
I am thinking about taking a service that runs on multiple servers in my domain currently as "NETWORK SERVICE" and configuring it to run as an AD domain account for various reasons. If I have this one account running the same service on multiple servers, do I need to create SPNs for each of the machines and services it runs? Would I need to worry about creating SPNs at all?

If the answer is no, then what is the proper role of an SPN?

BoxerBucks

1 Answer


Here is the TechNet article on Service Principal Names. Give it a read.

We use a Scheduled Tasks Admin Account to run all our tasks. We have it in the Users OU. This is available on all computers on the domain to be used for scheduled tasks.

The user is a member of Administrators, Backup Operators, Domain Users, Local Administrators, Replicator, and Server Operators.

Hope that helps

Campo
  • Thanks for the answer, but I still am not clear on the SPN usage. I have read the TechNet article and it seems to relate SPNs with client applications finding services published to the AD. So perhaps an SPN is only necessary if a client is connecting to that service on a machine? I thought it had to do with services running under the same domain account on different machines being able to authenticate to network resources as unique objects for the purposes of Kerberos. – BoxerBucks Jun 02 '10 at 15:18
  • If you want to run simple services like defrags or backups, a domain account can be used to keep the same credentials for all machines. If you want to have a client application that requires mutual authentication with a service, then you would use an SPN. So what is your goal here? That will help determine if an SPN is necessary. – Campo Jun 02 '10 at 15:31
  • I must be getting tired because I read that twice and it doesn't make sense to me. Reminds me of that Far Side cartoon showing what you say vs. what a dog hears... – Bart Silverstrim Jun 02 '10 at 15:33
  • The goal is to take a service account that runs under NETWORK SERVICE or LOCAL SERVICE today and change it to run with a domain account so we can reset the password on a regular basis for auditing purposes. – BoxerBucks Jun 02 '10 at 15:37
  • Resetting the password would mean you would have to change it for every scheduled task. That's why you make it very strong and never log in with the account. Set password to not expire. I feel this is acceptable. I see you marked correct. Is this resolved now? Glad to help! – Campo Jun 02 '10 at 16:03
  • Well, we will have to change the password per auditing requirements, but that is another story. I marked it correct because I think I understand the SPN usage and the fact that it's not required in this case. – BoxerBucks Jun 02 '10 at 16:21
  • Excellent. Yeah, changing those passwords is going to luck! Thanks! – Campo Jun 02 '10 at 16:40
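To make the SPN point from the comment thread concrete: an SPN only matters once a client authenticates to the service with Kerberos, and in that case the SPN must be registered on whatever account the service actually runs as. Under NETWORK SERVICE that is the computer account, which already carries its own HOST/ SPNs; once the service runs as a domain user, that one user account must carry one SPN per host it runs on (short name and FQDN), and the same SPN must not exist on any other account or Kerberos fails for that service. The script below is an added example written for this page, not code from the original post or from either poster; the account name, service class and host names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): register one SPN per host on a single
# domain service account, refusing to create duplicates, then list and audit the result.
# $Account, $ServiceClass and $Hosts are illustrative assumptions; substitute your own.
$Account      = 'CONTOSO\svc-app'
$ServiceClass = 'MyAppSvc'
$Hosts        = 'app01.contoso.local', 'app02.contoso.local'

foreach ($h in $Hosts) {
    $short = ($h -split '\.')[0]
    # Kerberos clients may build the SPN from either the FQDN or the short name,
    # so register both forms on the same account.
    foreach ($spn in "$ServiceClass/$h", "$ServiceClass/$short") {
        # setspn -Q searches the forest for an existing registration of this SPN.
        $existing = setspn -Q $spn
        if ($existing -match 'Existing SPN found') {
            Write-Warning "$spn is already registered elsewhere; a duplicate SPN breaks Kerberos for this service:"
            $existing | Write-Warning
            continue
        }
        # -S re-checks for duplicates and fails rather than adding a second copy (unlike -A).
        setspn -S $spn $Account
    }
}

# Show every SPN now held by the account, then scan the forest for any duplicate SPNs.
setspn -L $Account
setspn -X
```

Two caveats a practitioner would want alongside this: if no client ever performs Kerberos authentication to the service, none of these SPNs are needed, which is the conclusion the thread reached. If they are needed, note that any authenticated domain user can request a service ticket for an account that holds an SPN and attempt to crack the account's password offline, so an SPN-bearing domain account needs a long random password; a group managed service account (gMSA), where the domain rotates the password automatically, addresses both that and the periodic-rotation requirement raised in the question.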