Questions tagged [spn]

A service principal name (SPN) is used to identify an instance of a service in a particular domain.

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

MSDN, Service Principal Names

See also kerberos

60 questions
3
votes
2 answers

setspn does not affect Active Directory Users

I run the setspn command for specific user on Domain Controller. C:\>setspn -s example/username.companyname.com username Checking domain DC=companyname,DC=com Registering ServiceprincipalNames for CN=username,CN=Users,DC=companyname,DC=com …
3
votes
2 answers

Are SPNs specific to Windows and Active Directory?

Are Service Principal Names specific to Active Directory on Windows? Or do they exist in Linux OpenLDAP / Kerberos KDC servers too?
leeand00
3
votes
1 answer

Kerberos Error APP_MODIFIED when using a CNAME DNS record

I have a production server, which I'll call CONTOSO\MachineA, running SQL Server. I have a development server, which I'll call CONTOSO\MachineB, running IIS. Both servers are running Windows Server 2008. I have a domain user, which I'll call…
Ethan Reesor
3
votes
2 answers

Why should I not run setspn.exe on the domain controller?

I found several references (see below) on blogs that the setspn.exe utility should be run from either a client or server machine in the domain, but not from the domain controller…
MvdD
3
votes
1 answer

SPN settings in a ADFS 3.0 lab setup

I am a developer trying to understand authentication with ADFS (2012 R2), so I am trying to setup an ADFS lab. I have found 2 guides: doc1 - http://technet.microsoft.com/en-us/library/dn280939.aspx doc2 -…
itaysk
3
votes
1 answer

What SPNs are needed for an intranet web service that reads remote registries

Imagine a website that shows the value of a remote registry key, live, such as the version of the anti-virus definitions on a remote PC. To be clear, there are 3 computers involved, the web server acting as a go-between. The website uses Windows…
Luke Puplett
3
votes
1 answer

SPNs and Kerberos Delegation

I would like to check my understanding. This is a fully hypothetical scenario below as I am currently studying for a certification. I have an IIS App Pool with a basic website, which accesses data from a SQL Backend. I want to setup Kerberos…
PnP
3
votes
1 answer

Why deploy Kerberos for Exchange 2010 SP1 RU3?

The first version of Exchange 2010 to support Kerberos is SP1 RU3. It does this through the RollAlternateServiceAccountCredential.ps1 commandlet. Besides implementing "better" security, does this offer any other benefits for disaster recovery,…
makerofthings7
2
votes
1 answer

SPN generation for multiple service account on a Web server

I am trying to achieve Azure SSO in my organisation. I have a web server hosting multiple websites and web application under those sites. Users access them in below fashion https://<SiteName>/<ApplicationName>/ We have a service account…
2
votes
0 answers

Kerberos Double Hop - SQL2014 HA - MSA's

OK, so I'm at my wits' end. We have a system which works perfectly in our UAT environment (not HA) but will not work in live. So the config is: dns A record to iis box binding in iis on :80 to dnsname HTTP/dnsname SPN HA SQL 2014 cluster dynamic…
Dan
2
votes
1 answer

List all kerberized SPN's in Linux

Is there a way to list/show all SPNs in a kerberized AD using a Linux client? In Windows one can use setspn -T -Q */* to get them. Is there something similar? Haven't found anything yet. Or is it even possible? Of course I request a TGT…
Thanathan
2
votes
2 answers

Adding new SPNs to existing service ids

We have a tomcat server using spring-security kerberos to authenticate users to the webpage against active directory. There are around 25 domain controllers. The site has two CNAME based DNS aliases. The site currently has one Service ID with SPNs…
jmh
2
votes
2 answers

need help in setting up SPN for Kerberos Authentication

I am using IIS 7 for setting up a website under Windows authentication. I am seeing an authentication issue which I am almost sure is related to a Kerberos issue, and I am wrongly setting up the SPN. The scenario which I am using is as below. I have…
Manish Shukla
2
votes
1 answer

Linux pod authenticate to MS-SQL windows server using keytab

Cannot get Kerberos auth working from linux to MS-SQL server on windows. Added new user in AD. New-ADUser -Name "user" -GivenName "user" -SamAccountName "user" -UserPrincipalName "user@my.domain" –AccountPassword (ConvertTo-SecureString "password"…
DevMops
1
vote
0 answers

New SPN required when renaming server?

I am in the process of decommissioning a Win 2008 server that runs an app that uses Kerberos authentication and has an SPN created for our service account. The replacement server will be renamed to match the old server. What I am unsure of is if…