  How To Set SPN
 
Subject: How To Set SPN
Author: Alex_Raj
In response to: SPN's role in delegation chain
Posted on: 05/31/2006 03:09:40 PM


The Setspn utility sets SPNs. Because SPNs are security-sensitive, you can only set SPNs for user objects if you have domain administrator privileges.


Setspn

• To add an SPN, you can type the following at a command prompt:

setspn -A ServiceClass/Host:Port AccountName


• To delete an SPN, you can type the following at a command prompt:

setspn -D ServiceClass/Host:Port AccountName


• To view the SPNs that are registered for an account, you can type the following at a command prompt:

setspn -L AccountName


• To reset the default SPN registrations for the host names for an account, you can type the following at a command prompt:

setspn -R AccountName



The following section discusses the parameters listed above.

• ServiceClass. There are many different types of SPNs, and each service that is running on a computer should have the appropriate SPN service class assigned to it. If an application is written to take advantage of Kerberos authentication and delegation, it has the specific type of SPN that it needs to access pre-determined.

For example, when Internet Explorer versions 5.5 and later use the Kerberos protocol to authenticate to a Web service, the application looks for the HTTP SPN. On the other hand, a SQL Server client looks for the MSSQLSvc/ SPN. If the wrong service class is used on an SPN, then the SPN will not be located when a service searches for it.

• Host. The computer to which the SPN belongs is all the names by which a computer on which the service is running can be referenced. This usually includes a NetBIOS name, a fully qualified domain name (FQDN), and any aliases that might have been assigned to this computer. A separate SPN will need to be set for each name by which the computer can be referenced, with the Host parameter changing respectively.

• Port. The port that the service is running on. If this is a default port for that service (such as 80 for HTTP), then it can be omitted. However, it is recommended the port be included regardless of what service is running.

• AccountName. The name of the domain account under which the service runs. If the service runs as Local System or the network service, you usually do not need to set an SPN explicitly for the service because most common SPN service classes will automatically be mapped to the HOST/ SPN which is in turn automatically generated for each computer account.




 

> On 05/30/2006 08:35:02 PM Alex_Raj wrote:

An SPN is registered in Active Directory under a user account as an attribute called Service-Principal-Name. The SPN is assigned to the account under which the service the SPN identifies is running. Any service can look up the SPN for another service. When a service wants to authenticate to another service, it uses that service’s SPN to differentiate it from all of the other services running on that computer.

SPNs are critical to constrained delegation. When you set up a domain computer or user account for delegation, one step of the process is to list the SPNs of services on other computers that the computer is allowed to delegate to. This list forms a type of ACL. The services running on the other computers are identified by the SPNs that are issued to those services.

Multiple services can run simultaneously under the same account. Therefore, for each SPN that is set, you need these four unique pieces of information:

• The type of service, formally called a service class. This enables you to differentiate between multiple services running under the same account.

• The account under which the service is running.

• The computer on which the service is running, including any aliases that point to that computer.

• The port on which the service is running.


These four pieces of information uniquely identify any service running on a network and can be used to mutually authenticate to any service.

An SPN itself consists of three pieces of information, ServiceClass/Host:Port, where:

• ServiceClass is the service class of the SPN.

• Host is the name of the computer to which the SPN belongs.

• Port is the port that the service the SPN is registered to runs on.

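An added example, not part of the original post: a small Python check that parses SPNs in the ServiceClass/Host:Port form described above, builds the per-host-name set an account should carry (one SPN per NetBIOS name, FQDN and alias, port included), and compares that against text shaped like `setspn -L` output. The account name, host names and sample output are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# ServiceClass/Host:Port as the post describes it; Port may be omitted.
_SPN_RE = re.compile(r"^(?P<cls>[^/:\s]+)/(?P<host>[^/:\s]+)(?::(?P<port>\d+))?$")

class Spn(NamedTuple):
    service_class: str
    host: str
    port: Optional[int]

    def key(self):
        # AD matches SPNs case-insensitively; "HTTP/host" and "HTTP/host:80" stay distinct.
        return (self.service_class.lower(), self.host.lower(), self.port)

    def __str__(self):
        base = f"{self.service_class}/{self.host}"
        return base if self.port is None else f"{base}:{self.port}"

def parse_spn(text):
    m = _SPN_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a ServiceClass/Host[:Port] SPN: {text!r}")
    return Spn(m["cls"], m["host"], int(m["port"]) if m["port"] else None)

def expected_spns(service_class, hostnames, port):
    # One SPN per name the host answers to (NetBIOS, FQDN, aliases), port included.
    return [Spn(service_class, h, port) for h in hostnames]

def registered_spns(setspn_l_output):
    # Keep only SPN-shaped lines; the `setspn -L` header line has no '/' and is skipped.
    return [parse_spn(l) for l in setspn_l_output.splitlines() if _SPN_RE.match(l.strip())]

def missing_spns(registered, expected):
    have = {s.key() for s in registered}
    return [s for s in expected if s.key() not in have]

def setspn_add_commands(account, spns):
    # The `setspn -A` lines an admin would run for the SPNs still missing.
    return [f"setspn -A {s} {account}" for s in spns]

# Constructed sample shaped like `setspn -L` output for a hypothetical
# service account CORP\svc-web; not real directory data.
SAMPLE_SETSPN_L = """\
Registered ServicePrincipalNames for CN=svc-web,OU=Services,DC=corp,DC=example:
        HTTP/web01.corp.example:80
        HTTP/WEB01:80
"""
```

Feeding the sample through `missing_spns(registered_spns(SAMPLE_SETSPN_L), expected_spns("HTTP", ["WEB01", "web01.corp.example", "intranet.corp.example"], 80))` reports only the alias `intranet.corp.example` as unregistered, and `setspn_add_commands` turns that into the one `setspn -A` line still needed.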



