A service principal name (SPN) is a principal for a service. Its format is:
Service Class/<host name>
where:
Generally, the service class name can be any string that is unique to the service class.
An SPN (Service Principal Name) is a unique name that identifies an instance of a service and is associated with the logon account under which the service instance runs.
It provides a mapping between the AD user account and the service instance and allows for the multipart name format used in Kerberos principal names (e.g. HTTP/hostname.dns.com).
The SPN is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect.
Service Principal Names MUST be unique across the entire Active Directory (LDAP) forest.
Service Principal Names define which services run under the account's security context.
Service Principal Names can be assigned to either:
Service Principal Names can be defined on user accounts when a service or application runs under that user's security context. These types of user accounts are typically known as "Service Accounts". It is very important to understand that Service Principal Names MUST be unique throughout the entire Active Directory forest.
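The two points above (the Service Class/<host name> format and the forest-wide uniqueness requirement) can be checked mechanically. The following Python is an added example, not code from the original page: it parses an SPN into its components and reports any SPN that is registered on more than one account. The account records and SPN values are constructed sample data that mimic servicePrincipalName attribute values; the only name taken from the page is the myHost account and its HTTP/myHost.gerardnico.com SPN. Comparison is case-insensitive, since Active Directory matches servicePrincipalName values without regard to case.

```python
import re
from collections import defaultdict

# SPN format described on this page, with the optional port/instance and
# service-name parts that Windows also allows:
#   <service class>/<host name>[:<port or instance>][/<service name>]
SPN_RE = re.compile(
    r"^(?P<service_class>[^/:]+)/"
    r"(?P<host>[^/:]+)"
    r"(?::(?P<port_or_instance>[^/]+))?"
    r"(?:/(?P<service_name>.+))?$"
)


def parse_spn(spn):
    """Split an SPN into its components; raise ValueError if it is malformed."""
    match = SPN_RE.match(spn)
    if not match:
        raise ValueError(f"malformed SPN: {spn!r}")
    return match.groupdict()


def parse_kerberos_principal(principal):
    """A Kerberos service principal as shown by klist is an SPN followed by
    @REALM; strip the realm and parse the SPN part."""
    spn, _, realm = principal.partition("@")
    parts = parse_spn(spn)
    parts["realm"] = realm or None
    return parts


def find_duplicate_spns(accounts):
    """accounts: mapping of account name -> list of servicePrincipalName values.

    Returns a mapping of lower-cased SPN -> sorted list of account names for
    every SPN that is held by more than one account (a uniqueness violation
    that prevents the KDC from deciding which key to use)."""
    holders = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            parse_spn(spn)  # reject malformed values before comparing
            holders[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}


# Constructed sample data: a computer account, a service account that
# accidentally registered the same HTTP SPN (different case), and a SQL
# service account with a port-qualified SPN.
SAMPLE_ACCOUNTS = {
    "myHost": ["HOST/myHost", "HOST/myHost.gerardnico.com", "HTTP/myHost.gerardnico.com"],
    "svc_web": ["http/myhost.gerardnico.com"],
    "svc_sql": ["MSSQLSvc/db01.gerardnico.com:1433"],
}


if __name__ == "__main__":
    for spn, accts in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn} on accounts: {', '.join(accts)}")
    print(parse_kerberos_principal("hive/FQhostName@REALM"))
```

In a real forest the SAMPLE_ACCOUNTS mapping would be filled from an LDAP query for the servicePrincipalName attribute (the built-in `setspn -X` performs the same duplicate search); the parsing and comparison logic stays the same.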
Some typical scenarios when a user account has a Service Principal Name defined are:
Windows account names are not multipart like Kerberos principal names are. Because of this, it is not possible to directly create an account with the name HTTP/hostname.dns.com. Such a principal instance is created instead through a service principal name mapping: an account is created with a meaningful name such as hostname, and a service principal name mapping is added for HTTP/hostname.dns.com.
The SPN of an Active Directory object is an attribute of the object, and can only hold a single value.
The attribute name is servicePrincipalName.
Use the setspn command to map the Kerberos service principal name, HTTP/, to a Microsoft user account. An example of setspn usage is as follows:
C:\Program Files\Support Tools>
setspn -A HTTP/myHost.gerardnico.com myHost
where:
Utilities
setspn -L
You can also see them with the MIT klist command:
klist
Ticket cache: API:Initial default ccache
Default principal: gerardn@REALM
Valid starting Expires Service principal
07/26/18 10:57:05 07/26/18 20:57:05 krbtgt/REALM@REALM
renew until 08/02/18 07:57:05
07/26/18 10:57:05 07/26/18 20:57:05 hive/FQhostName@REALM
renew until 08/02/18 07:57:05