Questions tagged [spn]

A service principal name (SPN) is used to identify an instance of a service in a particular domain.

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

MSDN, Service Principal Names

See also kerberos

60 questions
1
vote
0 answers

Configure HTTP SPN for a domain user account on Windows Server 2012R2

I have a Windows 2012R2 Server and I would like to use Kerberos authentication with my IIS web applications. How do I set the SPN and map the users for HTTP and HTTPS services for a given user account in Active Directory?
Peter
1
vote
0 answers

Issues identifying SPNs

Background: We are performing a server move. In the process, new servers and service accounts have been created. I'm getting two issues which I think are related to SPN's: I've created some SQL Linked servers (using 'current security context', i.e.…
Nick.McDermaid
1
vote
1 answer

Is it possible for two legs of a service to have the same SPN? Or at least clients refer to a single identity?

For a WCF service "SuperService", installed on two separate servers "Server1" and "Server2" - is it possible to have a single SPN identity string to which the WCF client "SuperClient" can refer? Such that SuperClient can consume the service hosted…
Richard
1
vote
0 answers

Setting up SPN for SSRS in a CRM load balance environment

I'm getting this exception randomly in a CRM load balance LIVE environment when running Reports from CRM. System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner…
Jorge
1
vote
0 answers

Set SPN for all users in domain

I have a Windows 2008 R2 domain controller with more than 60 user accounts. Each time one of these users tries to connect to the DC authentication "falls back" to NTLM. Kerberos authentication fails because the users' SPNs are missing. I would like…
Stef
1
vote
2 answers

Windows Authentication KRB5KRB_AP_ERR_MODIFIED

Let me preface by saying, I've been on this issue for about a week and a half now and I can't figure it out. I think I'm close, but every time I've thought that so far, I was wrong. I've looked at every forum post I can think to search for and…
Code Maverick
1
vote
1 answer

Clear SPN changes from server cache

We have in house IIS apps built on ASP .Net 2.0 running on IIS 7.5- Server 2008 R2 x64. Back end is SQL 2005. It uses Kerberos (Windows integrated) authentication. Once in a while we need to change SPNs that map the site name to the server, when a…
satchel_74
1
vote
2 answers

IIS and Integrated Windows Authentication - login doesn't work for domain.com, works for IP address, localhost, 127.0.0.1

I've installed Windows Server 2003 R2 and IIS role (no Active Directory role). I've setup a virtual directory named 'test' and under Security tab of the 'test' Virtual Directory I've disabled the Anonymous login and enabled Integrated Windows…
colemik
1
vote
1 answer

RDP from 2008 R2 through a tunnel fails

I'm trying to RDP from a Win7 to a 2008 R2 machine through a tunnel (think SSH, but not exactly). It fails and the following is in the 2008 R2 (destination) event log: System Event Log, LsaSrv source, Event ID 6037 "The program lsass.exe, with the …
DougN
1
vote
0 answers

Kerberos Issue on Aliased SharePoint Web Front Ends

I am having a problem with Kerberos working on SharePoint. Also note that I am a developer not a network guy so if I use the wrong terms I apologize but I hope my intent is clear. We have two web front ends aliased to a single name say "SPPortal"…
Junx
1
vote
1 answer

Confusion about Kerberos, delegation and SPNs

I already posted this question on SO, but the nature of it is between programming and server configuration, so I'll re-post it here as well. I'm trying to write a proof-of-concept application that performs Kerberos delegation. I've written all the…
Vilx-
1
vote
1 answer

Restrict using Azure Service Principal by Humans

We have some people who are using SPs manually (themselves) to run commands and deploy resources from CLI. We need to prevent that and allow only services to use SPs, not Humans. Is there any way to do so?
agamil
1
vote
0 answers

Forest trust: SPN mismatch for non-fully-qualified name

Setup All computers running Windows Server 2019. Domain A Item Value Fully Qualified Domain Name DomainA DomainA.local User UserA UserA@DomainA.local Server FileServer FileServer.DomainA.local Domain B Item Value Fully…
1
vote
2 answers

RDP to an Alias

I have a server that has since been decommissioned and I have some services that have been moved over to another server however these servers still point to the old server so I have set up a Cname for the old server to the new one, however when I…
0
votes
1 answer

Kerberos SPN for one FQDN on multiple servers

This is a bit of a weird one. I'm building a new web server hosted on a LAMP stack to replace an old IIS server. Its intended DNS name is currently occupied by the old server. I have SSL certificates set up for the new server, and configs ready to…