service name>" optional.

Typically, the client recognizes the "<service type>" part of the name, and recognizes which of the optional components to include in the SPN. The client can retrieve components of the SPN from sources such as a ServiceConnectionPoint (SCP) or user input.

For example, the client can read the serviceDNSName attributeType of a service's serviceConnectionPoints to get the "<host>" component. The serviceDNSName attributeType contains either the DNS name of the server on which the service instance is running or the DNS name of SRV records containing the host data for service replicas. The "<service name>" component, used only for services capable of Replication, can be the Distinguished Name of the service's SCP, the DNS name of the domain served by the service, or the DNS name of SRV or MX records.

Manual SPN Registration#

Typically ServicePrincipalName entries are generated by the service automatically. Occasionally you may need to manually SPN Registration

More Information#

There might be more information for this subject on one of the following:

• AS_REP
• AS_REQ
• Ambiguous Name Resolution
• Channel Binding
• Group Managed Service Account
• Kerberos
• Kerberos Delegation
• Kerberos Principal
• Kerberos SSP
• SPN
• Standalone Managed Service Account
• Ticket Granting Ticket
• User