Questions tagged [spn]

A service principal name (SPN) is the name used to identify an instance of a service in a particular domain.

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

MSDN, Service Principal Names

See also kerberos
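The rules in the tag wiki (an SPN per host name or alias, a given SPN on exactly one account, the client composing the SPN it expects) are easy to get wrong at scale, and most of the questions below are the symptoms: NTLM fallback, duplicate SPNs, CNAME aliases, failed domain joins. The following is an added example and not part of the MSDN text or of this tag wiki: a small Python tool that parses SPNs, lists the SPNs a host should register for each of its names, and checks a constructed dump of account servicePrincipalName values for duplicates and gaps. The domain, host names and account names are made up, and the case-insensitive matching is an assumption (it mirrors what setspn -X does when it looks for duplicates).

```python
"""Parse, compose and cross-check Kerberos service principal names (SPNs).

SPN syntax, as on the MSDN page cited above:  serviceclass/host[:port][/servicename]

ACCOUNTS below is CONSTRUCTED sample data standing in for the servicePrincipalName
attribute of a few AD accounts; it is not output from a real directory.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int] = None
    service_name: Optional[str] = None

    def __str__(self) -> str:
        text = f"{self.service_class}/{self.host}"
        if self.port is not None:
            text += f":{self.port}"
        if self.service_name:
            text += f"/{self.service_name}"
        return text


def parse_spn(text: str) -> Spn:
    """Split 'class/host[:port][/name]' into its parts; reject anything else."""
    parts = text.split("/")
    if not 2 <= len(parts) <= 3 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {text!r}")
    host, _, port = parts[1].partition(":")
    if not host or (port and not port.isdigit()):
        raise ValueError(f"malformed host:port in SPN: {text!r}")
    return Spn(parts[0], host, int(port) if port else None,
               parts[2] if len(parts) == 3 else None)


def spn_key(spn: Spn) -> str:
    """Identity used for comparisons. Assumption: SPNs are matched case-insensitively,
    as setspn -X does when it hunts for duplicates."""
    return str(spn).lower()


def spns_for_host(service_class: str, fqdn: str, aliases: tuple = (),
                  port: Optional[int] = None) -> list:
    """Every SPN a service on `fqdn` should register so that a client that composes
    the name from the FQDN, the short host name, or a DNS alias finds a match."""
    out, seen = [], set()
    for name in (fqdn, *aliases):
        for host in (name, name.split(".", 1)[0]):
            spn = str(Spn(service_class, host, port))
            if spn.lower() not in seen:
                seen.add(spn.lower())
                out.append(spn)
    return out


def find_duplicates(accounts: dict) -> dict:
    """Map each SPN registered on more than one account to the sorted list of those
    accounts. One SPN on two accounts breaks Kerberos for that service (the KDC
    cannot tell which account's key to use), so this should come back empty."""
    owners = defaultdict(list)
    for account, raw_spns in accounts.items():
        for raw in raw_spns:
            owners[spn_key(parse_spn(raw))].append(account)
    return {spn: sorted(accs) for spn, accs in owners.items() if len(accs) > 1}


def find_unregistered(required: list, accounts: dict) -> list:
    """Which of `required` are registered on no account at all. A client that
    composes one of these gets no Kerberos service ticket for it."""
    registered = {spn_key(parse_spn(raw)) for raws in accounts.values() for raw in raws}
    return [spn for spn in required if spn_key(parse_spn(spn)) not in registered]


# Constructed sample data (hypothetical domain, hosts and accounts).
ACCOUNTS = {
    "DOMAIN\\SQL01$": ["MSSQLSvc/SQL01.domain.com:1433", "HOST/SQL01", "HOST/SQL01.domain.com"],
    "DOMAIN\\svc-sql": ["MSSQLSvc/sql01.domain.com:1433"],   # same SPN as the computer account
    "DOMAIN\\svc-web": ["HTTP/intranet.domain.com", "HTTP/intranet"],
}

if __name__ == "__main__":
    for spn, accs in find_duplicates(ACCOUNTS).items():
        print(f"DUPLICATE {spn}: registered on {', '.join(accs)}")
    wanted = spns_for_host("MSSQLSvc", "SQL01.domain.com", port=1433)
    print("unregistered:", find_unregistered(wanted, ACCOUNTS))
```

Run as a script it flags the MSSQLSvc SPN that sits on both the computer account and the service account, and reports that the short-name form MSSQLSvc/SQL01:1433 is registered nowhere; a client that builds the SPN from the NetBIOS name would get no ticket for it. Feeding real data in means exporting servicePrincipalName per account (for example with Get-ADObject or ldapsearch) into the same dict shape.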

60 questions
13 votes, 1 answer

Why is MS SQL Server Using NTLM Authentication?

Windows Server 2008 R2. SQL Server 2008 R2 installed. MSSQL Service runs as Local System. Server FQDN is SQL01.domain.com. SQL01 is joined to an Active Directory domain named domain.com. The following is the output of setspn: C:\> setspn -L…
Ryan Ries
11 votes, 2 answers

Permissions to create an spn

According to some of the documentation I've read the service account for SQL server will create an SPN when the database engine starts up, allowing for kerberos authentication. I haven't been able to find any documentation that states what…
Thirster42
8 votes, 1 answer

Create SPN with setspn.exe - Insufficient access rights

On a Windows Server 2008 Domain Controller, I'm attempting to add a Service Principal Name (SPN) to a user account 'Postmaster' in order to enable Kerberos authentication from a Communigate email server. The command line I'm using is of the…
kbluck
8 votes, 1 answer

Active Directory 2012 LDAP Integration Service Principal Name Entry is Disappearing?

Creating Python Service to Query AD Attributes I'm integrating our AD with web services running Python on linux using Python-LDAP over SASL(DIGEST-MD5) to query AD 2012 user attributes (division, department, phone extension, email, etc). After…
Melignus
8 votes, 1 answer

"setspn -s" vs. "setspn -a"

According to Setspn Overview it's discouraged to use Setspn -A to add an SPN record and it's suggested to use Setspn -S instead. It's said that Setspn -S checks whether the SPN already exists before adding a new one. Setspn -A does not perform this…
bahrep
7 votes, 2 answers

creating an SPN from a linux build server

I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right privileges. As my build server is running on Linux, I…
Balint Pato
7 votes, 1 answer

Creating keytabs and service principal names

I'm trying to set up a keytab for a Java server to support Kerberos authentication on a Windows network. I'm struggling to get it working even at the level of the command line tools, haven't even got as far as the server setup yet! My plan just…
user21693
6 votes, 1 answer

Active Directory replication target principal name incorrect

I have a small 2 DC domain using Win 2008 R2 machines. Recently, one had to be restored using Backup Exec System Recovery. Now the two are failing replication. I have run DCDIAG on both (see below) and see that several things fail with target…
6 votes, 3 answers

Will kerberos work with CNAMEs if I have the SPN created for the A record as well?

We are currently setting up a SQL 2012 environment and it will be used for storing data that will be accessed by SSRS in sharepoint integrated mode. We will be using Kerberos for authentication. Something we would like to be able to do is use cnames…
AnthonyM
6 votes, 2 answers

help using setspn and ktpass

I'm trying to set up the SPNs and create a keytab file for Tomcat Kerberos SPNEGO single sign-on. The server running tomcat7 is ubuntu-ad1.wad.eng.hytrst.com, the KDC is kerberos.wad.eng.hytrust.com, and the domain is WAD.ENG.HYTRUST.COM. I'm using my AD…
Arthur Ulfeldt
5 votes, 3 answers

Get SPN error when trying to join a machine to a domain

I am trying to join a Windows Server 2016 VM called BORON to a domain which has a Windows 2012 R2 domain controller. The DC name is SNOWDROP.DUCK.LOC. When I try to join I get this error: The operation failed because SPN value provided for…
Mark Allison
5 votes, 2 answers

Why does a SPN on a different host cause a server to lose its trust? How should I fix it?

I have a brand new server image that loses its trust as soon as it's joined to the domain. I suspect it's because of the duplicate SPN I discovered using the LDAP version of this PowerShell script. PowerShell script: #Set Search cls $search =…
makerofthings7
5 votes, 3 answers

Kerberos - Adding a SPN to a Domain User

When adding a new SPN into the Kerberos domain, you have the option of mapping the SPN to a user. In general, I join the domain through Integrated Windows Authentication, and this creates a new computer account for the service, but now, I would like…
4 votes, 1 answer

Can I share one SPN between two service accounts?

I am running IIS and SQL Reporting Server on the same server. IIS runs as d\acct1 and SSRS is running as d\acct2. Initially, I registered an SPN HTTP/server.d.com for both d\acct1 and d\acct2 and configured both for unconstrained kerberos delegation…
Ryan Michela
4 votes, 1 answer

Kerberos issues after new server of same name joined to domain

Environment: Windows Server 2012, 2 Domain Controllers, 1 domain. A server called Sharepoint1 was joined to the domain (running Sharepoint 2013 using NTLM). The fresh install for Sharepoint1 (OS and Sharepoint) is performed and set up for Kerberos…