Service Principal Names

As Microsoft describes it:

A service principal name (SPN) is a unique identifier of a service instance.

So what does that actually mean?

Professionals’ opinions and descriptions

  • Simple opinion

SPN is an authenticating tool for Windows services.

Kerberos is a user authentication service

SPNEGO-GSSAPI is the third party API to be able to use those services.

SSPI: the neutral layer used to send requests from SPNEGO to the SPN service.

  • Another one


SPN simply means ‘Server Principal Name’ and is the AD or Kerberos slang for the service you try to authenticate against.

Kerberos is a user authentication service, more or less yes. It also provides security for network messages and calls between services.

  • Another one

A specific service-class is bound to a specific account

  • Microsoft Blog opinion

It is an alias (or pointer) for a domain account or client name; like DNS, it is just a pointer telling the domain what this account is doing in the domain and what services are trying to authenticate there.

My opinion

By default, the service registers the SPNs it needs itself, provided the account it runs under has permission to do so.

HTTP/server1 is an alias for the domain account server1, allowing it to act as (and authenticate as) the HTTP service.

The SPN “HTTP/server1” is an entry in the servicePrincipalName attribute of the account server1 in the Windows Active Directory domain MyDomain.com,

telling the domain that the server server1 is acting as an HTTP service.

The same applies to the mail server, SQL Server and every other service that requires this kind of (Kerberos) authentication.

To list the SPNs registered on a host or account:

setspn -L <host or account name>

Each entry has the form servicename/servername or servicename/accountname; a typical computer account lists entries such as:

MSOMHSvc/servername

CmRcService/servername

WSMAN/servername

TERMSRV/servername

RestrictedKrbHost/servername

Syntax for SetSPN.exe

The syntax for SetSPN.exe is:

setspn { -A SPN | -D SPN | -L } service_account

Arguments

-A

Adds the specified SPN to the account.

-D

Deletes the specified SPN from the account.

-L

Lists all SPNs registered to the account.

Examples

If an instance of SQL Server is running as a domain user (MyDomain\MySQLAccount) on a computer that is named MySQLHost, the following commands can be used to set the appropriate SPNs:

setspn -A http/MySQLHost MyDomain\MySQLAccount
setspn -A http/MySqlHost.Mydomain.Mycorp.com MyDomain\
Ref: https://msdn.microsoft.com/en-us/library/ms178119(v=sql.105).aspx

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx

Format

serviceclass/host:port servicename

The elements of an SPN are:

serviceclass: A string that identifies the general class of service; for example, “SqlServer”. There are well-known service class names, such as “www” for a Web service or “ldap” for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name.

host: The name of the computer on which the service is running. This can be a fully-qualified DNS name or a NetBIOS name. Be aware that NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique.

port: An optional TCP or UDP port number to differentiate between multiple instances of the same service class on a single host computer. Omit this component if the service uses the default port for its service class.

servicename: An optional name used in the SPNs of a replicable service to identify the data or services provided by the service or the domain served by the service. This component can have one of the following formats:

  • The distinguished name or objectGUID of an object in Active Directory Domain Services, such as a service connection point (SCP).
  • The DNS name of the domain for a service that provides a specified service for a domain as a whole.
  • The DNS name of an SRV or MX record.
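As an added example (not part of the original post and not a Microsoft tool), the following Python script parses SPNs in the serviceclass/host:port/servicename format described above and, over a constructed set of per-account listings resembling setspn -L output, reports any SPN registered on more than one account, a common cause of Kerberos authentication failures. The account and host names are constructed; MSSQLSvc is the real service class used by SQL Server.

```python
import re
from collections import defaultdict

# Constructed parser for the serviceclass/host:port/servicename format on this page.
# It does not talk to a domain; input is a list of SPN strings.
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/]+)/(?P<host>[^:/]+)(?::(?P<port>\d{1,5}))?(?:/(?P<servicename>.+))?$"
)

def parse_spn(spn):
    """Split an SPN into its elements; raise ValueError on malformed input."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    parts = m.groupdict()
    if parts["port"] is not None:
        port = int(parts["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in SPN: {spn!r}")
        parts["port"] = port
    # A host without a dot is a NetBIOS name, which (as noted above) need not be
    # unique in the forest; an FQDN host is the safer registration.
    parts["host_is_fqdn"] = "." in parts["host"]
    return parts

def find_duplicate_spns(registrations):
    """registrations: {account: [spn, ...]} as setspn -L would list per account.
    Returns {spn_lowercased: [accounts]} for every SPN held by more than one account.
    AD compares servicePrincipalName values case-insensitively, so keys are lowercased."""
    owners = defaultdict(set)
    for account, spns in registrations.items():
        for spn in spns:
            parse_spn(spn)  # reject malformed entries early
            owners[spn.lower()].add(account)
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

# Constructed sample data resembling setspn -L output for three accounts.
SAMPLE = {
    "MyDomain\\MySQLHost$": ["HOST/MySQLHost", "HOST/MySQLHost.mydomain.mycorp.com",
                             "TERMSRV/MySQLHost", "RestrictedKrbHost/MySQLHost"],
    "MyDomain\\MySQLAccount": ["MSSQLSvc/MySQLHost.mydomain.mycorp.com:1433"],
    "MyDomain\\OldSQLAccount": ["mssqlsvc/mysqlhost.mydomain.mycorp.com:1433"],
}

if __name__ == "__main__":
    for spn, accounts in find_duplicate_spns(SAMPLE).items():
        print(f"duplicate SPN {spn} registered on: {', '.join(accounts)}")
```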

Ref:

https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/04/28/what-is-a-spn-and-why-should-you-care/
