Questions tagged [spn]

a service principal name (SPN) that is used to identify an instance of a service in a particular domain

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Before the Kerberos authentication service can use an SPN to authenticate a service, the SPN must be registered on the account object that the service instance uses to log on. A given SPN can be registered on only one account.

When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

MSDN, Service Principal Names

See also kerberos

60 questions
0 votes, 1 answer

Why would setspn -q return "no such spn found" when setspn -l finds the spn?

I'm attempting to troubleshoot why windows authentication is failing for a website hosted in IIS at a customer site. When executing setspn -l serviceUser to list the spns associated with a service account we get the following output Registered…
0 votes, 0 answers

Duplicate SPN for File Server Alias

I have two Samba4 AD domain members that serve a couple of replicated shares to users at two sites (same domain, different subnets). Bandwidth and latency don't allow for a clustered solution, so replication between servers A and B runs periodically…
canut
0 votes, 1 answer

Duplicate SPN's - ADFS

Trying to setup ADFS with AD Connect. I get an error message when trying to add the ADFS service account. The error states that there is already an existing service account in the directory with the ADFS service Service Principal Name (SPN). I ran…
0 votes, 1 answer

Web Application Proxy SPN Delegation

Hopefully this will be a quick one but I keep drawing a blank on how to do this even after some frantic searching online. I have recently been tasked with adding resiliency to our WAP (Web Application Proxy) farm as we are publishing more apps…
0 votes, 1 answer

Add Service Principal Name to Keytab file on Windows

What command can I run on windows to add a SPN to a keytab file on Windows? It seems all the documentation I can find is for linux.
MagicL
0 votes, 1 answer

How to set an SPN for SQL Server on a Workgroup

I'm trying to remote connect to my SQL Server 2016 instance on my home server running on a workgroup. I need to set an SPN to do this. All the guides out there seem to be related to setting the SPN for domain situations, not workgroups. Here is the…
Calanus
0 votes, 1 answer

Creating AD SPNs with realmd/sssd on Cent7

Is it possible to use the system tools provided by realmd/sssd on a CentOS7 system to create and write out service principals for Apache and other servers? Or are we still reliant on other tools, like samba-tool and setspn.exe?
nicotine
0 votes, 1 answer

IIS Credential Delegation for AppPool in Integrated Pipeline mode

I know there have been more than a dozen articles on this topic, but for some reason I have not been able to find a solution. Server WEB1 has IIS7.5 with a site using Windows Authentication (kernel mode off, provider: "negotiate:kerberos") and a…
Ablue
0 votes, 1 answer

Multihop Kerberos delegation on IIS7 / Windows 2008

So here I am again dealing with probably the number one support question on IIS, SPNs. I am not a novice when it comes to this, having lived the pains of getting SSRS front ends to delegate for SQL and SSAS back-ends in a number of different…
tlum
0 votes, 1 answer

SPN's, Kerberos and IIS

I have a dns alias of MyWebServer, which points to the ip of a win 2008 r2 box running iis 7.5. I have the correct HTTP spn's set up for a domain user which has permissions to delegate to a nominated HTTP webservice using kerberos. IIS is…
0 votes, 2 answers

How to set the SPN for Postgres SSPI

I am trying to setup Postgres to support SSPI/Kerberos, however I think that I have not found out what the correct SPN that is needed to get it working. The background details: Service account for postgres: 'postgres' Domain Name:…
chotchki
0 votes, 0 answers

KRB5KRB_AP_ERR_MODIFIED trying to use SPN credentials

I'm trying to set up a Windows 2019 system as an SMB server to work with third-party software on an external, non-Windows system that uses Kerberos to authenticate to the SMB server. This SMB server is joined to an existing Active Directory domain…
0 votes, 0 answers

Right SPN for Kerberos Auth to Webservice

I developed a webservice (hosted with OWIN not IIS) where my users have to authenticate with their domain credentials. Currently it's using NTLM and everything is working fine but I want to switch to Kerberos, AFAIK I need to add a SPN to AD to make…
0 votes, 0 answers

When is mapUser required -

I'm not sure I understand when & why mapUser is needed. When you generate a keytab with ktpass you can map the Service Principal to a user with mapUser. You can then kinit to the Service from another machine using that keytab. When trying the same…
0 votes, 1 answer

Samba AD: Create keytab for computer without net ads join?

Gist: I have set up a samba as AD DC. I'd like to export a keytab for SPNs for a computer account only without having the computer to run samba itself, or issue net ads join. Running samba-tool domain exportkeytab gives me no keys for the SPNs, and…
Technaton