Service Principal Names
As Microsoft describes it:
(A service principal name (SPN) is a unique identifier of a service instance.)
So what does that actually mean?
Professionals' opinions and descriptions
- Simple opinion
SPN is an authenticating tool for Windows services.
Kerberos is a user authentication service.
SPNEGO-GSSAPI is the third-party API that lets you use those services.
SSPI is the neutral layer used to send requests from SPNEGO to the SPN service.
- Another one
SPN simply means 'Server Principal Name' and is the AD or Kerberos slang for the service you try to authenticate against.
Kerberos is a user authentication service, more or less, yes. It also provides security for network messages and calls between services.
- Another one
A specific service class is bound to a specific account.
- Microsoft Blog opinion
It is an alias (or pointer) for a domain account or client name; like DNS, it is just a pointer telling the domain what this account is doing in the domain and which services are trying to authenticate there.
My opinion
By default, the service registers the SPNs it needs, provided its account has permission to do so.
HTTP/server1 is an alias that lets the domain account server1 act as (authenticate as) the HTTP service.
The SPN "HTTP/server1" is an entry in the servicePrincipalName attribute of the account server1 in the Active Directory domain MyDomain.com,
telling the domain that the server server1 is acting as an HTTP service.
The same goes for the mail server, SQL Server and every other service that requires this kind of (Kerberos) authentication.
To list the SPNs registered to a host or account:
setspn -L <host or account name>
The entries take the form servicename/servername or servicename/accountname, for example:
MSOMHSvc/servername
CmRcService/servername
WSMAN/servername
TERMSRV/servername
RestrictedKrbHost/servername
Syntax for SetSPN.exe
The syntax for SetSPN.exe is:
setspn { -A SPN | -D SPN | -L } service_account
Arguments
-A  Adds the specified SPN to the account.
-D  Deletes the specified SPN from the account.
-L  Lists all SPNs registered to the account.
Examples
If an instance of SQL Server is running as a domain user (MyDomain\MySQLAccount) on a computer named MySQLHost, the following commands set the appropriate SPNs:
setspn -A http/MySQLHost MyDomain\MySQLAccount
setspn -A http/MySqlHost.Mydomain.Mycorp.com MyDomain\
Ref: https://msdn.microsoft.com/en-us/library/ms178119(v=sql.105).aspx
Service Principal Names (SPNs): SetSPN syntax (Setspn.exe)
An SPN has the form serviceclass/host:port/servicename, where:

| Element | Description |
|---|---|
| serviceclass | A string that identifies the general class of service; for example, "SqlServer". There are well-known service class names, such as "www" for a Web service or "ldap" for a directory service. In general, this can be any string that is unique to the service class. Be aware that the SPN syntax uses a forward slash (/) to separate elements, so this character cannot appear in a service class name. |
| host | The name of the computer on which the service is running. This can be a fully qualified DNS name or a NetBIOS name. Be aware that NetBIOS names are not guaranteed to be unique in a forest, so an SPN that contains a NetBIOS name may not be unique. |
| port | An optional TCP or UDP port number to differentiate between multiple instances of the same service class on a single host computer. Omit this component if the service uses the default port for its service class. |
| servicename | An optional name used in the SPNs of a replicable service to identify the data or services provided by the service or the domain served by the service. This component can have one of the following formats: |
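As an added example (not from the original page or any of the quoted sources), the following Python parses SPNs in the serviceclass/host:port/servicename form described above and flags any SPN registered on more than one account, the duplicate situation that makes Kerberos authentication to that service fail because the KDC cannot pick a single account. The account names and SPN values are constructed, and SPNs are compared case-insensitively, the way Active Directory matches them.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

class SPN(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]

# serviceclass/host[:port][/servicename]: '/' separates elements, ':' introduces the port.
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^/]+))?$"
)

def parse_spn(spn: str) -> SPN:
    """Split an SPN string into its components; reject anything malformed."""
    m = _SPN_RE.match(spn)
    if not m:
        raise ValueError(f"malformed SPN: {spn!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range in SPN: {spn!r}")
    return SPN(m["cls"], m["host"], port, m["name"])

def canonical_spn(spn: str) -> str:
    """Lower-cased form used to compare SPNs (AD matches them case-insensitively)."""
    p = parse_spn(spn)
    out = f"{p.service_class}/{p.host}"
    if p.port is not None:
        out += f":{p.port}"
    if p.service_name:
        out += f"/{p.service_name}"
    return out.lower()

def find_duplicate_spns(accounts: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return {spn: [accounts]} for every SPN found on more than one account
    (accounts maps sAMAccountName -> its servicePrincipalName values)."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[canonical_spn(spn)].add(account)
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

# Constructed sample of servicePrincipalName values per account (not real data).
SAMPLE_ACCOUNTS = {
    "SERVER1$": ["HOST/server1", "TERMSRV/server1", "RestrictedKrbHost/server1"],
    "DC1$": ["ldap/dc1.mydomain.com/mydomain.com", "ldap/dc1.mydomain.com"],
    "MySQLAccount": ["MSSQLSvc/MySqlHost.MyDomain.com:1433", "MSSQLSvc/MySqlHost:1433"],
    "svc-web": ["HTTP/server1", "HTTP/server1.mydomain.com"],
    "svc-web-old": ["http/SERVER1"],  # same SPN as svc-web's, differing only in case
}
```

Feeding it the output of setspn -L for each service account reproduces the duplicate report by hand; here find_duplicate_spns(SAMPLE_ACCOUNTS) reports http/server1 on both svc-web and svc-web-old.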
Ref: https://blogs.msdn.microsoft.com/autz_auth_stuff/2011/04/28/what-is-a-spn-and-why-should-you-care/