Subject: What happens if SPNs are not correctly set?
Author: Alex_Raj
In response to: UPN vs SPN
Posted on: 05/30/2006 08:23:52 PM

Service Principal Names (SPNs) are unique identifiers for services running on servers. Every service that will use Kerberos authentication needs to have an SPN set for it so that clients can identify the service on the network. If an SPN is not set for a service, then clients will have no way of locating that service. Without properly set SPNs, Kerberos authentication is not possible.

If an SPN has not been correctly set and a client attempts to obtain a service ticket, a common result is a KDC_ERR_C_PRINCIPAL_UNKNOWN or a KDC_ERR_S_PRINCIPAL_UNKNOWN error. Furthermore, there are many other errors for which the cause might be a missing or an incorrectly set SPN.

 

> On 05/18/2006 11:57:36 PM Alex_Raj wrote:


UPN stands for User Principal Name which is a unique identifier for the security identity of a user or computer. UPN takes the format of
   <userID>@<DNS domain name>  

UPN is stored in the AD user account under the attribute userPrincipalName, which is unique within the FOREST security boundary. That's why the DNS domain name must be a portion of it (except for NT).

SPN stands for Service Principal Name which is a unique identifier for the security identity of a user or computer. SPN takes the format of
   <serviceClass>/<host>:<port>/<serviceName>  

where

  <serviceClass> -- a string identifying the service
  <host>         -- a NetBIOS or DNS name identifying the machine on which 
                    the service is running.
  <port>         -- OPTIONAL, port number to which the service is listening
  <serviceName>  -- OPTIONAL


For example, an LDAP service running on machine myhost.mydomain.com listening on port 2389 takes an AD account with:

dn: cn=myhost,cn=user,dc=mydomain,dc=com
userPrincipalName: myhost@mydomain.com
servicePrincipalName: ldap/myhost.mydomain.com:2389
